vpn issues urgent

Unanswered Question
Aug 30th, 2007

Hi all, we have recently set up a remote access VPN using the VPN client, terminating on an ASA 5520. I am getting issues now where my clients connect fine to the VPN and get a DHCP address etc., but then can't see anywhere inside my LAN. It works fine from broadband etc. at home, but I tried to access it via a Vodafone 3G card, and other users from other companies say they are now having this issue also. What could the problem be? Routing surely is fine, as they can get the VPN connected. Please can anyone help?


acomiskey Thu, 08/30/2007 - 06:08

How about a config?

Make sure you have `crypto isakmp nat-traversal`.

carl_townshend Thu, 08/30/2007 - 06:13

What does that do?

I don't understand why it does not work for some people, as they do get connected and get an IP address from the device. I cannot get a config at the moment. Has anyone had any similar problems like this?


acomiskey Thu, 08/30/2007 - 06:16


This allows people coming from behind NAT devices to use NAT-T (UDP 4500). Your symptoms are exactly what would occur if it was not enabled: the client will connect but not be able to pass traffic.

This command is disabled by default and is the #1 issue for remote access VPNs.

carl_townshend Thu, 08/30/2007 - 06:53

Thanks for that.

Can you please explain what this exactly does for the client end, and what does this command do?

carl_townshend Thu, 08/30/2007 - 07:06

Is this all tunneled in port 80?

And how do I turn this command on via the ASDM manager?

Thanks for the prompt response.


acomiskey Thu, 08/30/2007 - 07:15

We're talking about IPsec VPN here, right?

No, it is tunneled in UDP port 4500.

Configuration -> VPN -> IKE -> Global Parameters -> check the box for "Enable IPSec over NAT-T"
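To make the distinction in this thread concrete, here is an added example (not from the thread or from Cisco) that classifies the flows an ASA outside interface would see from VPN clients, and checks a running-config snippet for the `crypto isakmp nat-traversal` line. The flow records and config text are constructed sample data.

```python
from collections import defaultdict

IKE_PORT = 500     # ISAKMP/IKE negotiation (udp/500)
NAT_T_PORT = 4500  # IPsec over NAT-T: IKE plus UDP-encapsulated ESP (udp/4500)

def classify_client(flows):
    """flows: (proto, dport) pairs seen from one client on the outside interface.
    Returns 'nat-t', 'native-esp', 'ike-only' or 'no-vpn'."""
    seen = set(flows)
    saw_ike = ("udp", IKE_PORT) in seen
    saw_natt = ("udp", NAT_T_PORT) in seen
    saw_esp = any(proto == "esp" for proto, _ in seen)  # raw ESP (IP proto 50), no port
    if saw_natt:
        return "nat-t"
    if saw_ike and saw_esp:
        return "native-esp"
    if saw_ike:
        return "ike-only"  # tunnel negotiated, no data path: the symptom in the thread
    return "no-vpn"

def diagnose(records):
    """records: (src_ip, proto, dport) tuples; returns {src_ip: state}. A client
    behind NAT shows up as 'ike-only' when NAT-T is off, since its raw ESP is lost."""
    by_client = defaultdict(list)
    for src, proto, dport in records:
        by_client[src].append((proto, dport))
    return {src: classify_client(flows) for src, flows in by_client.items()}

def nat_traversal_enabled(running_config):
    """True if the ASA config turns on NAT-T ('crypto isakmp nat-traversal'), which is
    off by default; a later 'no crypto isakmp nat-traversal' disables it again."""
    enabled = False
    for line in running_config.splitlines():
        line = line.strip()
        if line.startswith("no crypto isakmp nat-traversal"):
            enabled = False
        elif line.startswith("crypto isakmp nat-traversal"):
            enabled = True
    return enabled

# Constructed sample data (documentation addresses), not captured from a real ASA.
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 500), ("192.0.2.10", "esp", None),  # home broadband, public IP
    ("198.51.100.23", "udp", 500),                             # 3G card behind carrier NAT
    ("203.0.113.9", "tcp", 80),                                # plain web browsing
]
SAMPLE_CONFIG = "crypto isakmp enable outside\ncrypto isakmp policy 10\n"  # no NAT-T line
```

The client behind carrier NAT comes out as `ike-only`: IKE on udp/500 completed, so it "connected", but with NAT-T off its ESP never made it back through the NAT, which is why it sees nothing on the LAN.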

carl_townshend Thu, 08/30/2007 - 07:27

But how is this so? I thought VPN is tunneled across the web using port 80. As my firewall only allows clients to go out on port 80, how will it let port 4500 out?

Please explain.


acomiskey Thu, 08/30/2007 - 07:55

I'm sorry I don't understand what you mean.

VPN clients accessing your firewall are connecting on UDP 500 or 4500, not port 80.

You may be allowing internal clients out on port 80; this has nothing to do with VPN clients connecting to your firewall.

Please explain.

carl_townshend Thu, 08/30/2007 - 08:00

I always thought IPsec tunnels via port 80. So if I was behind a firewall internally and wanted to allow VPN clients from inside to VPN out, would I need to allow them ports from inside to anywhere outside?


acomiskey Thu, 08/30/2007 - 08:37


You would need to allow them access to wherever they were attempting to VPN to.

I think we're getting off the subject a little. Did you try to enable NAT-T in ASDM? Did it solve your problem?

