Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

No-NAT ACL Not Being Enforced For New S-2-S VPN

Hi All,

I recently upgraded one of our ASA's a couple of weeks ago from 7.x to 8.0.3. This particular ASA currently only has the 1 VPN terminated on it and all is functioning OK. Yesterday I needed to terminate an additional VPN on the ASA but could not get it working for the life of me. I ripped it all out (via the CLI) and put it back in again still no joy, compared it to the existing VPN details, all bang on. Stripped it all out again and used the ASDM VPN Wizard (OMG, how quick and easy is this, i'm a CLI stalwart!) still no joy. One thing that kept cropping up though whilst configuring the ASA via both the CLI and ASDM was the following error when entering the no-nat statement/s "unable to download NAT policy for ACE". No, we don't use AAA for downloading of ACL's nor a RADIUS server before anybody asks. I have spoken to a Security IE on this who tells me that he has not come across this issue before, his recommendation was to downgrade to 8.0.2

I tried the packet-tracer command and sure enough it confirms that the ASA is ignoring the relevant line of my NO-NAT ACL which says don't NAT source x to dst y.

Anybody come across this before?

Cisco Employee

Re: No-NAT ACL Not Being Enforced For New S-2-S VPN


This is a defect. A workaround is to unapply nat0, and then modify the NAT ACL, and then re-apply nat0.

The bug id is CSCsl46310. To get a release of code that this is fixed in, you'll need to open a TAC case.

Bug link: