New VPN setup for ASA5505 - Getting from the Internet to the ASA

Sep 11th, 2008

I am setting up an ASA5505 for IPsec VPN and cannot get the VPN client to connect.

The modem/router at the ASA site is a ZyXel 660. How do I get the ISP-provided DSL WAN address to the ASA5505? Port forwarding on the ZyXel? Basically, forward all traffic to the ASA?

Currently the ZyXel has assigned to the ASA. Do I also need to manually assign the ZyXel's WAN IP to the outside vlan on the ASA?

Regards from the Cisco newbie!

dhananjoy chowdhury Thu, 09/11/2008 - 22:55

You can configure the Zyxel modem in bridge mode and then configure the ASA box as a PPPoE client.

Then the ASA box Outside interface will get the public

But the only problem I see is if the ISP is giving you dynamic IPs.

Every time the IP changes you need to make changes at the IPSEC vpn peer site.

obeat4cisco Wed, 09/17/2008 - 19:24

I configured the ZyXel for bridge mode and proceeded with the pppoe setup on the ASA.

The outside vlan got an IP, but I couldn't get out from the inside vlan.

A call to my DSL provider to see if there was a pppoe username and password revealed that they have moved away from pppoe and only provide DHCP or static IP service.

I configured outside to obtain an IP using DHCP and checked the box to configure the default route and everything worked.

Now I'm on to getting the VPN connection working (connecting from home to the ASA). I can connect using the VPN client but cannot see any resources on the inside vlan. Nothing is pingable, including the ASA.

My router at home was using the same subnet range as the inside vlan (192.168.1.x), so I changed the home router to use 192.168.10.x but still no luck. I am receiving an IP from the inside vlan's DHCP pool.

I am wondering if the following is what I need:

access-list Local_LAN_Access permit ip

Am I on the right track?


tyagi.v Wed, 09/17/2008 - 19:32


Try these commands:

crypto isakmp nat-traversal

sysopt connection permit-ipsec

Please rate if it works.

obeat4cisco Thu, 09/18/2008 - 12:12

I tried the commands you suggested but it had no effect.

The config file is attached. Thanks for all your assistance.


dansullivan Thu, 09/18/2008 - 06:13

First you must be able to pass an RFC1918 compliant IP address to the ASA. ( ) To do this you must set the ZyXel into bridge mode. ( ) Then set up your IP either manually or PPPoE. ( ) Then you may connect to your ASA from another internet based VPN endpoint. Please do not forget to rate if it helped.

obeat4cisco Fri, 09/19/2008 - 12:00

I did get bridge mode configured and the IP successfully passed to the ASA's outside network. I am now able to connect using the VPN client, but cannot ping any addresses on the inside network.

The config file is in a previous post in case that helps.


Anonymous (not verified) Sat, 09/20/2008 - 21:04

obeat4cisco Wed, 09/24/2008 - 11:24

This problem was resolved by the following steps:

- Put the DSL modem/router into bridge mode.

- Reset the ASA to factory defaults.

- Run the Startup Wizard, setting the outside vlan to get an IP via DHCP.

- Run the VPN Wizard.

- Issue two commands:

crypto isakmp nat-traversal

sysopt connection permit-ipsec

Thanks to everyone that contributed!
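
A check over the conditions raised in this thread, added here as an example (it is not code from any poster or from Cisco): it reads an ASA-style configuration and reports whether the client's home LAN overlaps the inside network, whether a VPN address pool is drawn from the inside subnet, and whether the `crypto isakmp nat-traversal` line is present. The sample configuration, the pool name `vpnpool` and the pool range are constructed; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, not the poster's attached config. Only the 192.168.1.x
# inside range and the 192.168.10.x home range come from the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
ip local pool vpnpool 192.168.1.50-192.168.1.60 mask 255.255.255.0
"""

def inside_network(config):
    """Network of the interface named 'inside', or None if it has no static address."""
    m = re.search(r"^ nameif inside\n(?:^ .*\n)*?^ ip address ([\d.]+) ([\d.]+)",
                  config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def vpn_pools(config):
    """(name, first, last) for every 'ip local pool' line."""
    pools = re.findall(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M)
    return [(n, ipaddress.ip_address(a), ipaddress.ip_address(b)) for n, a, b in pools]

def audit(config, client_lan):
    """Return findings for the three conditions discussed in the thread."""
    findings = []
    inside = inside_network(config)
    client = ipaddress.ip_network(client_lan)
    if inside and inside.overlaps(client):
        findings.append("client-lan-overlaps-inside")
    for name, first, last in vpn_pools(config):
        if inside and (first in inside or last in inside):
            findings.append(f"pool-{name}-in-inside-subnet")
    # Checks only for the line the thread's fix adds; absence from the text
    # is reported as-is, with no assumption about software defaults.
    if not re.search(r"^crypto isakmp nat-traversal", config, re.M):
        findings.append("nat-traversal-not-in-config")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "192.168.1.0/24"))   # home LAN before the change
    print(audit(SAMPLE_CONFIG, "192.168.10.0/24"))  # home LAN after the change
```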

