Showing results for 
Search instead for 
Did you mean: 

Unable to send VPN traffic through the ASA


Hi friends,

Just came across an issue with ASA 5540 and PIX 7.1.

There is a VPN client behind the ASA and the ASA is a PAT device. The ASA is just a pass-through device which needs to allow the vpn traffic through it connecting to a remote server.

I have enabled sysopt connection permit vpn, and i have also temporarily allowed all traffic (IP and ICMP) interfaces.

I was able to connect to the remote server through the Cisco VPN client and enter the user credentials. But beyond that, I was not able to do anything. This was happening even after I enabled NAT-T on the firewall (isakmp nat-traversal 20).

I was not able to ping to the remote server. But after I did a one-to-one static NAT for my machine, I was able to ping the server.

So, basically, PAT was the reason for which I was not able to connect, as static NAT resolved the issue. Cisco recommends one solution NAT-T and even that has been tried.

Do you have any suggestions on what else could be tried?

Looking forward to your help in this regard.

Thanks a lot


1 Accepted Solution

Accepted Solutions

No problem, how about a rating?

View solution in original post

13 Replies 13


Which firewall did you enable nat-t on? Nat-t would have to be enabled on remote firewall.


Thanks a lot for your quick response.

I enabled nat-t on the firewall that is close to the VPN client.

Thanks a lot


So did you add it to the remote firewall and did it fix the problem?

Please rate if it helped.

Well, nat-t was enabled on the firewall close to the Cisco VPN client. But i dont know about the firewall on the other end.

But one thing that I wanted to mention that when connecting through a dial up and bypassing the firewall, there were no connectivity issues. Which means that there is an issue with the firewall connected to the VPN client. And the configuration on the other end should be fine then. Right? Not too sure on that.

Not necessarily, you are not PATing when you are dialing up, but I assume you are on the local firewall. If running PAT on local firewall, remote firewall will have to support nat-t. Do you have control over remote pix?

No, I dont have control over remote PIX. But I can tell the admininstrator to enable NAT-T on his remote firewall.

Will get back to you on this.

Thanks a lot


Thanks a lot for your help. The issue was resolved after the remote firewall had NAT-T enabled.


No problem, how about a rating?

I have the same issue. I'm trying to VPN out, behind ASA5510, to a client's VPN server . I can connected and get through the authentication but can't further connect to any other server.

I also try to VPN to another client with SonicWall VPN applicance and I can't even get connected.

I have no control to client's vpn server. Any other option that I can set on our ASA in order to allow local client VPN out to client's vpn server?

Everything works if I connect directly to a Dlink wireless router which is not behind our ASA.

BTW: I did have NAT-T enabled on our ASA.

Any comment would be appreciated. Thanks.


Having NAT-T enabled on our ASA would not help as it is not the device that VPN is terminating on. Make sure that it has UDP 500 and UDP 4500 allowed through it.


Please rate if it helps.



Hmm. I "think" I allow all outgoing traffic.. unless I don't know my ASA blocks those traffice by default.

I found this msg in asa log:

305006: regular translation creation failed for protocol 50 src dst EXT:

Checking for it but.. could someone help? Thanks.

ASA as such doesn't support IPSec passthrough, as "fixup protocol esp" command has been removed.

TO get this to work, you have to make sure the client supports NAT-T and is enabled on the it.

And the rmeote VPN server also supports NAT-T nad has it enabled.

The error message for ESP protocol you are getting is an indication that either the server or client do not support nat-t or its not enabled .

*Please rate if this helped.


I have just found another member say the followings.. what do u think? I haven't try it yet. What I don't understand is what action will ASA take when it inspect the IPSec /PPTP protocol? Any comment will be welcomed.


7.0.5 supports multiple ipsec passthrough.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.


Here is what i am using to allow raw ipsec and PPTP passthrough.

class-map inspection_default

match default-inspection-traffic


policy-map global_policy

class inspection_default

inspect pptp

inspect ipsec-pass-thru


service-policy global_policy global

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers