Remote VPN issue with ASA 5510

Posted on 2011-09-07
Last Modified: 2012-05-12
Need a quick answer on this:

I have a Cisco ASA 5510 with many IPsec remote access VPN users connected through Cisco remote software. We send out our .pcf file and have them install the software on their PC/laptop, etc. This seems to work flawlessly for everyone except one particular company. They can connect to the ASA but cannot see anything beyond that.

Their tech is telling me I need to enable: isakmp nat-traversal 20 for it to work, but I don't understand why I should do this when everyone else is perfectly fine.

In case it matters we also use split-tunnel on the remote VPN connections.

Question by:michaelgoldsmith
LVL 35

Expert Comment

by:Ernie Beek
ID: 36496237
As per:

'nat-traversal' allows a VPN client that's behind a NAT device (router or firewall performing NAT translation) to successfully connect to a PIX via VPN.  NAT-traversal is off by default, so you have to enable it, as you've seen above.  Without nat-traversal, a VPN client that wanted to connect to your PIX would have to have a public IP directly configured on it, such as: a) using a DSL or cable modem connected to your PC, or b) PC connecting via dialup.
LVL 12

Author Comment

ID: 36496480
Makes sense, however I can connect from one of my own remote locations behind an ASA using the remote VPN connection and access the LAN at the other side.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36496714
Just thinking, there is also a NAT option in the client. Might want to have a look at that.
Second, do they have an ASA at the other side?
LVL 12

Author Comment

ID: 36496816
Not sure what the device is on the other side. I can inquire.
LVL 35

Accepted Solution

Ernie Beek earned 500 total points
ID: 36496890
It could be an option. On the other hand, would it hurt to enable the NAT traversal? Are there specific reasons you don't want to implement that?
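
The NAT detection that the nat-traversal setting discussed in this thread turns on, sketched as an added example (not code from the thread or from Cisco): it follows the NAT-D hash comparison of RFC 3947, which is background beyond what the posts state. The addresses, cookies and function names are constructed, and SHA-1 stands in for whatever hash phase 1 negotiates.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges), not from the thread.
GATEWAY = ("203.0.113.10", 500)        # VPN gateway outside interface
DIRECT = ("198.51.100.7", 500)         # client holding a public address
BEHIND_PAT = ("192.168.1.50", 500)     # client's own view of its address
PAT_PUBLIC = ("198.51.100.99", 31842)  # the same client as seen after PAT
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))  # constructed IKE cookies


def nat_d_hash(endpoint):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption; the real hash is the one negotiated in phase 1."""
    ip, port = endpoint
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(client_local, seen_src):
    """Gateway check: the client hashes the addresses it believes it is using,
    the gateway hashes the addresses in the packet it actually received."""
    sent = [nat_d_hash(GATEWAY), nat_d_hash(client_local)]  # payloads from client
    seen = [nat_d_hash(GATEWAY), nat_d_hash(seen_src)]      # recomputed by gateway
    return sent != seen


def data_path(client_local, seen_src, nat_t_enabled):
    """Transport the tunnelled traffic ends up on after phase 1."""
    if not nat_t_enabled:
        # No NAT-T vendor ID is offered, so NAT-D is never exchanged.
        return "ESP (IP protocol 50)"
    if nat_detected(client_local, seen_src):
        # IKE floats to UDP 4500 and ESP is wrapped in UDP, which PAT can track.
        return "ESP in UDP/4500"
    return "ESP (IP protocol 50)"


if __name__ == "__main__":
    for name, local, seen in (("public client", DIRECT, DIRECT),
                              ("client behind PAT", BEHIND_PAT, PAT_PUBLIC)):
        for enabled in (False, True):
            print(f"{name:18} nat-traversal={enabled!s:5} -> "
                  f"{data_path(local, seen, enabled)}")
```

The 20 in the command from the question is the NAT keepalive interval in seconds.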

Question has a verified solution.