Cisco Support Community
New Member

Client VPN through ASA


Does anyone know what's going on here? One of the clients on the network launches a Cisco VPN client to an external resource, and the client connects and is authenticated, but no traffic passes.

PAT is in use on the outside interface.

I have enabled NAT traversal and sysopt connection permit-ipsec.



Re: Client VPN through ASA

Hi, it is not you but the owner of the remote VPN server that has to enable NAT traversal, as it is part of the IKE negotiation between the IPSec peers.



New Member

Re: Client VPN through ASA

Hi, thanks for the response.

I have recently replaced a Sonicwall with an ASA and the connection worked fine through the Sonicwall.

Any ideas?

Re: Client VPN through ASA

If you only have one client on your LAN, you can use IPSec passthrough, which is not enabled by default.

In ASA I think the command is inspect ipsec-pass-thru.

A SonicWall probably has all features enabled by default; it wouldn't surprise me.

New Member

Re: Client VPN through ASA


When the vpn was established from the client I got the following warnings on the ASA:

regular translation creation failed for protocol 50 src inside:192.X.X.X. dst outside:159.X.X.X

It's related to PAT, so I went and put in a static entry for the client so it NATs out to its own public IP, and hey presto, it worked.

Thanks for your help
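The warning quoted above can be picked out of ASA logs automatically. The following is an added example, not part of the original thread: a small Python triage script that counts failed translations for the port-less IPsec protocols (ESP = 50, AH = 51), which PAT cannot multiplex because they carry no TCP/UDP ports. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# IP protocols with no TCP/UDP ports, so PAT has nothing to multiplex on.
PORTLESS = {50: "ESP", 51: "AH"}

# Matches the warning text quoted in the thread; the optional /port part
# only appears for protocols that have ports (TCP/UDP).
FAILED_XLATE = re.compile(
    r"(?P<kind>\w+) translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<sif>[\w-]+):(?P<src>\d+(?:\.\d+){3})(?:/\d+)? "
    r"dst (?P<dif>[\w-]+):(?P<dst>\d+(?:\.\d+){3})(?:/\d+)?"
)

# Constructed sample log (documentation/private addresses, not from the thread).
SAMPLE_LOG = """\
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.50 dst outside:203.0.113.20
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.50 dst outside:203.0.113.20
%ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.51/50321 (203.0.113.2/1025)
%ASA-3-305006: regular translation creation failed for protocol 51 src inside:192.168.1.60 dst outside:203.0.113.30
"""


def esp_pat_failures(log_text):
    """Return {(src, dst, protocol_name): count} for ESP/AH translation failures."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_XLATE.search(line)
        if m and int(m["proto"]) in PORTLESS:
            hits[(m["src"], m["dst"], PORTLESS[int(m["proto"])])] += 1
    return dict(hits)


def report(hits):
    """One line per inside host/peer pair, listing the options named in the thread."""
    return [
        f"{src} -> {dst}: {n} {name} packet(s) not translated by PAT; "
        "options: NAT-T or IKE over TCP on the remote server, "
        "IPsec pass-through inspection, or a static one-to-one NAT for this host"
        for (src, dst, name), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(esp_pat_failures(SAMPLE_LOG))))
```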

Re: Client VPN through ASA

Right -

This is usually set on the Remote server end.

The option - IKE over TCP & Port number is available in the client. There is a UDP option also for this.

The default port for Cisco is 10000.

You can find this by initiating a session from the client and typing the following command:

show conn local ( ip of the client )

It will show you the connections.

New Member

Re: Client VPN through ASA

Hello there, you might want to have a look at this article that explains that you need to create an ACL with ACE in the new version 8.0 of the ASA IOS to get the traffic flowing!
