Showing results for 
Search instead for 
Did you mean: 

Since installing ASA5505, some VPN clients can not create tunnel



We installed an ASA5505 in a branch office. The ASA5505 is behind a DSL PPOA Slipstream modem/router. This new branch office can create IPSEC tunnel with central office to a PIX506e. The problem: some remote Client VPNs using cable/DSL can not create a tunnel to the 506e anymore, since installing the ASA5505 branch office. The client VPNs can now establish a tunnel using dial up, but not able to create a tunnel using their cable/DSL service. Any suggestions? I have been told that the ASA5505 works with PPOE and not PPOA, yet IPSEC tunnel is established using PPOA.

8 Replies 8


One DSL remote user used to be able to vpn to 506e before. We activated packet debugging on the Cisco 2600 series perimeter router. Packet debugging does not capture the public IP of above user, when she attempts to VPN to the 506e. The problem started when installing a ASA5505 behind a PPOA DSL router in a new branch office. Any suggestions would be appreciated.

Depending upon version try...

isakmp nat-traversal


crypto isakmp nat-traversal

What is the reason for isakmp nat-traversal

or crypto isakmp nat-traversal commands?

Is the above comand to be added to the ASA5505, 2600 perimeter router, or the PIX 506e?


Sorry, should have explained further. That command would go in the 506e if you don't have it already. It allows vpn clients to connect using nat-/pat which allows them to connect behind nat/pat devices. The fact they can connect via dialup but not from cable/dsl is a good indication this may be the problem.

VPN clients were able to connect to the 506e with their DSL/cable service prior to the ASA5505 setup in a new branch office. Some DSL/cable VPN clients are no longer able to connect to the 506e after ASA5505 is able to VPN to 506e. In one instance, packet debuging does not show that one VPN client DSL user's public IP is attempting to enter the perimeter router. All the problems started after initializing the ASA5505.

Private addresses on remote user clients which are as different than private IP of Central Office are able to VPN to 506e. Public IPs and same private network IPs as Central Office are not allowed in. Do you know of a way to work around the above?--Add access lists?

Post a config of your pix and asa on to this site, but first make sure you clean up the sensitive info and make up fictitious info instead.

After removing isakmp nat-traversal from the config of the 506e, remote Client users can now VPN to the network. Problem solved. I have been told otherwise, that the command is needed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers