Cisco ASA 5505 VPN - How to configure to browse connected network?

Posted on 2008-10-14
Last Modified: 2012-05-05
Hello. I have a Cisco ASA 5505 device that I recently put into place. I have it up and running and users can get to the Internet just fine. I have recently been asked to try to configure it to allow certain users VPN access from home.

I originally configured the VPN through the wizard and that didn't work, so I found a place online that had some examples and I tried to emulate those. I can successfully connect to the VPN now, but I cannot access any of the resources on the network.

My host network is 192.168.121.x and the VPN network is 192.168.122.x. I would like the .122 network to be able to access resources on the .121 network via VPN.

I have attached a copy of the router's config. Where you see <hidden> I have cleared that info.

If someone could take a quick look and see what I might be missing and let me know, that would be great.
Result of the command: "sh run"

isakmp policy 30 is superceded by identical policy 10

ASA Version 7.2(4)

hostname <hidden>
domain-name <hidden>.local
enable password .<hidden> encrypted
passwd <hidden>.<hidden> encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xx.xx.xx

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name <hidden>.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit
access-list outside_access_in extended permit tcp any any eq pcanywhere-data
access-list outside_access_in extended permit tcp any any eq 5632
access-list outside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip any any
access-list privpn_splitTunnelAcl standard permit
access-list inside_nat0_outside extended permit ip any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outside
nat (inside) 1
static (inside,outside) tcp interface pcanywhere-data pcanywhere-data netmask
static (inside,outside) tcp interface 5632 5632 netmask
static (inside,outside) tcp interface 3389 <hidden> 3389 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 71.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd dns interface inside

ntp server
ntp server source outside prefer
group-policy privpn internal
group-policy privpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
 default-domain value pri.local
username <hidden> password <hidden> encrypted
username <hidden> password <hidden>  encrypted
tunnel-group privpn type ipsec-ra
tunnel-group privpn general-attributes
 address-pool vpnpool
 default-group-policy privpn
tunnel-group privpn ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Question by:readydave

Expert Comment

ID: 22713243
What lines did you add or change from the original configuration of the firewall before VPN connectivity was attempted? Could you highlight or copy and paste to a separate doc?

Accepted Solution

JFrederick29 earned 500 total points
ID: 22713284
Give these a shot.

conf t
access-list remote-vpn extended permit ip any

no crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 match address remote-vpn

group-policy privpn attributes
no split-tunnel-network-list value Split_Tunnel_List_ACL
split-tunnel-network-list value remote-vpn
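
A cross-reference check for the names this answer touches, as an added example that is not part of the original thread: it confirms that every ACL referenced by `nat 0`, `split-tunnel-network-list` and `crypto dynamic-map ... match address` is defined, and that the dynamic map being edited is reachable from a crypto map bound to an interface. The sample is constructed from the posted lines with the answer applied; its address fields are assumptions, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample: name-bearing lines from the posted config with the accepted
# answer applied. Address fields are assumed (the page elides them).
SAMPLE = """\
access-list Split_Tunnel_List_ACL standard permit 192.168.121.0 255.255.255.0
access-list inside_nat0_outside extended permit ip any 192.168.122.0 255.255.255.0
access-list remote-vpn extended permit ip any 192.168.122.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 10 match address remote-vpn
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
group-policy privpn attributes
 split-tunnel-network-list value remote-vpn
"""

ACL_DEF = re.compile(r"^access-list (\S+) (?:standard|extended) ")
ACL_REFS = {  # role -> pattern capturing the ACL name being referenced
    "nat-exempt": re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    "crypto-match": re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)"),
    "split-tunnel": re.compile(r"^\s*split-tunnel-network-list value (\S+)"),
}
DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) ")
MAP_DYN = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
MAP_IF = re.compile(r"^crypto map (\S+) interface \S+")

def audit(config):
    """Cross-check ACL and crypto-map names in an ASA 7.2-style config.
    A dynamic map is 'live' only if an interface-bound crypto map uses it."""
    lines = config.splitlines()
    defined = {m.group(1) for l in lines if (m := ACL_DEF.match(l))}
    roles = {}
    for l in lines:
        for role, rx in ACL_REFS.items():
            if (m := rx.match(l)):
                roles.setdefault(m.group(1), []).append(role)
    bound = {m.group(1) for l in lines if (m := MAP_IF.match(l))}
    live = {m.group(2) for l in lines if (m := MAP_DYN.match(l)) and m.group(1) in bound}
    dyn = {m.group(1) for l in lines if (m := DYN_DEF.match(l))}
    return {
        "undefined_acls": sorted(set(roles) - defined),
        "unused_acls": sorted(defined - set(roles)),
        "live_dynamic_maps": sorted(live),
        "dead_dynamic_maps": sorted(dyn - live),
        "acl_roles": roles,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, `dynmap` is the only live dynamic map because `mymap` is the crypto map bound to `outside`, while `outside_dyn_map` and the old `Split_Tunnel_List_ACL` are reported as leftovers.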

Expert Comment

ID: 22713753
If you're asking about browsing computers in a Windows network, this simply will not work over VPN.
The protocol used to browse computers is called NetBIOS - NetBIOS is a broadcast protocol and broadcasts do not work over VPN - it is impossible to do.
The alternative is to create a mapped drive using IP addresses or DNS names (this uses a different protocol) - but you won't be able to contact a computer just by typing its name and trying to browse it.
Cheers! Let me know if you have any questions!

Author Closing Comment

ID: 31505966
This worked for me. Thank you!
