ASA5505 unable to VPN over a NAT'd address

Unanswered Question
Jun 23rd, 2008


I am trying to migrate to a ASA5505 from our pix.

Most of our network uses PAT on our outside interface, but I have a small pool of addresses which I NAT to on the inside; when I do this they are unable to VPN out to remote sites.

This worked great on the PIX but not on the ASA. I can see port udp 500 coming back to the client, but port udp 4500 disappears on its return journey between the two ASA interfaces.



chrisdavin Mon, 06/23/2008 - 08:03


This is not a connection to the ASA, but a connection through it whilst using a NAT'd IP.

I have assigned a NAT to a PC on the inside of the ASA, but when the PC opens a Cisco VPN client and tries to connect to a remote Cisco firewall the user is unable to connect; when he uses a PAT'd address it works fine.


Amadou TOURE Mon, 06/23/2008 - 09:20


What is the IP of your PC according to your configuration file?


chrisdavin Mon, 06/23/2008 - 09:42


The PC is

The old PIX line used to be

static (inside,outside) netmask

for sixteen addresses.

I have just got it to work by using the following two lines

global (outside) 2

nat (inside) 2

I can't believe the above (times sixteen) is the only way to get it working: 32 lines instead of just 1 line.
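For the sixteen-address case described above, the pre-8.3 PIX/ASA syntax also accepts a network static that covers a whole aligned subnet in one line. This is an added example, not from this thread, using constructed addresses; whether it restores the UDP 4500 return traffic for the client is not something the thread establishes.

```text
! Constructed example addresses: inside hosts 192.168.1.16-31 map one-to-one
! to public 203.0.113.16-31 (a /28, netmask 255.255.255.240).
! One network static replaces sixteen per-host static lines.
static (inside,outside) 203.0.113.16 192.168.1.16 netmask 255.255.255.240

! Keep NAT-T enabled (the setting chrisdavin already tried) so IKE can
! switch to UDP 4500 when it detects NAT on the path.
crypto isakmp nat-traversal 20

! Verification: confirm the one-to-one translation exists for a test host
! and watch for the UDP 4500 connection after the client starts IKE.
show xlate | include 192.168.1.20
show conn | include 4500
```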


Amadou TOURE Mon, 06/23/2008 - 09:52

Your configuration (with global) is a dynamic NAT so it's unidirectional while static is bidirectional.

Did you change something in the client configuration?

What are the client parameters?

Amadou TOURE Mon, 06/23/2008 - 09:54

I meant that this NAT configuration could determine the behavior of the server side by using NAT-traversal or not.

chrisdavin Tue, 06/24/2008 - 00:08

I have done the isakmp nat-traversal, but it did not make any difference.

mohammed_moustafa Tue, 06/24/2008 - 01:47

Hi Chris,

When you added this line to the ASA, it didn't work? 'static (inside,outside) netmask '


chrisdavin Tue, 06/24/2008 - 02:06


It did work. I checked whatsmyip to confirm it was translating OK.

I can see udp 500 coming back to the client, but udp 4500 only gets back as far as the outside interface and never exits the internal interface to reach the client.

So the NAT is definitely working, but it just does not pass back the udp 4500.

