Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

NAT VPN no traffic, 106014 deny inbound

I'm not sure if this should go in the Security section or here, but perhaps someone can help with this configuration?

Trying to NAT the internal IP to another subnet so the destination end doesn't clash. The tunnel comes up fine, but traffic does not pass over it. If I send a ping to the destination, it gives "106014 deny inbound icmp src inside: dst outside: (type 8, code 0)". I know there's something fundamental wrong, but can't spot it.

Local site, local NAT to, remote site


access-list outside_access_in extended permit ip

access-list SiteName_access extended permit ip

access-list SiteName_NAT extended permit ip

access-list SiteName_cryptomap extended permit ip


nat (inside) 0 access-list inside_nat0_outbound

nat (outside) 0 access-list outside_nat0_outbound

static (inside,outside) access-list SiteName_NAT

access-group outside_access_in in interface outside

route outside a.b.c.d outside_router 1


crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto map outside_map 3 match address SiteName_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer a.b.c.d

crypto map outside_map 3 set transform-set ESP-AES-256-MD5

crypto map outside_map 3 set security-association lifetime seconds 3600

crypto map outside_map 3 set reverse-route

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 28800

no crypto isakmp nat-traversal


group-policy SiteName internal

group-policy SiteName attributes

vpn-filter value SiteName_access

vpn-tunnel-protocol IPSec


tunnel-group a.b.c.d type ipsec-l2l

tunnel-group a.b.c.d general-attributes

default-group-policy SiteName

tunnel-group a.b.c.d ipsec-attributes

pre-shared-key Mykey

  • Other Security Subjects

Re: NAT VPN no traffic, 106014 deny inbound

Without seeing you no-nat rules, it's hard to say.

Below is a config example of NAT'ing & VPN's - which is what you are trying to do.


Re: NAT VPN no traffic, 106014 deny inbound

it also looks like you have an ACL on the inside interface inbound? Is this the case?

New Member

Re: NAT VPN no traffic, 106014 deny inbound

did you ever get an answer for this error? i am having the exact same problem. I have tryed everything and nothing works.