NAT-T and keepalives for L2L tunnels

Enable NAT-Traversal (#1 RA VPN Issue)
NAT-Traversal, or NAT-T, allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.
Note: With IOS 12.2(13)T and later, NAT-T is enabled by default in IOS.
Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time in seconds (the default).
PIX/ASA 7.1 and earlier:
    pix(config)# isakmp nat-traversal 20
PIX/ASA 7.2(1) and later:
    securityappliance(config)# crypto isakmp nat-traversal 20
Note: This command is the same for both PIX 6.x and PIX/ASA 7.x.


Enable ISAKMP Keepalives
Configuring ISAKMP keepalives helps prevent sporadically dropped LAN-to-LAN VPN tunnels and LAN-to-LAN tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

Use these commands to configure ISAKMP keepalives on the PIX/ASA Security Appliances:
Cisco PIX 6.x:
    pix(config)# isakmp keepalive 15
Cisco PIX/ASA 7.x, for the tunnel group named 10.165.205.222:
    securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes
    securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10


Coexistence of dynamic and static VPN peers

Verify Crypto Map Sequence Numbers
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the static crypto map entries. If any static entry is numbered higher than the dynamic entry, connections with those static peers fail, because the dynamic entry matches them first.
Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note that the dynamic entry has the highest sequence number and room has been left to add additional static entries:
    crypto dynamic-map cisco 20 set transform-set myset
    crypto map mymap 10 match address 100
    crypto map mymap 10 set peer 172.16.77.10
    crypto map mymap 10 set transform-set myset
    crypto map mymap 60000 ipsec-isakmp dynamic cisco
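The ordering rule above is easy to break when static entries are added later, so here is a small checker that parses flat-style crypto map lines and reports any static entry numbered above the dynamic entry. This is an added example, not Cisco's code; the sample configurations are constructed, and the parser only understands the one-line `crypto map <name> <seq> ...` syntax shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from a real device). GOOD mirrors the page's
# correctly ordered crypto map; BAD adds a static entry above the dynamic one.
GOOD_CONFIG = """
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic cisco
"""

BAD_CONFIG = GOOD_CONFIG + """
crypto map mymap 65000 match address 101
crypto map mymap 65000 set peer 172.16.77.11
crypto map mymap 65000 set transform-set myset
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config):
    """Return {map_name: {"static": {seq, ...}, "dynamic": {seq, ...}}}."""
    maps = defaultdict(lambda: {"static": set(), "dynamic": set()})
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        # Only "ipsec-isakmp dynamic <dyn-map>" marks a dynamic entry; every
        # other subcommand (match address, set peer, ...) belongs to a static one.
        kind = "dynamic" if rest.startswith("ipsec-isakmp dynamic") else "static"
        maps[name][kind].add(seq)
    return maps


def check_crypto_map_order(config):
    """Return one message per static entry numbered above a dynamic entry."""
    problems = []
    for name, entries in parse_crypto_maps(config).items():
        if not entries["dynamic"]:
            continue  # no dynamic peer on this map, ordering is irrelevant
        lowest_dynamic = min(entries["dynamic"])
        for seq in sorted(entries["static"]):
            if seq > lowest_dynamic:
                problems.append(f"{name}: static entry {seq} is above dynamic entry {lowest_dynamic}")
    return problems
```

Running `check_crypto_map_order(BAD_CONFIG)` flags the 65000 entry, while the page's own layout passes cleanly.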
Disable XAUTH for L2L Peers
If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.
Note: This issue only applies to Cisco IOS and PIX 6.x. Because it uses tunnel-groups, PIX/ASA 7.x is not affected by this issue.
Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:
    router(config)# crypto isakmp key cisco123 address 172.22.1.164 no-xauth
