Cisco Support Community
Community Member

Cisco VPN client from behind ASA5520


I've set up my ASA with NAT to the external world. All services, including SMTP and Web, work just fine. I just have a problem with Cisco VPN clients connecting from my network. Internet services are provided by an ISA server which is inside the ASA.

I have some visiting consultants who wish to connect to their own corporate network and fail to do so unless I give them a public IP. Do I need a fixup? I tried the "sysopt connection permit-ipsec" command as opposed to an ACL, but I guess that is only for when setting up VPN on the ASA itself. I have enabled "Inspect PPTP", which is allowing my Windows VPN to work (go through). It's just my Cisco VPN client that is getting blocked, I believe, probably because of L2TP. I don't believe there is an "Inspect L2TP" command. Kindly advise.

Thanks guys



Re: Cisco VPN client from behind ASA5520

Hi, you can try allowing UDP port 4500 on your inside and outside access-lists, i.e.

access-list Inside_Out/Outside_IN permit udp any any eq 500
access-list Inside_Out/Outside_IN permit udp any any eq 4500
access-list Inside_Out/Outside_IN permit tcp any any eq 1000
access-group Inside_Out in interface inside
access-group Outside_IN in interface outside

Assuming the Cisco VPN client is configured for NAT transparency (enabled by default; check under the connection properties -> Transport), this should allow the IPsec traffic to go through the ASA as UDP 4500 and do the PAT accordingly.

I hope it helps. Please rate it if it does!

Community Member

Re: Cisco VPN client from behind ASA5520

7.0.5 supports multiple IPsec passthrough.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.


Here is what I am using to allow raw IPsec and PPTP passthrough.

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru

service-policy global_policy global
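An added example, not part of any post in this thread: a small Python check that reads a saved ASA running-config and reports whether the two approaches discussed above are actually in effect. The function name `audit` and the sample config are constructed for illustration. The check assumes port 500 may appear as `isakmp` in the saved config, and it does not evaluate deny entries or ACL ordering.

```python
import re

# Constructed sample config modelled on the commands quoted in this thread;
# not taken from a real device.
SAMPLE = """\
access-list Inside_Out extended permit udp any any eq isakmp
access-list Inside_Out extended permit udp any any eq 4500
access-list Unused extended permit udp any any eq 4500
access-group Inside_Out in interface inside
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru
service-policy global_policy global
"""

PORTS = {"500": "ike", "isakmp": "ike", "4500": "nat-t"}  # UDP ports named in the thread

def audit(config):
    """Report which inspections are live and which bound ACLs permit IKE/NAT-T."""
    inspects, applied, acl_ports, bound = {}, set(), {}, {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level command ends any policy-map block
        if m := re.match(r"policy-map (?!type )(\S+)", line):
            current = m.group(1)
            inspects[current] = set()
        elif current and (m := re.match(r"\s+inspect (\S+)", line)):
            inspects[current].add(m.group(1))
        elif m := re.match(r"service-policy (\S+) ", line):
            applied.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit udp .* eq (\S+)$", line):
            if m.group(2) in PORTS:
                acl_ports.setdefault(m.group(1), set()).add(PORTS[m.group(2)])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
    # An inspect only takes effect if its policy-map is attached by service-policy.
    live = set().union(*(inspects.get(p, set()) for p in applied))
    return {
        "esp_pinholes": "ipsec-pass-thru" in live,
        "pptp": "pptp" in live,
        # Only ACLs attached with access-group matter; unbound ones are ignored.
        "acl": {ifc: sorted(acl_ports.get(acl, set())) for ifc, acl in bound.items()},
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An interface with no entry under `acl` has no access-group bound to it in the parsed config, so the ACL lines alone say nothing about what that interface permits.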
