Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Traffic does not pass through the IPsec VPN tunnels on the Cisco ASA across a NAT/PAT device

Core issue

Since the Adaptive Security Appliance (ASA) 5500 sits behind a Network Address Translation (NAT)/Port Address Translation (PAT) device, the VPN peers (clients as well as LAN-to-LAN peers) either cannot connect or cannot pass traffic.

Encapsulating Security Payload (ESP) is not compatible with the NAT. When a VPN peer sends an ESP packet that gets NATed on the way, the remote peer discards that packet, assuming it is coming from an unauthorized source.


To resolve this problem configure IPSec NAT Transparency on the ASA, VPN clients and other VPN peers. On the ASA, issue the isakmp nat-traversal command.

In addition, make sure that UDP port 500 and 4500 are allowed through the NAT/PAT device.

For more information, refer to IPsec NAT Transparancy.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:09 PM
Updated by:
Labels (1)