Avatar of cns13
cns13Flag for United States of America

asked on 

Problem with VPN Policy Nat on Cisco ASA

I have a Cisco ASA policy nat issue that's vexing me.  I'm trying to build a vpn between my customer's ASA and an outside vendor.  My customer has an inside range of 10.1.1.x/24, so I am policy natting it on my side.  My customer has a server at that must be visible across the vpn.   The vendor has asked me to nat it to  (The vendor's subnet is  So I've put the following lines in my config:

access-list vpn extended permit ip host
access-list nat extended permit ip host
static (inside,outside)  access-list nat

When I do a "show xlate" command I see the following:

Global Local

That suggests my translation is working.  And when I do a "show nat" command I get:

  match ip inside host outside
    static translation to
    translate_hits = 0, untranslate_hits = 54

I'm wondering there if the 0 translated hits is a problem or not.

The issue is this.  The tunnel comes up fine.  And the vendor can send traffic to me, but I send no return traffic to him.  When I do a "sho crypto" command I see the following:

    Crypto map tag: VPN, seq num: 3, local addr: 64.69.xxx.xxx

      access-list vpn permit ip host
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (
      current_peer: 198.245.xxx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

So I have gotten 169 packets but haven't sent any back.  And in my log files I'm seeing the following:

Jan 22 2009 13:04:50: %ASA-3-106014: Deny inbound icmp src inside: dst inside: (type 0, code 0)

That seems odd to me, as the address shouldn't show as an "inside" address if it's the other end of a vpn tunnel, should it?

It seems like something isn't set quite right.

Hardware Firewalls

Avatar of undefined
Last Comment
Avatar of JFrederick29
Flag of United States of America image

Config looks good and you are right in your thinking that traffic is coming in but no return traffic is making it back over the tunnel.

Make sure the ASA has a route to the vendor subnet via the outside interface:

route outside <outside next hop>

Also, verify their is routing on the inside to the subnet via this ASA if it is not "the" Internet Firewall that the inside default route/gateway points to.
Avatar of cns13
Flag of United States of America image


Thanks JFrederick29.

Not sure about adding the route though:

route outside <outside next hop>

I've built probably a thousand vpn tunnels on Pixes and ASAs over the past ten years and never had to do that.  (In fact, I've built tunnels with exactly this kind of policy natting on old Pix 6.3 code and had it work fine.)  The traffic to that subnet should traverse the vpn tunnel once it's established.

The routing internal to the 10.1.1.x network is good as this is the only path out of the network.  So the default route covers it.  (And if the routing were wrong I wouldn't be seeing the error messages in my log files.)

Avatar of JFrederick29
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of cns13
Flag of United States of America image


Arrrg . . .

". . . and no 10.x.x.x routes to the inside,"  Crap, that was it.  I had a summarized route pointing all traffic back to their internal WAN router.  I didn't think to look there as I normally never do that for exactly this reason.  But after you said that I went back and checked and that was it.

I hate it when it's the dumb stuff.

Thanks for your help.

Hardware Firewalls
Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo