ASA Remote-Access VPN - Unable to reach inside network

Posted on 2008-10-28
Last Modified: 2012-08-14
We have a Cisco ASA 5510 installed in one of our datacenters that we are using for remote-access VPN connections.  The Cisco VPN Client is able to connect and split tunneling is currently allowing us to use the internet but we are unable to access any of the resources on the "inside" of the ASA.

Our datacenter ip addressing is 10.x.x.x while our offices are 172.x.x.x.  We are unable to access resources in either.

The route details in the VPN client indicate that and are secured routes.
Tunnel details shows that packets are being encrypted but none are being decrypted.

Consoled into the ASA, I am able to ping an address on the inside network.  I am unable to ping any address outside including the address of the connected VPN client.

Pinging from the VPN client seems to be reaching the inside interface however no response is returned.
ICMP echo request from to ID=1024 seq=1536 len=32
ICMP echo request from to ID=1024 seq=1792 len=32
ICMP echo request from to ID=1024 seq=2048 len=32
ICMP echo request from to ID=1024 seq=2304 len=32

Please see the below config for reference.  The route print is also attached.

ASA Version 7.2(4)

hostname XXXX
domain-name XXXX
enable password XXXX encrypted
passwd XXXX encrypted

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.176.55.187

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30

 domain-name XXX
access-list vpnSplitTunnel standard permit
access-list vpnSplitTunnel standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
pager lines 24
logging enable
logging buffer-size 500000
mtu outside 1500
mtu inside 1500
ip local pool vpnClientPool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside XXX.176.55.190 1

router ospf 24901

 network area 0

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server vpnUsers protocol radius
aaa-server vpnUsers (inside) host
 key XXX
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnDynamicMap 10 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnDynamicMap 10 set reverse-route
crypto map vpnMap 10 ipsec-isakmp dynamic vpnDynamicMap
crypto map vpnMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy abc123 internal
group-policy abc123 attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnSplitTunnel
 default-domain value XXXX
username XXXX password XXXX encrypted privilege 15
tunnel-group abc123 type ipsec-ra
tunnel-group abc123 general-attributes
 address-pool vpnClientPool
 default-group-policy abc123
tunnel-group abc123 ipsec-attributes
 pre-shared-key XXXX

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
prompt hostname context

: end


Question by:BubbaJones82
Expert Comment

by:Alan Huseyin Kayahan
ID: 22832885
Hello BubbaJones82,
ip local pool vpn_pool mask
tunnel-group abc123 general-attributes
no address-pool vpnClientPool
address-pool vpn_pool
no ip local pool vpnClientPool mask
As far as I know, the ASA cannot have loopback interfaces, so you cannot advertise the network to the adjacent router. You have to create a route for this VPN network in the adjacent router manually.



Author Comment

ID: 22833369
Hello MrHusy,

I should have updated my post.  I saw that error earlier with the x.16.x.x and have already changed it to x.19.x.x.  Thanks for catching it though.  

Another thing I should have clarified is that the ASA has a public IP address on the outside interface.

In the route print I've attached, it shows that the VPN Client is receiving routes to the ASA and traffic is arriving at the ASA and being decrypted. I just can't access anything on the inside of the ASA.

The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 is directly connected, outside
S [1/0] via 216.XXX.XXX.190, outside
O E2 [110/20] via, 0:42:23, inside

If I ping the VPN client from the ASA outside interface I do not receive any reply; however, I can see the decrypted count go up on the VPN Client statistics and the encrypted count go up on the ASA.

ping outside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

sh crypto ipsec sa
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

If I ping the VPN client from the ASA inside interface I also do not receive any reply, and the decrypted count on the VPN Client statistics does NOT increase. The encrypted count on the ASA also does not increase.

ping inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Any further suggestions?


Accepted Solution

Alan Huseyin Kayahan earned 500 total points
ID: 22834795
Add the following
policy-map global_policy
 class inspection_default
  inspect icmp

Try testing with telnet to a specific port (e.g. 3389) instead of ping.

"The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 is directly connected, outside
S [1/0] via 216.XXX.XXX.190, outside "

What we need is to have the following output in the router:

S[1/0] via,


Author Comment

ID: 22846902
Adding the static route into the adjacent router did the trick.
However, I'm going to look into other possible solutions. OSPF should be advertising that network. When you connect to the ASA with the VPN Client, a static route is added to the ASA table for the specific host. I'm not sure why OSPF isn't sending this to the adjacent router. I might possibly have to redistribute or something. Not totally sure at this point.

Author Closing Comment

ID: 31511013
Thanks for the tip on this.  I struggled with it for days.
