Cisco Support Community

New Member

VPN / NAT Problem

Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:


1. SiteW is the main site. If W-Client wants to talk to S-Client (on SiteS), the traffic is simply NATted and sent there (this works fine).

2. SiteB is a new site. I've set that up with a site-to-site VPN, and that works fine.

New Requirement

If a user at SiteB wants to talk to a client at SiteS, then the traffic should go over the existing VPN to W-FW1, then get decrypted and routed there. This is the bit I CANNOT, despite HOURS of tweaking and testing, get to work.

What I've done

On W-FW2

Added SiteS to the existing interesting-traffic ACL and added a 'NO NAT' for it, like so:

object network S-CLIENTS
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS


On W-FW1

Added SiteS to the existing interesting-traffic ACL and added a 'NO NAT' for it, like so:

object network S-CLIENTS
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS

At this point packet-tracer said the traffic was being blocked by the ACL, so I added:

access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
access-group inbound in interface outside

Now packet-tracer was happy, but B-Client still cannot ping S-Client!

W-FW1 can ping S-Client

Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2), but no traffic ever travels BACK to B-Client.

Running Wireshark on the interface of S-FW1 whilst attempting to ping from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).

Cisco Employee

First check if the packet from the S-Client is making it back to W-FW1.

Configure a capture on the interface that is connected to the 106.200.194 subnet:

#capture capin interface <interface name> match ip host <S-Client IP> host <B-Client IP>

#show capture capin

The capture is bidirectional, hence there is no need to enable it in the opposite direction.

If the packet is seen coming back from the S-Client and still is not getting encrypted, then do an asp-drop capture to see if the ASA is dropping it:

#capture asp type asp-drop all

Send the traffic.

#show capture asp | include <S-Client IP>

If the packet is seen in this capture then the ASA is dropping it.

Then do a packet-tracer to see why it is dropping it:

#packet-tracer input <S-Client connected interface name> icmp <S-Client IP> 8 0 <B-Client IP> detailed

Check why the packet is dropping.

If the capin capture does not see the reply packet, then check the reply path and routing.



New Member

Capture on the W-FW1 interface (S-Interface as per

capture capin interface s-interface match icmp host host

Sending a ping from B-Client to S-Client, no traffic was captured on W-FW1 (s-interface):

W-FW1(config)# show capture capin

0 packet captured

0 packet shown

I think that's the crux of the problem: traffic flows from B-Client over the VPN into W-FW1, it gets decrypted and never gets sent out of the s-interface. It should, because W-FW1 has...

route s-interface 1
object network S-INTERFACE-NAT
 nat (any,s-interface) dynamic interface

New Member

Fixed IT!!!!!!

I simply needed to add no-proxy-arp route-lookup to my NAT statements!!!

Woo Hooo {Technical dance!}
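The hub-side configuration that the thread converges on, written out as an added example by the editor rather than copied from any of the posts. It covers both the fix in the last post (the identity NAT rule with no-proxy-arp route-lookup) and the verification sequence the Cisco employee described (capture, asp-drop capture, packet-tracer). Interface names (inside, outside, s-interface), object names and the ACL name are taken from the thread; the subnets, host addresses and the 0.0.0.0/0 object for the PAT rule are assumptions for illustration and do not come from the original post.

```cisco
! Hub firewall W-FW1, ASA 8.3+ NAT syntax as used in the thread.
! Subnets and hosts below are ASSUMED for illustration, not from the post.
object network B-CLIENTS
 subnet 192.168.20.0 255.255.255.0
object network S-CLIENTS
 subnet 192.168.30.0 255.255.255.0
!
! Spoke-to-spoke flows ride the existing W<->B tunnel, so S-CLIENTS goes
! into its crypto ACL (the ACL name keeps the thread's spelling).
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
!
! Identity (no-NAT) rule for S<->B. Without route-lookup the ASA uses the
! real interface named in the rule ("inside") as the egress for decrypted
! B->S packets, so they never reach s-interface, which matches the empty
! capture in the thread. route-lookup makes the ASA consult the routing
! table instead; no-proxy-arp stops it answering ARP for S-CLIENTS addresses.
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS no-proxy-arp route-lookup
!
! Existing hub behaviour from the thread: other traffic towards SiteS is
! PAT'd to the s-interface address (the 0.0.0.0/0 subnet is assumed).
object network S-INTERFACE-NAT
 subnet 0.0.0.0 0.0.0.0
 nat (any,s-interface) dynamic interface
!
! Verification, following the employee's reply: capture the routed leg
! (captures are bidirectional), capture ASP drops, then ping 192.168.30.10
! from the B-Client 192.168.20.10 and inspect.
capture capin interface s-interface match icmp host 192.168.20.10 host 192.168.30.10
capture asp type asp-drop all
show capture capin
show capture asp | include 192.168.30.10
! Trace the reply path from the S side if capin sees no reply.
packet-tracer input s-interface icmp 192.168.30.10 8 0 192.168.20.10 detailed
! Hit counts confirm which NAT rule the flow is actually matching.
show nat detail
```

Two practitioner notes on this layout. First, naming the real interface pair directly, i.e. a rule of the form `nat (s-interface,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS`, selects the correct egress interface without relying on route-lookup, and is the cleaner fix when the interface is known. Second, manual (twice) NAT is evaluated before object NAT, so this identity rule also exempts B<->S traffic from the s-interface PAT; if SiteS cannot route back to the B-CLIENTS range, that exemption is the next thing to check with the same capin capture.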
