VPN Passthrough question

Unanswered Question
Mar 11th, 2008

How do I allow VPN passthrough on my ASA 5505? I believe I need to allow at least ports 500 udp and 4500 udp and port 50 TCP??

Can someone please give an example of the correct access-list needed?

Thank you in advance.


srue Tue, 03/11/2008 - 11:19

here's a generic config for enabling ipsec passthru...

class-map ike_traffic
 match port udp eq 500
policy-map global_policy
 class ike_traffic
  inspect ipsec-pass-thru
access-list outside_in permit udp any any eq 500
access-group outside_in in interface outside


just to be sure, you have a vpn device behind (internal to) the asa 5505 and you're not terminating vpn's on the 5505?
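
Added example, not part of srue's post or Cisco's own tooling: a small Python audit that reads an ASA-style config and reports which IPsec passthrough elements it explicitly references, and flags entries that treat ESP as a TCP or UDP port. The function name `audit_passthrough`, the sample config and the rule that `inspect ipsec-pass-thru` counts as ESP coverage are assumptions made for illustration.

```python
import re

# Standard IPsec facts: IKE is UDP 500, NAT-T is UDP 4500, and ESP is
# IP protocol 50 (a protocol number, not a TCP or UDP port).
ACL_RE = re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+(\S+)\s+(.*)$")
PORT_NAMES = {"isakmp": 500}  # ASA keyword for UDP 500

# Constructed sample: the config posted in this thread plus one extra line
# that mirrors the "port 50 TCP" guess from the question.
SAMPLE_CONFIG = """\
class-map ike_traffic
 match port udp eq 500
policy-map global_policy
 class ike_traffic
  inspect ipsec-pass-thru
access-list outside_in permit udp any any eq 500
access-list outside_in permit tcp any any eq 50
access-group outside_in in interface outside
"""

def audit_passthrough(config):
    """Report which IPsec passthrough elements the config explicitly references."""
    found = {"ike": False, "nat_t": False, "esp": False, "warnings": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "inspect ipsec-pass-thru":
            found["esp"] = True  # assumption: the inspection handles ESP for IKE flows
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        proto, rest = m.group(1).lower(), m.group(2)
        eq = re.search(r"\beq\s+(\S+)\s*$", rest)  # destination port, if any
        tok = eq.group(1).lower() if eq else ""
        port = PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)
        if proto in ("esp", "50"):
            found["esp"] = True
        elif proto == "udp" and port == 500:
            found["ike"] = True
        elif proto == "udp" and port == 4500:
            found["nat_t"] = True
        elif proto in ("tcp", "udp") and port == 50:
            found["warnings"].append(f"{proto} port 50 is not ESP (IP protocol 50): {line}")
    return found

if __name__ == "__main__":
    print(audit_passthrough(SAMPLE_CONFIG))
```

On the sample, the audit reports IKE and ESP as referenced, no explicit UDP 4500 entry, and one warning for the TCP port 50 line.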

cejhelp04 Tue, 03/11/2008 - 13:02

Thank you srue for your response. I have tried working with the config you posted, but I have not had success so far.

To your question, I am hoping to use the Cisco software VPN client as the endpoint behind the asa 5505.

I am trying to avoid terminating on the 5505 itself, as I would prefer no auto connect, and also want to limit vpn access only to computers with the software client installed.

Is this a logical pursuit?