TCC_2 (Level 10)

Core issue

When the Adaptive Security Appliance (ASA) 5500 sits behind a Network Address Translation (NAT)/Port Address Translation (PAT) device, VPN peers (remote-access clients as well as LAN-to-LAN peers) either cannot establish the tunnel or bring it up but cannot pass traffic through it.

Encapsulating Security Payload (ESP) does not survive NAT. ESP is IP protocol 50 and carries no port numbers, so a PAT device has nothing to translate and usually cannot forward it at all. Even a one-to-one NAT rewrites the source address, so the ESP packet arrives at the remote peer from an address other than the one the security association was negotiated with, and the remote peer discards it as coming from an unauthorized source.

Resolution

To resolve this problem, configure IPsec NAT Transparency (NAT traversal, NAT-T) on the ASA, on the VPN clients and on any other VPN peers. Both ends of a tunnel must support it, because it is negotiated during IKE phase 1. On the ASA, issue the isakmp nat-traversal command (crypto isakmp nat-traversal on ASA software 7.2 and later; the optional argument sets the NAT keepalive interval in seconds, default 20). With NAT-T, the peers detect the NAT during IKE and carry ESP inside UDP port 4500, which a NAT/PAT device can translate.

In addition, make sure that UDP ports 500 (ISAKMP/IKE) and 4500 (NAT-T) are allowed through the NAT/PAT device. If the ASA is the peer behind the NAT device and remote peers initiate the tunnel, the NAT device must also forward inbound UDP 500 and 4500 to the ASA's outside address. Once NAT-T is in use, ESP (IP protocol 50) no longer has to pass the NAT device on its own, because it travels inside UDP 4500.
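The following Python example is added here to illustrate the core issue and the resolution above; it is not part of the original note and is not Cisco code. It models the two mechanisms behind IPsec NAT Transparency: the RFC 3947 NAT-D hash with which IKE peers detect a NAT in the path, and the RFC 3948 UDP/4500 framing that gives a PAT device a port to translate. All addresses, IKE cookies and packet bytes are constructed for the example, and SHA-1 stands in for whatever hash the phase 1 policy negotiated (an assumption, not something the note states).

```python
"""Added example (not from the original Cisco community note): why plain ESP
breaks behind NAT/PAT and how NAT-T (RFC 3947 / RFC 3948) works around it.
Addresses, cookies and packet bytes are constructed; SHA-1 stands in for the
hash negotiated in IKE phase 1 (an assumption)."""
import hashlib
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


def pat_can_translate(ip_proto: int) -> bool:
    """PAT shares one public address by rewriting Layer 4 ports. ESP (IP
    protocol 50) carries an SPI but no ports, so a PAT device has nothing to
    rewrite and cannot map a return flow to the inside host. UDP can be
    translated, which is why NAT-T wraps ESP in UDP/4500."""
    return ip_proto in (IPPROTO_TCP, IPPROTO_UDP)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), with the
    IPv4 address and port in network byte order."""
    return hashlib.sha1(
        cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed: tuple, observed: tuple) -> bool:
    """Each peer sends a NAT-D hash of the address/port it believes it is
    using. The receiver recomputes the hash over the address/port it actually
    observed on the wire. A mismatch means a NAT rewrote the packet in
    transit, and the peers move to UDP/4500 encapsulation."""
    sent = nat_d_hash(cky_i, cky_r, *claimed)
    recomputed = nat_d_hash(cky_i, cky_r, *observed)
    return sent != recomputed


def udp_encapsulate(esp_packet: bytes, sport: int = NAT_T_PORT,
                    dport: int = NAT_T_PORT) -> bytes:
    """Prepend an 8-byte UDP header (RFC 768) to a raw ESP packet. RFC 3948
    sends the UDP checksum as zero. The ESP bytes are left untouched; a
    non-zero SPI (SPI 0 is reserved) keeps ESP distinct from the Non-ESP
    Marker that precedes IKE traffic on the same port."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("SPI 0 would collide with the Non-ESP Marker")
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex the payload of a datagram received on UDP/4500 (RFC 3948)."""
    if payload == b"\xff":
        return "nat-keepalive"            # one octet 0xFF, keeps the PAT entry alive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                      # 4-byte Non-ESP Marker, then IKE header
    if len(payload) >= 8:
        spi = struct.unpack("!I", payload[:4])[0]
        return f"esp spi=0x{spi:08x}"     # UDP-encapsulated ESP: SPI, seq, data
    return "malformed"


def demo() -> dict:
    """Scenario from the note: an ASA on a private address behind a NAT/PAT
    device, talking to a remote peer on the Internet (constructed values)."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                  # IKE cookies
    asa_inside = ("10.1.1.2", IKE_PORT)                      # what the ASA believes
    asa_as_seen = ("203.0.113.10", IKE_PORT)                 # after the NAT device
    esp = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x00" * 16   # SPI, seq, ciphertext
    udp = udp_encapsulate(esp)
    return {
        "esp_passes_pat": pat_can_translate(IPPROTO_ESP),
        "nat_in_path": nat_detected(cky_i, cky_r, asa_inside, asa_as_seen),
        "udp4500_kind": classify_udp4500(udp[8:]),           # strip UDP header
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The NAT-D mismatch is what the ASA and its peer see when the NAT device rewrites the ASA's source address; without the NAT-T vendor ID and NAT-D exchange, the peers would keep sending bare ESP and the NAT/PAT device would drop or misdeliver it. The keepalive (a single 0xFF byte) is what the ASA's natkeepalive interval controls: it keeps the PAT mapping for UDP 4500 alive while the tunnel is idle.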

For more information, refer to IPsec NAT Transparency.
