ASA: disable ipsec over udp

Unanswered Question
Sep 24th, 2009


I have a question.

How can I configure the ASA so that VPN users (with the Cisco VPN client) cannot connect to it with UDP?

Cisco says that by default IPsec over UDP is disabled.

But it is not. I can connect with IPsec over UDP.

I tried the ipsec-udp disable command on the group policy, but nothing changed.

What is the solution?

Is it a bug, or did I forget something?

Please help.

Thank you.


hegegabor Thu, 09/24/2009 - 14:03

Sorry for my English, I'm pretty tired :)

But I think you know what I want...

(disable the UDP VPN connections)

auraza Mon, 09/28/2009 - 11:38


By default, if there is a UDP device in the middle, the ASA will use IPsec over NAT-T, which is UDP 4500, and using the ipsec-udp disable command will not disable that. It will only disable IPsec over UDP on any other port, which is different from NAT-T, though the functionality is essentially the same.

Do you want to use IPsec over TCP instead? If yes, then you could enable that. The document below shows how that can be done. To disable NAT-T, you do:

no crypto isakmp nat-t

Please rate if this was helpful.
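The distinction made above (NAT-T on UDP 4500 is a global ISAKMP setting, while ipsec-udp is a per-group-policy setting, so disabling one leaves the other open) is easy to miss when reading a long configuration dump. The following script is an added example, not part of this thread or of any Cisco tool: it audits the text of "show run all crypto" and "show run all group-policy" and reports which UDP encapsulation paths are still enabled and which command closes each. The sample configuration is constructed, and the exact line formats it matches (crypto isakmp nat-traversal <seconds>, no crypto isakmp nat-traversal, crypto isakmp ipsec-over-tcp, ipsec-udp enable|disable, ipsec-udp-port <port>) are assumptions about how the ASA prints these settings; the thread itself abbreviates nat-traversal as nat-t.

```python
import re

# Constructed sample of 'show run all crypto' and 'show run all group-policy'
# output. Not captured from a real device; the line formats are assumed.
SAMPLE_CONFIG = """\
crypto isakmp nat-traversal 20
no crypto isakmp ipsec-over-tcp
group-policy DfltGrpPolicy attributes
 ipsec-udp disable
 ipsec-udp-port 10000
group-policy RA_POLICY attributes
 ipsec-udp enable
 ipsec-udp-port 10000
"""


def audit_transports(config):
    """Return which client transports the configuration text leaves enabled."""
    result = {"nat_t": False, "ipsec_over_tcp": False, "ipsec_udp": {}}
    current_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        # Global ISAKMP settings ('show run all crypto').
        if re.fullmatch(r"crypto isakmp nat-traversal \d+", line):
            result["nat_t"] = True
            continue
        if line == "no crypto isakmp nat-traversal":
            result["nat_t"] = False
            continue
        if re.fullmatch(r"crypto isakmp ipsec-over-tcp( port [\d ]+)?", line):
            result["ipsec_over_tcp"] = True
            continue
        if line == "no crypto isakmp ipsec-over-tcp":
            result["ipsec_over_tcp"] = False
            continue
        # Per group-policy settings ('show run all group-policy').
        m = re.fullmatch(r"group-policy (\S+) attributes", line)
        if m:
            current_policy = m.group(1)
            result["ipsec_udp"][current_policy] = {"enabled": False, "port": None}
            continue
        if current_policy is None:
            continue
        m = re.fullmatch(r"ipsec-udp (enable|disable)", line)
        if m:
            result["ipsec_udp"][current_policy]["enabled"] = m.group(1) == "enable"
            continue
        m = re.fullmatch(r"ipsec-udp-port (\d+)", line)
        if m:
            result["ipsec_udp"][current_policy]["port"] = int(m.group(1))
    return result


def udp_paths_open(audit):
    """List the UDP encapsulation paths still open, each with the command that closes it."""
    findings = []
    if audit["nat_t"]:
        findings.append("NAT-T (UDP 4500) is enabled; 'ipsec-udp disable' does not "
                        "close it, 'no crypto isakmp nat-traversal' does")
    for name, gp in audit["ipsec_udp"].items():
        if gp["enabled"]:
            findings.append(f"IPsec over UDP is enabled on port {gp['port']} in "
                            f"group-policy {name}; close it with 'ipsec-udp disable'")
    return findings


if __name__ == "__main__":
    for finding in udp_paths_open(audit_transports(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit flags two open paths: NAT-T globally and IPsec over UDP in the RA_POLICY group policy, while DfltGrpPolicy, which has ipsec-udp disable, is not reported. On a real device, paste the two show commands' output into SAMPLE_CONFIG or read it from a file.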

hegegabor Tue, 10/06/2009 - 03:24


Yes, I want to allow just "IPsec over TCP" in the client for the connection.

But it still does not work.

I tried "no crypto isakmp nat-t" but it does not work.

I set "ipsec-udp disable" on the group policy too, but it did not help (I know this is not what I need).

The user can still connect to the VPN, regardless of the transport (I mean enabling or disabling Transparent Tunneling, and whether UDP (NAT/PAT) or TCP is checked) in the Cisco VPN client.

What is the solution?

Thank you.

auraza Tue, 10/06/2009 - 05:55


Can you please paste the output of the following here:

show run all crypto

show run all group-policy

show run all tunnel-group

In addition to that, can you please attach the profile file from the VPN client as well?

hegegabor Tue, 10/06/2009 - 07:00


All settings are in the attachment.

This is an ASA 5520 device.

The user with this configuration can connect, but I want the user to be able to connect only with this configuration:

[client file]

hegegabor Wed, 10/14/2009 - 07:02

Now it works and does not let the user use IPsec over UDP, but I changed nothing that is important.

I think there is some problem with the refreshing.

Now I have set "crypto isakmp nat-traversal 20" and it does not let the user use IPsec over UDP (NAT/PAT), but it would have had to..
