Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.


Remote Management over VPN - IP Unkown


I've been thinking of a situation that I will face in the near future that I don't know how to solve.

I have configured a IOS Easy VPN Client to allow customers' to connect to our Project/Test network. To each customer we send a pre-configured ASA5505, acting VPN Client, to establish the tunnel.

However, there will be some problems managing that ASA5505 if the customer have a NAT device set between us and them, let me explain.

If there are no NAT device between the VPN Server and Client, I will be able to see the outside IP of the client when doing the "sh crypto isakmp sa"-command. And from that, I can use ASDM to connect to that IP.

However if there is a NAT device between the VPN Server and Client, when doing the "sh crypto isakmp sa"-command I will see the outside IP of the NAT device instead. So my question is, is there anyway I can find out what the IP is on the outside interface of the VPN Client if there are a NAT device in between?

Note: In some of the cases this is not a problem since we often get assigned IP's to use when we pre-configure the Client. But others want us to use DHCP on the outside leaving us clueless what the IP is.


Posted by WebUser Krishnakant Dixit from Cisco Support Community App

  • AAA Identity and NAC

Re: Remote Management over VPN - IP Unkown

You have to enable NAT-T. NAT traversal is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation (NAT) gateways. Network address translation breaks end-to-end connectivity.  Intercepting and modifying traffic can only be performed transparently  in the absence of secure encryption and authentication. NAT traversal  techniques are typically required for client-to-client networking  applications, especially peer-to-peer and Voice over IP (VoIP) deployments. Many techniques exist, but no single method works  in every situation since NAT behavior is not standardized. Many NAT  traversal techniques require assistance from a server at a publicly routable IP address.  Some methods use the server only when establishing the connection,  while others are based on relaying all data through it, which adds  bandwidth costs and increases latency, detrimental to real-time voice  and video communications.

Most NAT behavior-based techniques bypass enterprise security  policies. Enterprise security experts prefer techniques that explicitly  cooperate with NAT and firewalls, allowing NAT traversal while still  enabling marshalling at the NAT to enforce enterprise security policies.  From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM).

For more detail how NAT-T work see the below link

This widget could not be displayed.