question about ASA5505 ipsec with NAT-T (gw-gw)

Unanswered Question
Jun 11th, 2009


I have an ASA 5505 with dual ISP working, a central site and a couple of branch offices. One of these branch offices has ADSL with NAT for the ISP backup; it means the backup ASA interface has a reserved IP and the ADSL modem uses NAT. All IPsec connections have NAT-T enabled; I'm using preshared keys for them.

When the connection has to be established over the backup line behind NAT, it always fails in phase 1 on identity mismatch.

I could not change the identity to hostname, because on the ASA there is no "ip host" command; I suppose that with "ip" missing, "host" should be misspelled with a "hostname" shortcut :-((

What's worse, it looks like identity "hostname" is not supported without aggressive mode. Aggressive mode is not supported for initiating, just for responding :-)

Is there any chance to use static IP - host name pairs on the ASA 5505?

I really don't want to use certificates for a gw-gw IPsec ...

If you have some idea, I'd prefer e-mail contact.

cindy toy Tue, 09/01/2009 - 09:13

Hi zdenek,

Thank you for your question. Sorry for the delay in response, but the ASA 5500 is a Cisco Classic product and this forum is for Cisco Small Business Products.

For more information on the ASA 5500 series, please click here.

Best regards,

Cindy Toy

Cisco Small Business Support

Community Manager

David Hornstein Sun, 09/13/2009 - 07:09


Try the following NetPro link.

But I have to wonder why the SP doesn't just give you a bridged link into their network; it would probably solve your problem, but I guess they do that for some technical reason.

ISAKMP is obviously failing whilst using maybe LOCAL ID or a private IP address (NAT-T process), I guess, when trying to identify your ASA during the phase 1 exchanges; you have probably gone past the proposal exchanges but are still stuck at Phase 1 identifying your ASA.

The best approach is to ask the SP if they can alter their CPE device to allow bridging to your location rather than routing through a NATted device. Hey, but that is obvious.

Give NetPro a try, as Cindy suggested; hopefully the link above is not broken.

Regards, Dave
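To make the Phase 1 failure discussed in this thread concrete, here is an added example (not code from the thread or from Cisco) that parses IKEv1/ISAKMP datagrams the way you would when troubleshooting from a packet capture: it strips the NAT-T non-ESP marker on UDP 4500, walks the payload chain, and reports whether the peer's identity is visible. In main mode the ID payload only arrives inside the encrypted 5th/6th message, after the responder has already picked a pre-shared key by source address (which, behind NAT, is the modem's public address), whereas in aggressive mode the ID travels in the clear in the first message, so a key can be selected by name. The two sample messages are constructed inline and labelled as such; payload and exchange-type numbers are from RFC 2408/2407/3947/3948.

```python
import struct

# Constants from RFC 2408 (ISAKMP), RFC 2407 (ID types) and RFC 3947/3948 (NAT-T).
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # 4 zero bytes that prefix IKE on UDP 4500
FLAG_ENCRYPTION = 0x01                     # header flag: payloads after the header are encrypted
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def parse_isakmp(datagram: bytes, udp_port: int) -> dict:
    """Parse one IKEv1 datagram; return exchange type, payload chain and any clear-text ID."""
    body, natt = datagram, False
    if udp_port == 4500:                   # NAT-T floated port: strip the non-ESP marker
        if not datagram.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 datagram without non-ESP marker (ESP-in-UDP, not IKE)")
        body, natt = datagram[4:], True
    if len(body) < 28:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, ptype, ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", body[:28])
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    if length != len(body):
        raise ValueError("ISAKMP length field does not match datagram")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, identity, off = [], None, 28
    # The payload chain can only be walked while the message is not encrypted.
    while ptype != 0 and not encrypted:
        if off + 4 > len(body):
            raise ValueError("payload header runs past end of message")
        nxt, _reserved, plen = struct.unpack("!BBH", body[off:off + 4])
        if plen < 4 or off + plen > len(body):
            raise ValueError("bad payload length")
        data = body[off + 4:off + plen]
        payloads.append(PAYLOAD_NAMES.get(ptype, f"type{ptype}"))
        if ptype == 5 and len(data) >= 4:  # ID payload: id_type(1) proto(1) port(2) data
            id_type, id_data = data[0], data[4:]
            if id_type == 1 and len(id_data) == 4:
                value = ".".join(str(b) for b in id_data)
            else:
                value = id_data.decode("ascii", "replace")
            identity = (ID_TYPES.get(id_type, f"type{id_type}"), value)
        off, ptype = off + plen, nxt
    return {"nat_t": natt, "exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"),
            "encrypted": encrypted, "payloads": payloads, "identity": identity}


def explain(info: dict) -> str:
    """Say why a responder can or cannot match a pre-shared key for this message."""
    if info["identity"] is not None:
        kind, value = info["identity"]
        return (f"{info['exchange']} mode: peer sent ID {kind}={value} in the clear, "
                "so the responder can select the pre-shared key by that name")
    if info["exchange"] == "main" and info["encrypted"]:
        return ("main mode: ID is inside the encrypted 5th/6th message, so the pre-shared key "
                "was already selected by source address; behind NAT that is the NAT device's "
                "public address, not the identity the ASA expected")
    return f"{info['exchange']} mode: no identity visible in this message"


# ---- Constructed sample messages (not real captures) ----------------------
def build_message(exchange: int, flags: int, payloads: list, natt: bool) -> bytes:
    """Assemble an ISAKMP message from (payload_type, payload_body) pairs."""
    chain = b""
    for i, (ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", following, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange, flags, 0, 28 + len(chain))
    return (NON_ESP_MARKER if natt else b"") + hdr + chain


# Aggressive mode message 1 on UDP 500: SA, KE, NONCE, ID (FQDN) and NAT-D, all in clear.
SAMPLE_AM1 = build_message(4, 0, [
    (1, b"\x00\x00\x00\x01"), (4, b"\x00" * 16), (10, b"\x00" * 8),
    (5, b"\x02\x11\x00\x00" + b"branch.example.net"),  # FQDN, proto UDP(17), port 0
    (20, b"\x00" * 20)], natt=False)

# Main mode message 5 on UDP 4500: ID + HASH follow the header, but the encryption flag is set.
SAMPLE_MM5 = build_message(2, FLAG_ENCRYPTION, [(5, b"\x00" * 36)], natt=True)


def analyse(datagram: bytes, udp_port: int) -> str:
    """One-line troubleshooting verdict for a captured IKEv1 datagram."""
    return explain(parse_isakmp(datagram, udp_port))


if __name__ == "__main__":
    print(analyse(SAMPLE_AM1, 500))
    print(analyse(SAMPLE_MM5, 4500))
```

Feed `parse_isakmp` the UDP payload and port of a captured Phase 1 packet; if every message from the NATted branch is main mode with the encryption flag set before any ID is seen, the mismatch is a key-selection-by-address problem rather than a wrong key, which is exactly the situation the original poster describes.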
