Cisco Support Community
Community Member

Remote Access VPN stops traffic from another Site2Site VPN



We are facing some strange problems with a VPN connection.


We have three networks:
The destination network ( /24), the network of our headquarters ( and the network of our branch (

At the headquarters we are using an ASA 5515 and at the branch an ASA 5505. Unfortunately we don't have administrative access to the firewall of the destination.

Both the headquarters and the destination have static IPs and are connected with a Site-2-Site VPN; everything works fine.

The branch has a dynamic IP and is connected to the headquarters with a Remote Access VPN. This VPN also works without problems.

Now I'd like to give the branch access to the destination network.

On the branch ASA I added a new traffic selection to the existing VPN tunnel (Branch <-> Headquarters):

(Source:, Destination: /24)

On the headquarters ASA I also added a new traffic selection to the existing tunnel (Headquarters <-> Destination):

((Source:, Destination: /24))

Now the strange thing happens:

I can ping the destination from the headquarter.

As soon as I start pinging a device in the destination network from the branch, the headquarters ping stops. Now I can access the destination network from the branch but no longer from the headquarters. Only when I delete the traffic selection on the headquarters ASA and apply the settings is everything back to normal: the ping from the branch stops and the ping from the headquarters starts again.

Any ideas?


Community Member

I suspect you did not configure symmetric traffic selectors on the headquarters, branch and destination.

on branch:>> /24


on headquarter:

to branch:> /24--->

To destination:> /24> /24


On Destination: /24---> /24--->

Hi smiller_81,


Since you do not have administrative rights on the destination firewall, you cannot modify its tunnel configuration.


So you include a permit for traffic from the branch to the destination LAN segment and, similarly, on the headquarters side you permit the destination to the branch LAN segment, i.e. as tunnel-bound traffic normally would.


This is where the magic takes place.

You need a dynamic policy NAT on your ASA, such as below.


object network branch-subnet
 ! subnet <branch LAN> <mask>   (the address in the original post was not preserved on this page)

object-group network destination-lan
 ! network-object <destination LAN> <mask>   (address not preserved on this page)

object network headquarter-unused-ip
 ! host <an unused address inside the headquarters LAN>   (address not preserved on this page)

! Twice NAT: branch traffic that enters and leaves on "outside" (tunnel to tunnel)
! with the destination LAN as target is source-translated to the unused HQ address,
! so it matches the existing HQ LAN <-> destination LAN traffic selector.
nat (outside,outside) source dynamic branch-subnet headquarter-unused-ip destination static destination-lan destination-lan


Let me know if this makes sense to you.



Rizwan Rafeek
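The following is an added worked example, not configuration from the original poster or from either reply. It puts together the two points made above (keep the HQ <-> destination selector exactly as the destination peer knows it, and hairpin the branch traffic behind an unused HQ address) as a hub-side ASA configuration in 8.3+ NAT syntax. All addresses are placeholders from the RFC 5737 documentation ranges, and the object names follow the reply above; the real networks from the thread are not on this page.

```cisco
! Added example (not from the thread). Hub = headquarters ASA, 8.3+ NAT syntax.
! Placeholder addresses (assumptions):
!   192.0.2.0/24     branch LAN, reached over the remote-access tunnel on "outside"
!   198.51.100.0/24  headquarters LAN; 198.51.100.250 is an unused address in it
!   203.0.113.0/24   destination LAN behind a peer we cannot reconfigure

! Decrypted branch traffic must be allowed to leave on the interface it arrived on.
same-security-traffic permit intra-interface

object network branch-subnet
 subnet 192.0.2.0 255.255.255.0
object network hq-subnet
 subnet 198.51.100.0 255.255.255.0
object network headquarter-unused-ip
 host 198.51.100.250
object-group network destination-lan
 network-object 203.0.113.0 255.255.255.0

! The HQ <-> destination crypto ACL stays as the destination peer expects it:
! HQ LAN <-> destination LAN only. No branch entry is added on this tunnel.
access-list L2L-DEST extended permit ip object hq-subnet object-group destination-lan

! Twice NAT at position 1 so it is evaluated before any broader NAT exemption:
! branch sources heading for the destination LAN are PATed to the unused HQ
! address, so the packet fits the existing HQ LAN -> destination LAN selector.
! Return traffic (destination -> 198.51.100.250) is untranslated by the same
! rule and forwarded back into the remote-access tunnel toward the branch.
nat (outside,outside) 1 source dynamic branch-subnet headquarter-unused-ip destination static destination-lan destination-lan

! Verification: simulate a branch host pinging a destination host. The NAT phase
! should show the translation to 198.51.100.250 and the VPN phase should select
! the HQ <-> destination tunnel.
packet-tracer input outside icmp 192.0.2.10 8 0 203.0.113.10

! Afterwards, the SA for the destination peer should still list only the
! HQ LAN <-> destination LAN identities, with its encaps/decaps counters rising.
show crypto ipsec sa
```

Traffic from the headquarters LAN itself is not matched by the twice NAT rule (its source is not in branch-subnet) and keeps using its own addresses, so the existing HQ ping is unaffected; the branch ASA still needs its own selector for branch LAN -> destination LAN so that this traffic is sent into the remote-access tunnel in the first place.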



