VPN Connection thru ASA5500 Problem

Hello Everyone, I've configured and installed a new ASA5500 at home and everything is working except outgoing VPN connections. I run the Cisco VPN client and connect to 'Work' and it appears to build the tunnel, however I cannot access anything on the remote network. An 'ipconfig/all' shows that I've received an IP address on the remote network; just can't get to anything. If I swap my old router back in place, I am able to connect and access all remote network resources. VPN server on the 'Work' side is an ASA5510. I appreciate your time and any help you can provide, Dave.

Here's my current running-config:

Result of the command: "sh run"

: Saved : ASA Version 7.2(2) ! hostname home domain-name domain.net enable password xxxxxxxxxxxxxxxxx encrypted names ! interface Vlan1 nameif inside security-level 100 ip address ! interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ! interface Vlan3 no nameif security-level 50 no ip address ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 speed 100 duplex full ! interface Ethernet0/2 speed 100 duplex full ! interface Ethernet0/3 speed 100 duplex full ! interface Ethernet0/4 speed 100 duplex full ! interface Ethernet0/5 speed 100 duplex full ! interface Ethernet0/6 speed 100 duplex full ! interface Ethernet0/7 speed 100 duplex full ! passwd xxxxxxxxxxxxxxxxxx encrypted ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server xx.xx.xx.xx name-server xx.xx.xx.xx domain-name domain.net pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat

0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute http server enable http xx.xx.xx.xx xxx.xxx.xxx.xxx inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet xx.xx.xx.xx xxx.xxx.xxx.xxx inside telnet timeout 5 ssh xx.xx.xx.xx xxx.xxx.xxx.xxx inside ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address xx.xx.xx.xx-xx.xx.xx.xx inside dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside dhcpd enable inside !

! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum: xxxxxxxxxxxxxxxxxxxxxxxxxx : end

Reply to
Loading thread data ...

On the work firewall enter the command "isakmp nat-traversal 20". You are comming from behind a "real" firewall now that does true NAT/PAT and the work firewal needs to be configured to allow that.

Reply to
Brian V


The problem is not on your side. The Firewall where you connect to must configured with nat traversal. On a cisco box (asa/pix) its like this:

crypto isakmp nat-traversal 20

or on older os's:

isakmp nat-traversal 20


Reply to

"dave" wrote

Enable ipsec-pass-thru:

policy-map global_policy class inspection_default inspect ipsec-pass-thru


formatting link

for details


Reply to
Jens Haase

Jens, please correct me, but with the pass-thru command, you can't have other vpn connections on the outsite interface.

Ok on this example it's not a problem, but for others, i think that's an importand point.

cu ivo

Reply to


You are right about Pix 6.x versions but I am not sure that this also applies to ASA 7.x and 8.x versions. The DocCD does not mention it. I might test it if I find the time. On the other hand his requirement was to connect to work and this might be the only solution as depending on his position I doubt that the VPN Admins will change the setup only because of him.


Reply to
Jens Haase

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.