Cisco Support Community

VPN tunnel went down after upgrading intermediate ASA to 8.4

I have a site-to-site VPN tunnel configured between 2 ASAs. The tunnelled traffic passes through my internet firewall. Recently I upgraded my internet firewall to 8.4 while my VPN ASAs run the 8.2 image.

After upgrading my internet firewall to 8.4, the VPN tunnel went down. I can see encrypted packets increasing on the VPN box behind my internet ASA but don't see any decrypted packets. Nor can I see hits on the internet firewall.

Is there something which I have to look at in 8.4 configuration on my internet firewall?



Hi! In case you use NAT for your internal VPN box and upgraded your internet ASA from a pre-8.3 version to 8.4, check the following document:

Basically you should change your inbound ACL rule to allow VPN traffic towards the internal IP address of the VPN box and make a NAT rule with source external public IP to inside internal IP.



Hi, there are notable changes in ACL and NAT syntax in the new 8.3+ version of ASA. If you have NAT or NAT exemption, you need to modify that accordingly. Also your ACL should reflect the real IPs of the segment rather than mapping the NATed IP in ACLs. So all these things you need to take care of.


Earlier, in version 8.2, for your inbound ACL, which is applied on the outside interface, you could have mentioned a rule like this:

access-list inbound permit ip host host

(where is the source from outside and is the NATed ip address of the segment, which has a private IP segment as its real ip...say

Your new version 8.3+ should have:

access-list inbound permit ip host host
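As an added illustration of the change described in this reply (not the poster's own configuration), here is the same rule in both syntaxes, using constructed addresses: 198.51.100.5 as the remote VPN peer, 203.0.113.10 as the public NAT address on the internet ASA, and 10.1.1.10 as the real inside address of the VPN ASA. The object name VPN-ASA-INSIDE is assumed, and the rule is narrowed to IKE (UDP 500), NAT-T (UDP 4500) and ESP instead of "permit ip".

```text
! --- ASA 8.2 (pre-8.3): the ACL matches the NATed (public) address ---
! constructed addresses: 198.51.100.5 = peer, 203.0.113.10 = public NAT, 10.1.1.10 = real
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list inbound extended permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list inbound extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list inbound extended permit esp host 198.51.100.5 host 203.0.113.10
access-group inbound in interface outside

! --- ASA 8.3+/8.4: NAT becomes an object rule, the ACL matches the REAL (inside) address ---
object network VPN-ASA-INSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list inbound extended permit udp host 198.51.100.5 host 10.1.1.10 eq 500
access-list inbound extended permit udp host 198.51.100.5 host 10.1.1.10 eq 4500
access-list inbound extended permit esp host 198.51.100.5 host 10.1.1.10
access-group inbound in interface outside

! --- Checks after the upgrade ---
show nat detail              ! the static translation should be listed with increasing hits
show access-list inbound     ! hitcnt on the three lines above should grow as the peer retries
packet-tracer input outside udp 198.51.100.5 500 203.0.113.10 500
! packet-tracer must end with "Action: allow"; a drop in the ACCESS-LIST phase means the
! ACL still references 203.0.113.10 (8.2 style) instead of the real address 10.1.1.10
```

Zero hits on the inbound ACL together with a growing encrypted counter on the VPN ASA is exactly the symptom of an ACL that still names the NATed address after the upgrade.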




