Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN through an ASA 5540 v8


i'm trying to allow a vpn from a client on my internal network to an external server in a third party

i have 2 rules allowing udp from source to destination & destination to source

i can see hits UDP 500 & UDP 4500 on the internal list but nothing on the external acl

when i capture i can see traffic from the destination hitting the asa external interface but there is nothing in the logs

i've tried the sysopt connection permit-vpn command but still nothing and i can't find a document on allowing a vpn through an ASA

can anyone help

thanks to anyone taking the time to read this

greatly appreciated


Re: VPN through an ASA 5540 v8

Do you have NAT-T configured on the ASA?

New Member

Re: VPN through an ASA 5540 v8


Judging from the ports in use the client is using NAT-T. As for seeing hits on the outside ACL I wouldn't expect you would. The clients return traffic would be automatically allowed (that is the purpose of a stateful firewall). The only time you would need an entry in the ACL permitting outside inbound is if the outside initiates the traffic. Which seeing as its a VPN client in use it wont be :) does that make sense?

If the VPN client is still not working it could be something else. Is it just a standard IPsec VPN? Are you able to obtain a packet capture on the clients laptop and post it?



New Member

Re: VPN through an ASA 5540 v8


many thanks for your reply

i've been reaching a similiar conclusion in the past hour or so

unfortunately i can't get a capture on the client as its locked down and i can't get admin rights

as a test i've setup a vpn on my own laptop to the same destination ip with a dummy username and password

i can actually see a return packet from the vpn concentrator so it looks like traffic is making its way from host-concentrator-host

the real host is behind another firewall so tomorrow i'll put my laptop and capture there

i've test the real host from behind a broadband line and it works so i'm wondering it nats are an issue

grateful for your thoughts


New Member

Re: VPN through an ASA 5540 v8

No problem,

As mentioned they same to be communicating using NAT-T based on the port 4500 so they shouldn't have a problem with communicating through NAT devices.

If you do not have any luck tomorrow and are able to get some logs from the client or packet capture somewhere along the line (connect to a hub between the client and switchport and run wireshark or similar??) then post them here and I shall take a look!

Best of luck


New Member

Re: VPN through an ASA 5540 v8



many thanks

CreatePlease login to create content