VPN connection - one user cannot see internal network

Posted on 2008-06-09
Last Modified: 2008-06-10
Need Help! I have one user that can connect to our VPN but cannot see anything on our internal network. User has DSL (speedstream 4100). I have a different user with same setup and works fine. I don't see any error messages in ASDM, but I do see the problem user connect. Thanks, Bill
Question by:whbaxter

Expert Comment

ID: 21747725
It may be a client issue - reboot for that.
It may be a local firewall/protection suite issue, disable that.
It could be that the VPN server has a different split tunnel setting, but you ruled that out.
Could be the ASA has reached its limit, doubt it, but needed to reboot a few times in the past when not running the latest firmware. Updated the firmware and all is good.
Could be that he is seeing the network, but the application is not working. Can you ping him?


Author Comment

ID: 21747764
I tried to connect with two different PCs at the user's house.
I disabled Windows firewall - don't know if the speedstream has one - I will check that.
25 IPSec licenses on the ASA.
Could not ping him.

Accepted Solution

debuggerau earned 500 total points
ID: 21747865
Do you allow NAT Traversal? Or does the user need a direct public address?

Could be the speedstream, but what about client protection like Norton or other software firewalls?


Author Comment

ID: 21748049
Don't know enough about NAT-T to try it. The PC at the user's house was taken from our office, so I know that there is client protection enabled.

Expert Comment

ID: 21748672
Depending on your ASA config, NAT traversal will be enabled or not, allowing you to VPN in via a NAT firewalled client.

Can you disable this client protection, or has it already been eliminated as a cause?

Maybe the clients need to configure port-forwarding on the slipstream?


Author Comment

ID: 21752496
Maybe someone can look at my config. I tried to set up another user, and cannot get him to connect. Now I have two users that cannot connect and three that can. There could be something wrong with the config, since this is the first ASA I have ever set up.
: Saved
ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x
interface Vlan3
 nameif DMZ
 security-level 50
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list VPNTunnel_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list DMZ_outbound extended permit ip host host
access-list DMZ_outbound extended permit ip host host
access-list DMZ_outbound extended permit ip host host
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNPool mask
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group DMZ_outbound in interface DMZ
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
group-policy VPNTunnel internal
group-policy VPNTunnel attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNTunnel_splitTunnelAcl
 default-domain value
username sgmikalowsky password c5gLZlklIFf5r9a5 encrypted privilege 0
username sgmikalowsky attributes
 vpn-group-policy VPNTunnel
username mjsandoe password 34yfuhEtoXftzqlf encrypted privilege 0
username mjsandoe attributes
 vpn-group-policy VPNTunnel
username mpconnelly password zWJFUXT7FwuCi1SS encrypted privilege 0
username mpconnelly attributes
 vpn-group-policy VPNTunnel
username whbaxter password eCtuA/0MCMYZ4AXN encrypted privilege 0
username whbaxter attributes
 vpn-group-policy VPNTunnel
username ejhetrick password nJqA9VEnYxnDSCGZ encrypted privilege 0
username ejhetrick attributes
 vpn-group-policy VPNTunnel
tunnel-group VPNTunnel type ipsec-ra
tunnel-group VPNTunnel general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnel
tunnel-group VPNTunnel ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
asdm image disk0:/asdm-523.bin
no asdm history enable



Author Comment

ID: 21753086
crypto isakmp nat-traversal worked!

but does this pose any security risks?
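
Added example, not part of the thread and not Cisco code: a small audit that reads an ASA 7.x running-config, flags remote-access IPsec configured without `crypto isakmp nat-traversal` (the state of the config posted above), and lists what the IKE-enabled interface accepts before and after the command is added. The function name `audit_nat_t` and the trimmed sample configs are constructed for illustration.

```python
import re

# Constructed input: the IPsec-related lines of the config posted above.
POSTED = """\
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group VPNTunnel type ipsec-ra
"""
# The same lines plus the command the author reports as the fix.
FIXED = POSTED + "crypto isakmp nat-traversal\n"


def audit_nat_t(config):
    """Summarise remote-access IPsec and NAT-T state of an ASA 7.x config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    ifaces, groups, nat_t, keepalive = [], [], False, None
    for ln in lines:
        if m := re.fullmatch(r"crypto isakmp enable (\S+)", ln):
            ifaces.append(m.group(1))
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", ln):
            groups.append(m.group(1))
        elif m := re.fullmatch(r"(no )?crypto isakmp nat-traversal(?: (\d+))?", ln):
            # A later line overrides an earlier one; "no ..." switches it off.
            nat_t = m.group(1) is None
            keepalive = int(m.group(2)) if nat_t and m.group(2) else None
    # What the IKE-enabled interface must accept from VPN clients.
    listeners = ["udp/500 (IKE)", "ip/50 (ESP)"] if ifaces else []
    if ifaces and nat_t:
        listeners.append("udp/4500 (IKE and ESP-in-UDP, NAT-T)")
    findings = []
    if ifaces and groups and not nat_t:
        findings.append(
            "remote-access groups %s on %s without NAT-T: clients behind a "
            "NAT/PAT router can finish IKE but their ESP traffic may not pass"
            % (", ".join(groups), ", ".join(ifaces)))
    return {"interfaces": ifaces, "groups": groups, "nat_t": nat_t,
            "keepalive": keepalive, "listeners": listeners, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        r = audit_nat_t(cfg)
        print(name, "NAT-T:", r["nat_t"], "| accepts:", ", ".join(r["listeners"]))
        for f in r["findings"]:
            print("  finding:", f)
```

The `listeners` difference between the two runs is the change to account for in upstream filtering and monitoring: with NAT-T on, client traffic also arrives on UDP 4500.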
