VPN configuration on ASA 5505

Posted on 2008-10-20
Last Modified: 2012-05-05
I am trying to configure VPN on an ASA 5505. I can establish a VPN connection, but cannot connect to any hosts inside. I have tried an IP address pool outside of the LAN IP range, but it doesn't make any difference. What have I missed?
Thank you.
: Saved
: Written by enable_15 at 18:31:25.678 PDT Mon Oct 20 2008

ASA Version 8.0(4)

hostname asa
domain-name domain.local
enable password 91k//o6Nbagsq/eI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

name vweb-outside
name vweb-inside

interface Vlan1
 nameif inside
 security-level 100
 ip address 

interface Vlan2
 nameif outside
 security-level 0
 ip address 

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 3

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS

 domain-name domain.local
access-list inside_nat_outbound extended permit ip any 
access-list outside_access_in extended permit tcp any host vweb-outside eq www 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnippool2 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location vweb-outside inside
asdm location vweb-inside inside
asdm history enable
arp timeout 14400

global (outside) 2 interface
nat (inside) 2 access-list inside_nat_outbound dns
static (inside,outside) tcp vweb-outside www vweb-inside www netmask 
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt For Authorized Users Only! 
auth-prompt accept Logged in. 
auth-prompt reject Logging failed. 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside
ntp server source outside prefer
ntp server source outside

 enable inside
 enable outside
 enable dmz
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy GroupPolicy internal
group-policy GroupPolicy attributes
 banner value For Authorized Users Only!
 wins-server none
 dns-server value
 dhcp-network-scope none
 vpn-tunnel-protocol svc webvpn
 default-domain value domain.local
 address-pools value vpnippool2

  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 60
  svc compression deflate
  svc modules value vpngina
  svc profiles none
  svc ask enable default svc timeout 10
username user1 password eNGvCP8Kw0H3r9XBYrYMsw== nt-encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpnippool2
 default-group-policy GroupPolicy
tunnel-group VPN webvpn-attributes
 group-alias SPVPN enable

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 

service-policy global_policy global
prompt hostname context 

: end


Question by:goneclimbing

Accepted Solution

batry_boy earned 500 total points
ID: 22764225
I would still go with a VPN pool of addresses outside the range of your internal network. You should also add the following statements in addition to that:

ip local pool vpnippool mask
access-list inside_nat0_outbound permit ip any
crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound
group-policy GroupPolicy attributes
 address-pools value vpnippool

See if that helps... if it doesn't fix it, post your running config after you make the above changes so I can check it.
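Why the nat 0 exemption in the answer matters, as an added Python model that is not part of the answer above or of Cisco's code: it walks a reply from an inside host toward a VPN client through the pre-8.3 ASA NAT rule order (exemption first, then the policy NAT that pairs with "global (outside) 2 interface"). The LAN host, the VPN pool, the outside interface address and the two stripped ACL destinations are all constructed assumptions.

```python
import ipaddress

# Constructed values: the page's own addresses were stripped from the config.
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")      # assumed vpnippool range
OUTSIDE_IF = ipaddress.ip_address("203.0.113.2")      # assumed outside address

def acl_permits(acl, src, dst):
    """acl is a list of (src_net, dst_net) permit entries."""
    return any(src in s and dst in d for s, d in acl)

def translate_source(src, dst, nat0_acl, dynamic_rules):
    """Pre-8.3 ASA NAT lookup for a packet leaving 'inside' toward 'outside'.
    Order: 'nat (inside) 0' exemption first, then (static rules, omitted
    here) then policy dynamic NAT paired with 'global (outside) N interface'."""
    if acl_permits(nat0_acl, src, dst):
        return src, "nat (inside) 0 access-list inside_nat0_outbound"
    for acl, global_addr in dynamic_rules:
        if acl_permits(acl, src, dst):
            return global_addr, "nat (inside) 2 access-list inside_nat_outbound"
    return src, "no rule matched"

# The page's policy NAT ACL; its destination was stripped, so 'any' is assumed.
INSIDE_NAT_OUTBOUND = [(ANY, ANY)]
# The exemption ACL from the answer; its destination is assumed to be the pool.
INSIDE_NAT0_OUTBOUND = [(ANY, VPN_POOL)]

def reply_from_lan_host(exempt_vpn_pool):
    """Inside host 192.168.1.10 answers VPN client 10.10.10.5 (both constructed).
    Without the exemption the reply is PATed to the outside interface address,
    so the client sees a source it never talked to and drops it."""
    host = ipaddress.ip_address("192.168.1.10")
    client = ipaddress.ip_address("10.10.10.5")
    nat0 = INSIDE_NAT0_OUTBOUND if exempt_vpn_pool else []
    new_src, rule = translate_source(
        host, client, nat0, [(INSIDE_NAT_OUTBOUND, OUTSIDE_IF)])
    return {"source_seen_by_client": str(new_src), "rule": rule,
            "reply_accepted": new_src == host}

if __name__ == "__main__":
    print(reply_from_lan_host(exempt_vpn_pool=False))
    print(reply_from_lan_host(exempt_vpn_pool=True))
```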

Expert Comment

ID: 22765270
First, what VPN are you referring to: VPN client or WebVPN?
Regarding client VPN, it indeed lacks a few configs, as batry_boy wrote.
NOTE: The best practice is to assign to VPN clients a pool that is different from the LAN pool, but assigning overlapping pools works just fine; just make sure IPs used in the VPN pool are not used in the LAN, as it would make those LAN IPs inaccessible. When a VPN client connects to the VPN gateway, it (the gateway) assigns an IP from the pool and enters this IP into the routing table with bitmask /32, located at the interface to which the VPN client connects (usually the WAN interface), so if there is an identical LAN IP to be found on the inside (LAN) interface it would be listed in the route table with the bitmask of the entire network and thus be less specific than the IP from the VPN client pool.
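The longest-prefix-match behaviour this comment describes, as an added Python illustration (not from the comment's author or from Cisco): a connected VPN client's /32 on the outside interface shadows an identical LAN address that only sits behind the /24 connected route on inside. The 192.168.1.0/24 LAN, the clashing address and the pool addresses are constructed.

```python
import ipaddress

# Constructed topology: the LAN is the connected network on 'inside'.
LAN = ipaddress.ip_network("192.168.1.0/24")

def route_table(connected_vpn_clients):
    """Connected route for the LAN plus a /32 per connected VPN client,
    pointing at the interface the client came in on (outside), as the
    comment describes the gateway doing at connect time."""
    table = [(LAN, "inside")]
    for ip in connected_vpn_clients:
        table.append((ipaddress.ip_network(f"{ip}/32"), "outside"))
    return table

def egress_interface(table, dst):
    """Longest-prefix match: of all routes covering dst, the most specific
    (largest prefix length) wins. None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, ifc) for net, ifc in table if dst in net]
    if not hits:
        return None
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def egress_after_client_connects(client_ip, dst):
    """Where a packet for dst goes once one VPN client holding client_ip
    is connected. With an overlapping pool, a LAN host that shares the
    client's address is reached via 'outside' and becomes unreachable."""
    return egress_interface(route_table([client_ip]), dst)

if __name__ == "__main__":
    # Overlapping pool: client took 192.168.1.205, same as a LAN printer.
    print(egress_after_client_connects("192.168.1.205", "192.168.1.205"))
    print(egress_after_client_connects("192.168.1.205", "192.168.1.10"))
    # Non-overlapping pool: every LAN address still resolves to inside.
    print(egress_after_client_connects("10.10.10.5", "192.168.1.205"))
```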

Expert Comment

ID: 22765621

An additional note: another reason for the problem that one can connect and authenticate but not get any traffic through the VPN tunnel can be that the client is behind a firewall that doesn't allow the data traffic through. Then try to use NAT traversal or try to connect through another port like tcp/10000.

Br Jimmy

Author Comment

ID: 22770668
Thank you batry_boy. It works now. One side note. What do I need to configure single-sign-on (with Windows AD) and split tunnel?

Thanks for your help.

Author Closing Comment

ID: 31508122
Excellent and accurate answer. Thank you.
