Client VPN through ASA

Unanswered Question
Aug 22nd, 2007

Hi,

Does anyone know what's going on here? One of the clients on the network launches a Cisco VPN client to an external resource and the client connects and is authenticated, but no traffic passes.

PAT is in use on the outside interface.

I have enabled NAT traversal and sysopt connection permit-ipsec.

Thanks

mattiaseriksson Wed, 08/22/2007 - 07:06

Hi, it is not you but the owner of the remote VPN server that has to enable NAT traversal, as it is part of the IKE negotiation between the IPsec peers.

Regards,

/Mattias

kinskins01 Wed, 08/22/2007 - 07:38

Hi, thanks for the response.

I have recently replaced a Sonicwall with an ASA, and the connection worked fine through the Sonicwall.

Any ideas?

mattiaseriksson Wed, 08/22/2007 - 07:50

If you only have one client on your LAN you can use IPsec passthrough, which is not enabled by default.

In ASA I think the command is inspect ipsec-pass-thru.

A Sonicwall probably has all features enabled by default; it wouldn't surprise me.

kinskins01 Thu, 08/23/2007 - 00:46

Hi,

When the VPN was established from the client I got the following warnings on the ASA:

regular translation creation failed for protocol 50 src inside:192.X.X.X. dst outside:159.X.X.X

It's related to PAT, so I went and put in a static entry for the client so it NATs out to its own public IP and hey presto, it worked.

Thanks for your help

anandramapathy Thu, 08/23/2007 - 05:12

Right -

This is usually set on the remote server end.

The option - IKE over TCP & port number - is available in the client. There is a UDP option also for this.

The default port for Cisco is 10000.

You can find this by initiating a session from the client and typing the following command:

show conn local ( ip of the client )

It will show you the connections.
