Cisco Software VPN Client connect fails to pass through ASA5505 to PIX515

Jun 15th, 2009

I am trying to connect my Cisco software VPN client (latest version) from home, behind an ASA5505 (v8.2), to my work VPN hosted by a PIX515 (v7.2).

(word diagram)


I've attached both logs.

The ASA and the PIX.

The 515 is confirmed to work, if I take the ASA out of the equation the client connects. I have l2l connections on the PIX that were taken out of the log before uploading.

I could set the ASA up as an L2L also, but I really want to understand why I can't get the client to connect if I put them behind an ASA.

I misspoke, I do connect if behind the ASA, and the PIX issues an address from the PIX pool dealer. I can't ping the 192.168.125.x network though, I'm calling it unable to connect.

I tried to run these commands on the ASA:

sysopt connection permit-vpn

crypto isakmp nat-traversal 20

And it seems to accept them, but when I do a show run, the commands are not there. I know these are vital, so if you could help me find out how to fix this, it would be greatly appreciated.

Thanks in advance,


Overall Rating: 5 (2 ratings)
Collin Clark Mon, 06/15/2009 - 13:35


Do you have an extra public IP on the ASA side? If so, create a full static NAT to the client and try VPN. That's the only way I've ever been able to get the client to traverse a firewall and establish a remote VPN connection. More of a work-around than a fix.

nathanmccoy Mon, 06/15/2009 - 13:50

No, the ASA is my home network with only a single static outside IP assigned to it.

The main reason for my post, and this setup, is that I plan to be shipping the ASA5505 to clients in the field that will still need to be able to connect via VPN client while behind the ASA because they don't have static outside IP addresses.

That's why I didn't just set up an l2l tunnel on the ASA. I need to be certain the Cisco VPN client can traverse the ASA to the PIX and back.

This was initially, what I thought would be a simple 'see it works' project that would take about an hour, but has turned into quite the task.

Thanks for the idea though.

Collin Clark Tue, 06/16/2009 - 05:25

If you do get this working, I'd appreciate if you could post the fix. Maybe you could open a TAC case on it?

nathanmccoy Tue, 06/16/2009 - 06:20

I know it will work, it's just a matter of fixing what I've done in the ASA config.

Unfortunately I do not have a TAC contract or this would have been solved a week ago.

I used the only other fountain of knowledge available to me, experts-exchange.

If I get the resolution, I will post it here also though. I'm sure I'm not the only NA facing this issue.

nathanmccoy Tue, 06/16/2009 - 09:31

Solution found.

Look back at my configs for the PIX and the ASA.

Are you ready?

I entered:

crypto isakmp nat-traversal 20

on the !PIX! and everything works fine.

I knew it would be that command somehow, I just didn't know where I was dogging it up.

There was nothing wrong with the ASA config, well as far as the tunnels went.
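
The symptom and fix in this thread (tunnel comes up, no traffic passes until NAT traversal is enabled on the headend) can be modelled with the NAT-D check from RFC 3947; this Python sketch is an added illustration, not part of the original posts and not Cisco code. The addresses, cookies, and function names are constructed for the example, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

# Constructed sample values (documentation address ranges, made-up cookies).
INSIDE = ("192.168.1.10", 500)      # client address/port before the home firewall
TRANSLATED = ("203.0.113.5", 1024)  # same packet after PAT, as the headend sees it
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8

def nat_d_hash(ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    blob = CKY_I + CKY_R + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(blob).digest()  # assumption: SHA-1 is the negotiated hash

def phase1_outcome(client_natt, headend_natt, client_local, client_as_seen):
    """Return (nat_detected, ike_port, data_transport) for one negotiation.

    client_local   -- (ip, port) the client hashes into its own NAT-D payload
    client_as_seen -- (ip, port) the headend reads from the received packet
    """
    if not (client_natt and headend_natt):
        # One peer never advertises NAT-T, so NAT-D is not exchanged: IKE
        # stays on UDP/500 and data is sent as plain ESP (IP protocol 50).
        return (None, 500, "ESP")
    if nat_d_hash(*client_local) != nat_d_hash(*client_as_seen):
        # Address or port changed in transit: both peers float to UDP/4500
        # and ESP is carried inside UDP (RFC 3948).
        return (True, 4500, "ESP-in-UDP")
    return (False, 500, "ESP")

def crosses_pat(nat_in_path, data_transport):
    """Simplified rule: plain ESP has no ports for a PAT device to translate."""
    return not (nat_in_path and data_transport == "ESP")

if __name__ == "__main__":
    for label, headend_natt in (("NAT-T off on headend", False),
                                ("NAT-T on on headend", True)):
        detected, port, transport = phase1_outcome(True, headend_natt,
                                                   INSIDE, TRANSLATED)
        print(f"{label}: nat_detected={detected} ike_port={port} "
              f"transport={transport} data_passes={crosses_pat(True, transport)}")
```
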

Collin Clark Tue, 06/16/2009 - 10:31

Can you establish more than one tunnel?

nathanmccoy Tue, 06/16/2009 - 11:44

Yes, I was able to establish multiple tunnels.

I tried it from the ASA here at work, it's on a separate ISP, and on the ASA from my home network.

The one I established here at work received an IP of and the one from the house received an IP of .

Both of these were established in combination with the 15+ static lan 2 lan tunnels that are already in place on the PIX515.

Everything clicks right along.

