Hi,

I have the attached network topology:

A VPN is setup between the Branch RTR and DC Tier1 ASA. Branch WAE is registered with the natted IP of the core CM on Y.Y.Y.a. Branch users access the servers on their natted IPs Y.Y.Y.Y/16. At the Branch wccp redirection is setup at the Branch router while at the DC L2 redirection is configured on the Core SW.

I got the follwoing results from the tests I perfomed:

• With the VPN at the DC terminated on Tier1 ASA, traffic is not being optimization and even dropped after activating wccp redirection. the Branch WAE is able to see the connection statistics with the peer wae while the Core WAE is able to the connections without the peer. In brief no optimization is occurring and traffic is being dropped.
• With the VPN at the DC terminated on Tier2 ASA (matching traffic changed to X.X.X.X/16 -> Z.Z.Z.Z/16), optimization is wotking properly
• With the VPN at the DC terminated on Tier1 ASA with identity nat configured on Tier2 ASA (Z.Z.Z.Z/16 - Z.Z.Z.Z/16), optimization is working properly

As a summary it seems it is something related to a NAT issue where the Branch  WAE is seeing the initiated sessions as X.X.X.X/16 - Y.Y.Y.Y/16 while the core sees them as Z.Z.Z.Z/16 - X.X.X.X/16.

Considering that I cannot perform identity nat or terminate the VPN on Tier2 ASA, is there any solution to make the waas work with the servers natted to the Y.Y.Y.Y/16 range?

Regards,

Jad