Cisco Support Community

New Member

VPN outbound and NAT Pools

We are using NAT addressing on our internal LAN. In order for someone to use IPSEC to VPN to their home network, does the client on our network have to have a NAT address with a static outside address, or will it work from a NAT Pool?


Re: VPN outbound and NAT Pools

It depends whether or not the remote end supports NAT-T (NAT traversal). This will allow IPsec and PAT to work together.

New Member

Re: VPN outbound and NAT Pools

What we have on our side is the following.

Private IP ----> ASA5520-->NAT POOL-->Internet.

It would be up to the client to make the remote end work. All I have to know is if the client will work through our NAT Pool without making a static entry. Save opening the IPSEC port for that network range. Also, would it require any bidirectional ports to be opened?


Re: VPN outbound and NAT Pools

Sorry, was thinking PAT.

Cisco Employee

Re: VPN outbound and NAT Pools

Hi Randy,

Since the "fixup protocol esp" command is no longer supported with ASA, the only correct way to make ASA IPSec passthrough and to get it to work through NATting is for the headend device to be NAT-T compatible.

In other words, the headend device and the client should support NAT-T and it should be enabled on both of them.

It doesn't matter if you use a NAT pool or a PATted IP address, as long as you have NAT-T enabled.

It would work.

*Please rate if helped.
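
What NAT-T looks like on the wire, as an added example that is not part of the original thread: a classifier that labels UDP datagrams the way an IPsec peer demultiplexes them, so a capture taken outside the NAT pool can confirm whether a client's tunnel actually negotiated NAT-T. The port numbers (UDP 500 and 4500), the non-ESP marker and the keepalive byte come from RFC 3947/3948, not from the thread; the function names and the sample datagrams are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500        # RFC 3947/3948 UDP ports (not stated in the thread)
NON_ESP_MARKER = b"\x00" * 4           # precedes IKE on 4500; an ESP SPI is never 0

def classify(src_port, dst_port, payload):
    """Label one UDP datagram the way an IPsec peer demultiplexes it."""
    ports = (src_port, dst_port)       # NAT/PAT may rewrite one side, so check both
    if NATT_PORT in ports:
        if payload == b"\xff":
            return "nat-keepalive"     # one-byte keepalive that holds the NAT mapping open
        if payload[:4] == NON_ESP_MARKER:
            return "ike-natt"          # IKE after the peers floated to UDP 4500
        if len(payload) >= 8:
            return "esp-in-udp"        # ESP header (SPI + sequence) carried inside UDP
        return "malformed"
    if IKE_PORT in ports:
        return "ike"
    return "other"

def esp_spi(payload):
    """SPI of a UDP-encapsulated ESP packet (first 4 bytes, network order)."""
    return struct.unpack("!I", payload[:4])[0]

def tunnel_uses_natt(datagrams):
    """True when the exchange floated to UDP 4500 and carried ESP inside UDP."""
    labels = [classify(*d) for d in datagrams]
    return "ike-natt" in labels and "esp-in-udp" in labels

# Constructed sample: (src_port, dst_port, payload) seen outside the NAT,
# client source ports already translated.
SAMPLE = [
    (31001, 500, bytes(28)),                                       # first IKE exchange
    (31002, 4500, NON_ESP_MARKER + bytes(28)),                     # IKE after port float
    (31002, 4500, struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)),  # ESP in UDP
    (31002, 4500, b"\xff"),                                        # keepalive
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d[0], d[1], classify(*d))
    print("NAT-T in use:", tunnel_uses_natt(SAMPLE))
```

If a capture shows only the UDP 500 exchange followed by raw ESP (IP protocol 50) rather than traffic on UDP 4500, NAT-T was not negotiated between the client and the headend.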

