Showing results for 
Search instead for 
Did you mean: 

Community Helping Community


ASA Can perform 'policy NAT' but VPNs not work


Have not stayed in US or UK other than for a couple of vacation/work trips. Was at the Cisco Live! 2013 London last year.

The thing is, we start to learn English from age 9 or so at third grade so there has been plenty of time to learn and considering all the TV Series/Movies/Games are in English (atleast the good ones ) its pretty inevitable that you will learn some English. Also same thing with my networking studies, all in English. Main problem is that you tend to get to write it more than actually talk it.

- Jouni


Re: ASA Can perform 'policy NAT' but VPNs not work

Hi Jouni,

Just a quick update, and a bit of a strange one but I'm getting these results...

Version 8.6.1

Method 1 :

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside-nets

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

These NAT commands work and traffic uses the correct egress depending on source IP

Method 2:

nat (hostcust01-inside,hostcust01-outside) after-auto source dynamic hostcust01-inside-nets hostcust02-outside-PAT destination static ALL ALL

nat (hostcust02-inside,hostcust02-outside) after-auto source dynamic hostcust02-inside-nets hostcust02-outside-PAT destination static ALL ALL

These commands do not work

Upgrade to Version 9.1.1

Once upgraded the opposite to applies, method 1 does NOT work, however, method 2 does

But VPN identity NAT still refuses to work,  whichever IOS is used, so it still can not be deployed in a customer network, the ASA seems to ignore the identity NAT rules even though they are at the top of the NAT list

I'll try to engage TAC

Cheers Tony


ASA Can perform 'policy NAT' but VPNs not work

I drew a blank with TAC as they won't open a case for me without a support contract.... to fix the problem in their ASA X series platform :-/

I've worked around the issue by utilising the 2 default contexts and have a dedicated VPN context now (L2L VPN supported in 9.1.1)

So now I've got policy based static nat and L2L VPN working.

Regards Tony

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here