Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WAAS - WAE and Servers behind NAT


I have the attached network topology:

A VPN is setup between the Branch RTR and DC Tier1 ASA. Branch WAE is registered with the natted IP of the core CM on Y.Y.Y.a. Branch users access the servers on their natted IPs Y.Y.Y.Y/16. At the Branch wccp redirection is setup at the Branch router while at the DC L2 redirection is configured on the Core SW.

I got the follwoing results from the tests I perfomed:

  • With the VPN at the DC terminated on Tier1 ASA, traffic is not being optimization and even dropped after activating wccp redirection. the Branch WAE is able to see the connection statistics with the peer wae while the Core WAE is able to the connections without the peer. In brief no optimization is occurring and traffic is being dropped.
  • With the VPN at the DC terminated on Tier2 ASA (matching traffic changed to X.X.X.X/16 -> Z.Z.Z.Z/16), optimization is wotking properly
  • With the VPN at the DC terminated on Tier1 ASA with identity nat configured on Tier2 ASA (Z.Z.Z.Z/16 - Z.Z.Z.Z/16), optimization is working properly

As a summary it seems it is something related to a NAT issue where the Branch  WAE is seeing the initiated sessions as X.X.X.X/16 - Y.Y.Y.Y/16 while the core sees them as Z.Z.Z.Z/16 - X.X.X.X/16.

Considering that I cannot perform identity nat or terminate the VPN on Tier2 ASA, is there any solution to make the waas work with the servers natted to the Y.Y.Y.Y/16 range?



Everyone's tags (3)
Cisco Employee

Re: WAAS - WAE and Servers behind NAT

Hi Jad,

Thanks for your post.  For the results you describe in the first bullet ("VPN at the DC terminated on Tier1 ASA"), can you please post the relevant output from the command sh stat conn on each WAE?