diff --git a/apps/rego-tunnel/shared/cisco-vpn b/apps/rego-tunnel/shared/cisco-vpn
index 70dca5f..c27f95b 100755
--- a/apps/rego-tunnel/shared/cisco-vpn
+++ b/apps/rego-tunnel/shared/cisco-vpn
@@ -341,32 +341,34 @@ setup_forwarding() {
     log DEBUG "NAT masquerade for container network already exists"
   fi
-  # Forward rules - MUST be inserted at position 1 to run BEFORE cisco VPN chains
+  # Forward rules - MUST be at position 1 to run BEFORE cisco VPN chains
   # The cisco VPN chains have catch-all DROP rules that would block our traffic
-  if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
-    run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
+
+  # Wait for Cisco to create its chains (they appear after VPN connects)
+  local wait_count=0
+  while ! iptables -L ciscovpn -n &>/dev/null && [ $wait_count -lt 30 ]; do
+    log DEBUG "Waiting for Cisco VPN chains to be created..."
+    sleep 1
+    ((wait_count++))
+  done
+
+  if iptables -L ciscovpn -n &>/dev/null; then
+    log DEBUG "Cisco VPN chains detected"
   else
-    log DEBUG "Forward rule (to target) already exists"
+    log WARN "Cisco VPN chains not created after ${wait_count}s - proceeding anyway"
   fi
-  if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
-    run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
-  else
-    log DEBUG "Forward rule (from target) already exists"
-  fi
+  # Remove any existing rules first (ignore errors if they don't exist)
+  iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+  iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+  iptables -D FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
+  iptables -D FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
-  # Accept forwarding from container network
-  if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
-    run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
-  else
-    log DEBUG "Forward rule (from container network) already exists"
-  fi
-
-  if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
-    run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
-  else
-    log DEBUG "Forward rule (to container network) already exists"
-  fi
+  # Insert at position 1 (reverse order so they end up in correct order)
+  run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
+  run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
+  run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
+  run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
   # Cisco VPN chain bypass (insert at top if chain exists)
   if iptables -L ciscovpn -n &>/dev/null; then
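Review bot: `((wait_count++))` in the new wait loop returns exit status 1 on the first iteration (post-increment evaluates to 0), so if this script runs under `set -e` (not visible in the hunk, so unconfirmed) the first poll aborts the whole script instead of waiting; safer is `wait_count=$((wait_count + 1))` together with a quoted test such as `[[ "$wait_count" -lt 30 ]]`. Separately, each `iptables -D ... || true` removes only one matching rule, so duplicates accumulated by earlier runs survive and keep sitting at the top of FORWARD; a `while iptables -D ...; do :; done` loop would drain them. Also worth noting: the `-s 172.31.0.0/24 -j ACCEPT` and `-d 172.31.0.0/24 -j ACCEPT` rules inserted at position 1 let any forwarded traffic to or from the container network bypass the Cisco DROP chains, not only the traffic to `$TARGET_IP`; pairing source and destination (e.g. `-s 172.31.0.0/24 -d "$TARGET_IP"` and its reverse) would keep the bypass least-privilege. setup_forwarding begins before this hunk and continues past its end.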