VPN usage (port and connection) on ASA 5505

Unanswered Question
Nov 25th, 2009


Here is my present situation: I have to allow my partners to connect to my internal network ( My ASA 5505 (connected to my internal network) is connected to the Internet behind my provider router, whose configuration I cannot access (warranty purposes). My provider router LAN is on network (dmz) with the IP address and my ASA is connected to that router with IP address.

I have attached to this message my actual configuration.

I just would like to know which ports I have to have my provider redirect to allow VPN connections to the ASA (I cannot currently put my provider router in bridge mode).

I have found these:

ESP - Protocol 50
ISAKMP NAT-Traversal - UDP 4500 (NAT-T)
IPSEC Over UDP - UDP 10000 (Default)
IPSEC Over TCP - TCP 10000 (Default)

Is it correct?

On the other hand, I have tried to connect a Cisco VPN client to the ASA from a computer in the dmz (with ip I can establish the connection without any issue, but I cannot ping or connect to any computer/service on my internal network.

I have seen on some forums that I need to type the following command lines:

crypto isakmp nat-traversal
sysopt connection permit-ipsec

First, is this correct? And could anyone explain to me what those commands do?

Ricardo Prado Rueda Wed, 12/02/2009 - 09:56


   The information on ports and protocols is correct; you might also want to have protocol AH (protocol 51) forwarded to your ASA.

   In regard to your second question, the problem you have is with your NONAT configuration. You have the following:

access-list interne_nat0_outbound extended permit ip host

   This tells the firewall that the host (a host that is not valid on the configured network on your inside interface) will not be translated. The same applies to your split-tunnel configuration:

access-list Cisco_splitTunnelAcl standard permit host

   This will tell the VPN client to ONLY encrypt traffic that goes to the host which is not what you are looking for.

   Besides this, as a best practice it is not a good idea to assign addresses from your LAN network to the VPN client (in your case 192.168.10.X), since this could create ARP issues that would prevent your remote access clients from sending traffic to your LAN.

You could try these changes for your test setup:

ip local pool PoolCnxVPN mask

access-list Cisco_splitTunnelAcl standard permit

access-list interne_nat0_outbound extended permit ip

   Finally, to answer the question about the last two commands:

crypto isakmp nat-traversal  >>> This enables NAT traversal for your remote VPN connections; if more than one client is behind a NAT device, NAT traversal permits simultaneous connections (using UDP port 4500).

sysopt connection permit-ipsec >>> This permits traffic from an encrypted connection to pass through the firewall without the need to open it with an access-group.

   For more information on these and other commands, you can check the Command Lookup Tool at the following link:

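The following is an added example and not code from the thread. It models the two things the answer above explains: which port forwards each Cisco IPsec transport needs from the provider router (the table also includes IKE/ISAKMP on UDP 500, which every transport except IPsec over TCP requires and which the question's list does not mention), and why a host-only nat0 ACL, a host-only split-tunnel ACL and a pool carved out of the LAN stop a connected client from reaching inside hosts. All addresses are assumptions chosen to resemble the thread (inside LAN 192.168.10.0/24, inside host 192.168.10.20, VPN pool 192.168.20.0/24); the "original" config is a constructed one of the same shape as the ACLs quoted in the answer, not the poster's attachment.

```python
"""
Added example (not from the original thread): models the port-forward
requirements and the nat0 / split-tunnel / pool checks from the answer.
Addresses are assumptions: LAN 192.168.10.0/24, VPN pool 192.168.20.0/24.
"""
import ipaddress

# (protocol, port) pairs each transport needs the provider router to pass.
# IKE (ISAKMP) on UDP 500 is required by every transport except IPsec over
# TCP, which carries IKE inside the TCP stream; AH (51) is not needed for ESP.
REQUIRED_FORWARDS = {
    "native ESP":           {("udp", 500), ("ip", 50)},
    "NAT-T":                {("udp", 500), ("udp", 4500)},
    "IPsec over UDP 10000": {("udp", 500), ("udp", 10000)},
    "IPsec over TCP 10000": {("tcp", 10000)},
}


def usable_transports(forwarded):
    """Return the transports whose required forwards are all present."""
    forwarded = set(forwarded)
    return sorted(t for t, need in REQUIRED_FORWARDS.items() if need <= forwarded)


def net(s):
    return ipaddress.ip_network(s, strict=False)


def extended_ace_matches(aces, src, dst):
    """aces: list of (src_net, dst_net) entries of an extended ACL (nat0)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in net(s) and dst in net(d) for s, d in aces)


def standard_ace_matches(aces, dst):
    """aces: networks of a standard ACL; the split-tunnel ACL matches on dst."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net(n) for n in aces)


def vpn_path_ok(nat0, split, pool, lan, client_ip, target_ip):
    """
    Reasons a client packet to an inside host would fail, per the answer:
    - split-tunnel ACL does not cover target -> client sends it in the clear
    - nat0 ACL does not cover LAN->client    -> replies are NATed, not tunnelled
    - pool overlaps the LAN                  -> ARP issues on the inside segment
    Returns an empty list when the path should work.
    """
    problems = []
    if not standard_ace_matches(split, target_ip):
        problems.append("split-tunnel ACL excludes target")
    if not extended_ace_matches(nat0, target_ip, client_ip):
        problems.append("nat0 ACL does not exempt LAN->client")
    if net(pool).overlaps(net(lan)):
        problems.append("pool overlaps inside LAN")
    return problems


# Constructed config of the same shape as the ACLs quoted in the answer:
# host-only ACEs and a pool taken from the LAN (assumed values).
ORIGINAL = dict(nat0=[("192.168.10.0/24", "192.168.10.200/32")],
                split=["192.168.10.5/32"],
                pool="192.168.10.200/29", lan="192.168.10.0/24")

# Shape of the suggested fix: network ACEs and a separate pool (assumed values).
FIXED = dict(nat0=[("192.168.10.0/24", "192.168.20.0/24")],
             split=["192.168.10.0/24"],
             pool="192.168.20.0/24", lan="192.168.10.0/24")

if __name__ == "__main__":
    print(usable_transports({("udp", 500), ("udp", 4500)}))
    print(vpn_path_ok(**ORIGINAL, client_ip="192.168.10.201", target_ip="192.168.10.20"))
    print(vpn_path_ok(**FIXED, client_ip="192.168.20.10", target_ip="192.168.10.20"))
```

Running it shows that forwarding only UDP 500 and UDP 4500 is enough for NAT-T, that the host-only configuration fails all three checks for a client reaching an ordinary inside host, and that the network-wide nat0 and split-tunnel entries with a pool outside the LAN pass.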
