
New Member

Cisco VPN client not working behind ASA Firewall

Greetings All,

I've got an issue which I'm not sure about: whether it's my configuration's fault or it's something to do with Cisco's ASA Firewall. The network diagram is attached for your reference.

I have got a couple of users behind a Cisco ASA 5510 who use the Cisco VPN Client (versions ranging from 3.6 to 4.8). They share a single IP address to the Internet (I mean they are NATed). Now, they want to create a VPN connection to a PIX acting as VPN server. They are able to successfully create a VPN connection, but they cannot ping the servers behind the PIX 501. They also cannot access any services behind the PIX.

I tried the above scenario on Cisco routers and a Linksys router. That works. But it's not working with the Cisco ASA.

Facts about the scenario:

I have done the normal NAT configuration and it's working.

They can ping the PIX 501.

They can create a VPN connection.

They CANNOT ping or access servers behind the PIX.

Now, the possible reasons that I think are as below:

Something is wrong in the Cisco ASA configuration, because if I try to connect to the PIX 501 from dial-up, it works fine. It just doesn't work behind the ASA.

There might be some issue with NAT-Traversal. But I don't know whether it should be configured on the ASA or on the PIX.

Or simply, the ASA doesn't support Cisco VPN clients behind NAT.

I would appreciate someone's help in this matter. Thanks in advance.


Re: Cisco VPN client not working behind ASA Firewall

Hello Haroon,

Add NAT-T support on the 501: isakmp nat-traversal

Also, why not just set up a VPN tunnel between the ASA and the 501?

Hope it helps, and if it does please rate posts!!

New Member

Re: Cisco VPN client not working behind ASA Firewall

Thanks for the suggestion,

Actually the problem lies in my customer's IP assignment. They have an IP range of for LAN. They have servers within this range.

Now, they want to create a Disaster Recovery setup. If the main servers are down for some reason, they want to make another Cisco VPN connection to the PIX and connect to the secondary servers behind the PIX. The problem here is that the secondary servers have the same IP addresses as the primary servers. I understand that this is a very bad network design, but at this stage, I cannot do anything else.
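The NAT-T change suggested in the first reply, written out as an added configuration example (not taken from the thread); it assumes PIX OS 6.3 on the 501, ASA 7.x on the 5510, and that the ASA only PATs the clients and terminates no VPN itself. Interface and policy-map names are the platform defaults.

```cisco
! --- PIX 501 (the VPN server): enable NAT-T so clients behind PAT negotiate
! --- UDP/4500 encapsulation instead of raw ESP (IP protocol 50), which a PAT
! --- device cannot translate because it carries no port numbers.
isakmp nat-traversal 20
!
! Verify after a client connects (PIX 6.3 syntax):
!   show isakmp sa         - phase 1 SA peer is the ASA's public address
!   show crypto ipsec sa   - phase 2 SA for the client's pool address
!
! --- ASA 5510 (the PAT gateway): with NAT-T in use nothing VPN-specific is
! --- needed; UDP/500 and UDP/4500 are PATed like any other UDP flow.
! --- Only if NAT-T cannot be enabled on the server is ESP pass-through
! --- inspection required, which ties ESP flows to their IKE (UDP/500) session:
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
!
! --- Cisco VPN Client 3.6 to 4.8: keep the connection entry's Transport tab
! --- at "Enable Transparent Tunneling" / "IPSec over UDP (NAT/PAT)" (the
! --- default) so the client offers NAT-T during phase 1.
```

NAT-T only fixes the traversal of ESP through the ASA's PAT; the overlapping address ranges described in the last post (DR servers numbered identically to the primary servers and, as described, to the clients' own LAN) are a routing problem that no NAT-T setting resolves, and the usual remedy is to translate the DR servers to a distinct range on the PIX or renumber them.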