Core issue
If two clients behind the same Network Address Translation (NAT) router try to access the PIX/ASA Firewall for VPN access, only the first one gets a working tunnel.
Resolution
You must configure NAT Transparency on the PIX/ASA.
The IPsec NAT Transparency feature introduces support for IPsec traffic to travel through NAT or Port Address Translation (PAT) points in the network and addresses many known incompatibilities between NAT and IPsec.
NAT Transparency uses User Datagram Protocol (UDP) port 4500 in order to encapsulate IPsec packets. By default, PIX/ASA drops all inbound connections that come from the outside. You must open this port in order for NAT Transparency to work.
Issue this command:
Pix#configure terminal
Pix(config)#isakmp nat-traversal
Refer to IPSec NAT Transparency for more information.
NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT Transparency capable, NAT Traversal is auto-detected and auto-negotiated.
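The following added example (not part of the original document) models why the second client fails without NAT Transparency: ESP carries no port numbers, so a PAT device can only key the return path on the remote peer, whereas UDP 4500 encapsulation gives each client its own translated source port. The `PatRouter` class, its translation behaviour and all addresses are constructed assumptions for illustration, not any vendor's implementation.

```python
from dataclasses import dataclass, field

ESP, UDP = 50, 17      # IP protocol numbers
NAT_T_PORT = 4500      # UDP port used by NAT Transparency

@dataclass
class PatRouter:
    """Simplified PAT device (assumed behaviour, for illustration only)."""
    public_ip: str
    next_port: int = 20000
    udp_map: dict = field(default_factory=dict)  # (public_port, peer) -> (inside_ip, inside_port)
    esp_map: dict = field(default_factory=dict)  # peer -> inside_ip (ESP has no ports)

    def outbound(self, proto, inside_ip, peer, sport=None):
        """Translate an outbound packet; return the public source port (None for ESP)."""
        if proto == UDP:
            for (pub, p), (ip, sp) in self.udp_map.items():
                if (p, ip, sp) == (peer, inside_ip, sport):
                    return pub               # reuse the existing mapping
            pub, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[(pub, peer)] = (inside_ip, sport)
            return pub
        # Raw ESP: the only key available is the peer, so the first client keeps the slot.
        self.esp_map.setdefault(peer, inside_ip)
        return None

    def inbound(self, proto, peer, dport=None):
        """Return the inside host that receives a reply from the peer, or None."""
        if proto == UDP:
            entry = self.udp_map.get((dport, peer))
            return entry[0] if entry else None
        return self.esp_map.get(peer)

def simulate(use_nat_t):
    """Two inside clients build tunnels to one firewall; map each client to the
    inside host that actually receives the firewall's return traffic."""
    nat, firewall = PatRouter("203.0.113.1"), "198.51.100.10"  # constructed addresses
    delivered = {}
    for client in ("192.168.1.10", "192.168.1.11"):
        if use_nat_t:
            pub = nat.outbound(UDP, client, firewall, NAT_T_PORT)
            delivered[client] = nat.inbound(UDP, firewall, pub)
        else:
            nat.outbound(ESP, client, firewall)
            delivered[client] = nat.inbound(ESP, firewall)
    return delivered

if __name__ == "__main__":
    print("raw ESP :", simulate(False))
    print("UDP 4500:", simulate(True))
```

Without encapsulation, return traffic for both clients is delivered to the first client; with UDP 4500 encapsulation, each client receives its own.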