
VPN client with no NAT

I have a 5510 with a working VPN but discovered that anyone connecting from a public IP can connect to the VPN but can't go anywhere.

So if I have, say, a Linksys Wi-Fi router on my cable modem and a private IP, I can connect no problem. But if I'm on something like a Verizon data card, which gives me a public IP, I can connect to the VPN but receive the below errors in my ASA logs and cannot reach anything on the network.

6    22:44:44        166.*.*.35    500    68.*.*.41    500    Built inbound UDP connection 390865 for Outside:166.*.*.35/500 (166.*.*.35/500) to identity:68.*.*.41/500 (68.*.*.41/500)

6  Group = RA-yo, IP = 166.*.*.35, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

I've attached my current ASA config for reference. What do I need added to allow remote ends without a NAT device to also work?

Cisco Employee

You might want to enable IPSEC over TCP and see if they are able to connect with TCP as the transport instead.

On the ASA: crypto isakmp ipsec-over-tcp port 10000

On the VPN Client: go to the Transport tab, and choose: IPSec over TCP, and TCP Port: 10000

Hope that helps.


I completed the steps as you described, which got me closer. I can now ping devices on the network and resolve DNS. However, RDP connections, for example, do not go through fully.

I also can't access email over 443; note the below errors.

Do I need to make any firewall changes or such?

6    Jan 30 2011    18:28:54    443    57604    Deny TCP (no connection) from to flags ACK  on interface Outside

6    Jan 30 2011    18:28:58   443    57604    Deny TCP (no connection) from to flags RST ACK  on interface Outside

Thanks for the help.


From the "Deny TCP (no connection)" message, it looks like the initial three-way handshake did not occur on this interface. Is there another route for your RDP server or email server that the client might be taking for the connection to get established? (Take a look at your network connections for additional network interfaces, and also take a look at the 'route PRINT' output of the connected client.)
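The reading of "Deny TCP (no connection)" in the reply above can be checked across a whole log. This is an added example, not part of the thread or any participant's post: it groups these denies by flow and separates SYN-ACK replies (the SYN never crossed this interface) from mid-stream segments with no state. It assumes the standard ASA 106015 message layout; the sample lines and addresses are constructed (documentation ranges), since the thread's logs have the addresses removed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ASA 106015 layout; the addresses are
# documentation ranges, not values taken from the thread.
SAMPLE_LOG = """\
Jan 30 2011 18:28:54: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/443 to 198.51.100.7/57604 flags ACK  on interface Outside
Jan 30 2011 18:28:58: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/443 to 198.51.100.7/57604 flags RST ACK  on interface Outside
Jan 30 2011 18:29:02: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/3389 to 198.51.100.7/57610 flags SYN ACK  on interface Outside
Jan 30 2011 18:29:05: %ASA-6-302013: Built inbound TCP connection 873391 for Outside:198.51.100.7/57611 (198.51.100.7/57611) to Inside:192.0.2.10/443 (192.0.2.10/443)
"""

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

SYN_ACK = "SYN-ACK seen but no SYN: the request bypassed this interface"
MID_STREAM = "mid-stream segment with no connection state on this interface"

def summarize_no_connection(log_text):
    """Return {flow: (deny_count, verdict)} for 'Deny TCP (no connection)' lines."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:  # other message types (Built, Teardown, ...) are ignored
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["ifc"])
            flows[key].append(frozenset(m["flags"].split()))
    report = {}
    for key, flag_sets in flows.items():
        # A SYN-ACK with no state means the opening SYN took another path.
        verdict = SYN_ACK if any({"SYN", "ACK"} <= f for f in flag_sets) else MID_STREAM
        report[key] = (len(flag_sets), verdict)
    return report

if __name__ == "__main__":
    for flow, (count, verdict) in summarize_no_connection(SAMPLE_LOG).items():
        print(flow, count, verdict)
```

Flows that show up here but have no matching "Built" entry on the same interface are the ones to compare against the client's route table.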



When I do this connection I have my Ethernet unplugged and Wi-Fi disabled.

All I have is an AT&T wireless connection, which gives me an external non-NAT IP.

As I mentioned, I can ping and resolve DNS while on the VPN.

If I try to connect on, say, webmail, which properly resolves the internal IP,

these happen in the logs within a second of each other:

Built inbound TCP connection 873391 for Outside: ( to Outside: ( (vpnuser)

Teardown TCP connection 873344 for Outside: to Outside: duration 0:00:38 bytes 6946 TCP Reset-O (vpnuser)
