Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

question about ASA5505 ipsec with NAT-T (gw-gw)


         I have ASA 5505 with dual-isp working, central and couple of branch offices. One of this branch offices has a ADSL with NAT for isp backup, it means backup ASA interface has a reserved IP and adsl modem use a NAT. All ipsec connections have NAT-T enabled, I'm using preshared keys for them.

When the connection has to be established over backup line behind NAT, it always fails in phase 1 on identity mismatch.

I could not change identity to hostname, because of on ASA is no "ip host " command, suppose that with "ip" missing, host should be mispelled with a "hostname" shortcut :-((

Whats worse, it looks like identity "hostname" is not supported without agressive mode. Agressive mode is not supported for initializing mode, just

for response :-)

Is there any chance how to use a static ip - host name pairs on ASA 5505 ?

I really don wont to use a certificates for a gw-gw IPSEC ...

If You have some idea, I prefered an e-mail contact


Re: question about ASA5505 ipsec with NAT-T (gw-gw)

Hi zdenek,

Thank you for your question.  Sorry for the delay in response but the ASA 5500 is a Cisco Classic product and this forum is for Cisco Small Business Products.

For more information on the ASA 5500 series, please click here.

Best regards,

Cindy Toy

Cisco Small Business Support

Community Manager

Regards, Cindy If my response answered your question, please mark the response as answered. Thank you!
New Member

Re: question about ASA5505 ipsec with NAT-T (gw-gw)

The link you provide is broken.

Re: question about ASA5505 ipsec with NAT-T (gw-gw)


Try the following NetPro  Link

But I have to wonder why the SP doesn't just give you a bridged link into their network, would probably solve your problem, but i guess they do that for some technical reason.

ISAKMP is obviously failing whilst using maybe  LOCAL ID, or Private IP address (NATT process),  I guess when trying  to identify your ASA during phase 1 exchanges, you have probably gone past proposal exchanges, but still stuck at Phase 1 to identify your ASA.

Best approach is to ask the SP if they can alter their CPE device to allow for bridging to your location rather than routing through a NATted device.  Hey but that is obvious.

Give , as Cindy suggested, NetPro a try, hopefully the link above is not broken.

regards Dave

CreatePlease to create content