Cisco Employee

Reference document for handling the NAT aspect of U-turning RA VPN client traffic

Example of U-turning Internet traffic (i.e. the VPN connects with a tunnel-all policy but you still need Internet access)

Topology:  inside(ASA1)outside------------Internet
                                 ===VPN===VPN Client (vpnclient pool)

object network obj-vpnpool
 nat (outside,outside) dynamic interface

Example of U-turning RA VPN traffic across another L2L (i.e. your VPN client connects to one ASA but needs to reach remote subnets at another ASA across a L2L tunnel)

Topology:  inside(ASA1)outside===VPN===outside(ASA2)inside
                                 ===VPN===VPN Client (vpnclient pool)

object network obj-vpnpool

object network obj-remote

nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote

You may also need the reverse (logs will indicate an asymmetric entry) if you are running code without the fix for CSCth72642:

nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool

*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the VPN NAT statement at the top of all my NAT statements.


Level 1

This helped me out with getting my config working!! Thanks a lot.

The fix for CSCth72642 is for the asymmetric error?

How do I apply this fix?

Thanks again.

Hi hdashnau,

This helped me get a little bit closer to giving my VPN L2TP/IPsec users Internet access through the tunnel, but it seems that I get the response from the DNS server and nothing more. This is my config, omitting unnecessary information:

group-policy my-policy attributes
 split-tunnel-policy tunnelall

object network vpn_client
 nat (outside,outside) dynamic interface

I also tried this other NAT rule and got the same result:

nat (outside,outside) source dynamic vpn_client interface

I would really appreciate the help. Thanks in advance.

Level 1


You need this command: "same-security-traffic permit intra-interface"

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface    Permits communication between different interfaces that have the same security level.

intra-interface    Permits communication in and out of the same interface.

Thanks for the tip, I was missing exactly that. Everything is working flawlessly now.
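The thread above lists three things a U-turn of RA VPN client traffic depends on: the hairpin NAT on (outside,outside) for the VPN pool (object NAT in the original post, or the twice-NAT "source dynamic ... interface" form tried in the second post), the identity twice-NAT pair for the L2L case (with the reverse rule on code without the CSCth72642 fix, and the "1" to keep the VPN rule at the top of section 1), and "same-security-traffic permit intra-interface", which the last reply turned out to be the missing piece. The following lint script is an added example, not code from the thread or from Cisco: it reads a running-config as text and reports which of those pieces are absent. The object names, subnets and both sample configurations are constructed; it only recognizes the statement forms that appear in the thread and does not replace packet-tracer on the device.

```python
"""Lint an ASA running-config for the pieces a U-turn (hairpin) of RA VPN
client traffic needs, per the thread above.

Added example, not code from the thread or from Cisco. Object names,
subnets and the sample configurations are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

OBJECT_RE = re.compile(r"^object network (\S+)$")
# Object-NAT PAT, nested one space under "object network" (original post).
OBJ_PAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) dynamic interface$")
# Twice-NAT PAT form tried in the second post.
TWICE_PAT_RE = re.compile(r"^nat \((\S+),(\S+)\)(?: \d+)? source dynamic (\S+) interface$")
# Twice-NAT static rule with its optional section-1 position (the "1" in the post).
TWICE_STATIC_RE = re.compile(
    r"^nat \((\S+),(\S+)\)(?: (\d+))? source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)$"
)
HAIRPIN = ("outside", "outside")


def parse_config(text: str) -> Dict:
    """Collect the intra-interface permit and the NAT statements from config text."""
    cfg: Dict = {"intra_interface": False, "pat": [], "identity": []}
    current_obj: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # any top-level line closes the open object
            current_obj = None
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif (m := OBJECT_RE.match(line)):
            current_obj = m.group(1)
        elif (m := OBJ_PAT_RE.match(line)) and current_obj:
            cfg["pat"].append({"obj": current_obj, "ifaces": (m.group(1), m.group(2))})
        elif (m := TWICE_PAT_RE.match(line)):
            cfg["pat"].append({"obj": m.group(3), "ifaces": (m.group(1), m.group(2))})
        elif (m := TWICE_STATIC_RE.match(line)):
            real_src, mapped_src, real_dst, mapped_dst = m.group(4, 5, 6, 7)
            if real_src == mapped_src and real_dst == mapped_dst:  # identity NAT only
                cfg["identity"].append({"ifaces": (m.group(1), m.group(2)),
                                        "pos": int(m.group(3)) if m.group(3) else None,
                                        "src": real_src, "dst": real_dst})
    return cfg


def audit_uturn(text: str, vpn_pool: str, remote: Optional[str] = None,
                legacy_code: bool = False) -> List[str]:
    """Return findings; an empty list means every U-turn piece is present.
    remote=None audits the Internet U-turn, otherwise the L2L case; legacy_code
    models code without the CSCth72642 fix, where the reverse rule is needed too."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg["intra_interface"]:
        findings.append("missing 'same-security-traffic permit intra-interface': "
                        "traffic entering and leaving 'outside' is dropped")
    if remote is None:
        if not any(p["obj"] == vpn_pool and p["ifaces"] == HAIRPIN for p in cfg["pat"]):
            findings.append(f"no (outside,outside) PAT to the interface address for {vpn_pool}")
        return findings
    fwd = [r for r in cfg["identity"]
           if r["ifaces"] == HAIRPIN and r["src"] == vpn_pool and r["dst"] == remote]
    if not fwd:
        findings.append(f"no (outside,outside) identity NAT {vpn_pool} -> {remote}")
    elif fwd[0]["pos"] != 1:
        findings.append(f"identity NAT {vpn_pool} -> {remote} is not at position 1; "
                        "an earlier section-1 rule may match the VPN traffic first")
    if legacy_code and not any(r["ifaces"] == HAIRPIN and r["src"] == remote
                               and r["dst"] == vpn_pool for r in cfg["identity"]):
        findings.append(f"no reverse identity NAT {remote} -> {vpn_pool} "
                        "(needed on code without the CSCth72642 fix)")
    return findings


# Constructed sample: no intra-interface permit, VPN rule appended after another
# section-1 rule instead of at position 1, and no reverse rule.
SAMPLE_BROKEN = """\
object network obj-vpnpool
 subnet 10.10.10.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj-inside obj-inside destination static obj-remote obj-remote
nat (outside,outside) source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
"""

# Constructed sample with all the pieces from the thread in place.
SAMPLE_FIXED = """\
same-security-traffic permit intra-interface
object network obj-vpnpool
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool
"""

if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_uturn(sample, "obj-vpnpool", remote="obj-remote", legacy_code=True) or ["OK"])
```

Run it against a saved "show running-config" with the pool and remote object names from your own configuration; an empty result means the text-level pieces are present, after which packet-tracer from the outside interface on the device is the authoritative check of the actual NAT match and the section-1 order.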
