Hi,

I found very strange issue regarding L2L IPSec VPN tunnel.

on ASA 5510 I have Site to Site Tunnels created for many clients and they all are working fine.

Now for new client I am creating VPN tunnel and as soon as I add nonat statement, I see that I have no connection to ASA 5510 and Internet also disconnects for every one,

I have to wait to 30 seconds then Internet comes up and Everything works fine but I see nonat stement is not added.

sh run nat

nat (INSIDE-VL10) 0 access-list INSIDE_NAT0

nat (INSIDE-VL10) 1 10.7.10.0 255.255.255.0

nat (INSIDE-VL15) 0 access-list INSIDE_NAT0

nat (INSIDE-VL15) 1 10.7.15.0 255.255.255.0

nat (INSIDE-VL5) 0 access-list INSIDE_NAT0

nat (INSIDE-VL5) 1 10.7.5.0 255.255.255.0

nat (INSIDE-VL25) 0 access-list INSIDE_NAT0

nat (INSIDE-VL25) 1 10.7.25.0 255.255.255.0

sh run access-list INSIDE_NAT0

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT1_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT11_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SF object-group ABC_LAN-NET

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN-SF

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-ML object-group ABC_LAN-NET

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN-ML

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT2_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN_RVPN-ADMIN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT3_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group CLIENT4_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group CLIENT5_LAN

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT6_LAN

########################New Config

object-group network NEWCLIENT_LAN

network-object 10.34.123.184 255.255.255.252

network-object 10.34.185.224 255.255.255.248

network-object 10.45.103.192 255.255.255.192

access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group NEWCLIENT_LAN

access-list VPN_ABC-NEWCLIENT extended permit ip object-group ABC_LAN-SS object-group NEWCLIENT_LAN

access-list VPN-FILTER_NEWCLIENT-ABC extended permit ip object-group NEWCLIENT_LAN object-group ABC_LAN-SS

crypto map outside_map0 25 match address VPN_ABC-NEWCLIENT

crypto map outside_map0 25 set pfs

crypto map outside_map0 25 set peer 6.6.6.6

crypto map outside_map0 25 set transform-set ESP-AES-256-SHA

crypto map outside_map0 25 set security-association lifetime seconds 28800

group-policy VPNGP_ABC-NEWCLIENT internal

group-policy VPNGP_ABC-NEWCLIENT attributes

vpn-filter value VPN-FILTER_NEWCLIENT-ABC

tunnel-group 6.6.6.6 type ipsec-l2l

tunnel-group 6.6.6.6 general-attributes

default-group-policy VPNGP_ABC-NEWCLIENT

tunnel-group 6.6.6.6 ipsec-attributes

pre-shared-key fdfsf

isakmp keepalive threshold 30 retry 5

route OUTSIDE 10.34.123.184 255.255.255.252 183.82.0.1 1

route OUTSIDE 10.34.185.224 255.255.255.248 183.82.0.1 1

route OUTSIDE 10.45.103.192 255.255.255.192 183.82.0.1 1