Remote access VPN with ASA not working when ASA is behind a NAT router

Unanswered Question
Dec 16th, 2009
User Badges:


I can make a remote access vpn with ASA using its outside IP, every thing goes well. As soon as I add static NAT on the router for ASA's outside IP & try vpn with the global IP following error comes on the ASA whereas I can see the translation on the router(udp-500-inside global is traslated to udp-500-inside-local IP)


NAT-T is enabled on the ASA.

Can anyone share their experiences when ASA is behind a NAT box & how ASA can recognize its identity inside IPSEC packets sent by the client.....



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rmujeeb81 Thu, 12/17/2009 - 03:24
User Badges:

Hi Andrew,

On behalf of my colleague I would like to inform you that Router is not configured for firewalling. IPSec traffic is directly coming to internet router and being forwarded to ASA.


rmujeeb81 Thu, 12/17/2009 - 04:18
User Badges:

On the other end , we are using Cisco VPN client and NAT-T is also configured there i.e IPSec over UDP ( NAT/PAT ) option.


yamramos.tueme Thu, 12/17/2009 - 10:40
User Badges:

According to the picture you have several retransmisions. When you use NAT-T the ASA will switch from using UDP 500 to UDP 4500 for the negotiation and to pass traffic.  Make sure that UDP 4500 is not getting blocked.


- Yamil

nedian123 Sat, 12/19/2009 - 13:40
User Badges:

every thing is allowed both on the firewall & the router.  I think there is some identity issue bc router is changing dst ip in the IP header & the IPSEC header is having a public IP not belonging to ASA.....lets see if some one faces similar issues. I am planning to assign public IPs directly on the firewall to avoid problem caused by NAT......


This Discussion