Troubleshooting Question

Problem with VPN Policy Nat on Cisco ASA

Asked by cns13 in Hardware Firewalls
I have a Cisco ASA policy nat issue that's vexing me.  I'm trying to build a vpn between my customer's ASA and an outside vendor.  My customer has an inside range of 10.1.1.x/24, so I am policy natting it on my side.  My customer has a server at that must be visible across the vpn.   The vendor has asked me to nat it to  (The vendor's subnet is  So I've put the following lines in my config:

access-list vpn extended permit ip host
access-list nat extended permit ip host
static (inside,outside)  access-list nat

When I do a "show xlate" command I see the following:

Global Local

That suggests my translation is working.  And when I do a "show nat" command I get:

  match ip inside host outside
    static translation to
    translate_hits = 0, untranslate_hits = 54

I'm wondering there if the 0 translated hits is a problem or not.

The issue is this.  The tunnel comes up fine.  And the vendor can send traffic to me, but I send no return traffic to him.  When I do a "sho crypto" command I see the following:

    Crypto map tag: VPN, seq num: 3, local addr: 64.69.xxx.xxx

      access-list vpn permit ip host
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (
      current_peer: 198.245.xxx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

So I have gotten 169 packets but haven't sent any back.  And in my log files I'm seeing the following:

Jan 22 2009 13:04:50: %ASA-3-106014: Deny inbound icmp src inside: dst inside: (type 0, code 0)

That seems odd to me, as the address shouldn't show as an "inside" address if it's the other end of a vpn tunnel, should it?

It seems like something isn't set quite right.
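As an added illustration, not part of the original question or the answer it received, here is the ASA 8.2-style policy NAT pattern the question describes, written out with constructed placeholder addresses so the relationships are visible: 10.1.1.50 stands in for the customer server (10.1.1.0/24 is the range given in the question), 172.16.5.50 for the address the vendor asked it to be presented as, and 192.168.100.0/24 for the vendor subnet; all three, and the ACL names, are assumptions. The packet-tracer lines at the end are the check a practitioner would run to see where a server-originated reply is actually dropped, which is the gap that translate_hits = 0 and the 106014 deny leave open.

```cisco
! Added example with constructed addresses (not taken from the original post):
!   10.1.1.50         customer server on the inside (assumed host in 10.1.1.0/24)
!   172.16.5.50       address the vendor wants to see the server as (assumed)
!   192.168.100.0/24  vendor subnet behind the remote peer (assumed)
!
! Crypto ACL: interesting traffic is written in terms of the TRANSLATED
! address, because on the ASA NAT is applied before the outbound packet is
! matched against the crypto map.
access-list vpn extended permit ip host 172.16.5.50 192.168.100.0 255.255.255.0
!
! Policy NAT ACL: only server-to-vendor traffic gets the translation, so any
! other traffic from 10.1.1.50 keeps its normal NAT behaviour.
access-list nat extended permit ip host 10.1.1.50 192.168.100.0 255.255.255.0
static (inside,outside) 172.16.5.50 access-list nat
!
! Ordering caveat: a NAT exemption (nat (inside) 0 access-list ...) that also
! matches 10.1.1.50 -> 192.168.100.0/24 is evaluated BEFORE the static policy
! NAT and would leave the server untranslated; keep the exemption ACL narrower.
!
! Checks.  Simulate the server's echo reply (ICMP type 0, code 0) toward a
! vendor host.  The phases should show NAT rewriting 10.1.1.50 -> 172.16.5.50,
! a VPN encrypt phase, and "output-interface: outside".  An output interface
! of "inside" means the vendor subnet is being routed back into the LAN,
! which is what a deny with both src and dst on "inside" points at.
packet-tracer input inside icmp 10.1.1.50 0 0 192.168.100.10
!
! Simulate the vendor's echo request arriving through the tunnel, which
! exercises the untranslate direction (untranslate_hits in "show nat").
packet-tracer input outside icmp 192.168.100.10 8 0 172.16.5.50
!
! Confirm the vendor subnet is reached via outside (a default route is
! enough; any more specific route pointing at inside breaks the return path).
show route | include 192.168.100
show nat
```

The two packet-tracer runs split the problem in half: the first tells you whether inside-originated packets are matched by the policy NAT and the crypto map at all, the second whether the inbound translation is set up the way the vendor expects. Both use only the placeholder addresses above and need to be adjusted to the real ones.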
