ASA Remote-Access VPN - Unable to reach inside network

Posted on 2008-10-28
Last Modified: 2012-08-14
We have a Cisco ASA 5510 installed in one of our datacenters that we are using for remote-access VPN connections.  The Cisco VPN Client is able to connect and split tunneling is currently allowing us to use the internet but we are unable to access any of the resources on the "inside" of the ASA.

Our datacenter IP addressing is 10.x.x.x while our offices are 172.x.x.x.  We are unable to access resources in either.

The route details in the VPN client indicate that and are secured routes.
Tunnel details shows that packets are being encrypted but none are being decrypted.

Consoled into the ASA, I am able to ping an address on the inside network.  I am unable to ping any address outside including the address of the connected VPN client.

Pinging from the VPN client seems to be reaching the inside interface however no response is returned.
ICMP echo request from to ID=1024 seq=1536 len=32
ICMP echo request from to ID=1024 seq=1792 len=32
ICMP echo request from to ID=1024 seq=2048 len=32
ICMP echo request from to ID=1024 seq=2304 len=32

Please see the below config for reference.  The route print is also attached.

ASA Version 7.2(4) 
hostname XXXX
domain-name XXXX
enable password XXXX encrypted
passwd XXXX encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.176.55.187 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
 domain-name XXX
access-list vpnSplitTunnel standard permit 
access-list vpnSplitTunnel standard permit
access-list inside_nat0_outbound extended permit ip 
access-list inside_nat0_outbound extended permit ip 
pager lines 24
logging enable
logging buffer-size 500000
mtu outside 1500
mtu inside 1500
ip local pool vpnClientPool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside XXX.176.55.190 1
router ospf 24901
 network area 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server vpnUsers protocol radius
aaa-server vpnUsers (inside) host
 key XXX
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map vpnDynamicMap 10 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnDynamicMap 10 set reverse-route
crypto map vpnMap 10 ipsec-isakmp dynamic vpnDynamicMap
crypto map vpnMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy abc123 internal
group-policy abc123 attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnSplitTunnel
 default-domain value XXXX
username XXXX password XXXX encrypted privilege 15
tunnel-group abc123 type ipsec-ra
tunnel-group abc123 general-attributes
 address-pool vpnClientPool
 default-group-policy abc123
tunnel-group abc123 ipsec-attributes
 pre-shared-key XXXX
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
: end


Question by: BubbaJones82

Expert Comment

by: Alan Huseyin Kayahan
ID: 22832885
Hello BubbaJones82,
ip local pool vpn_pool mask
tunnel-group abc123 general-attributes
no address-pool vpnClientPool
address-pool vpn_pool
no ip local pool vpnClientPool mask
   As far as I know, ASA can not have loopback interfaces so you can not advertise network to adjacent router. You have to create a route for this VPN network in adjacent router manually.



Author Comment

ID: 22833369
Hello MrHusy,

I should have updated my post.  I saw that error earlier with the x.16.x.x and have already changed it to x.19.x.x.  Thanks for catching it though.  

Another thing I should have clarified is that the ASA has a public IP address on the outside interface.

In the route print I've attached, it shows that the VPN Client is receiving routes to the ASA and traffic is arriving at the ASA and being decrypted.  I just can't access anything on the inside of the ASA.

The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 is directly connected, outside
S [1/0] via 216.XXX.XXX.190, outside
O E2 [110/20] via, 0:42:23, inside

If I ping the VPN client from the ASA outside interface I do not receive any reply, however I can see the decrypted count go up on the VPN Client statistics and the encrypted count go up on the ASA.

ping outside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

sh crypto ipsec sa
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

If I ping the VPN client from the ASA inside interface I also do not receive any reply and the decrypted count on the VPN Client statistics does NOT increase.  The encrypted count on the ASA also does not increase.

ping inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Any further suggestions?


Accepted Solution

Alan Huseyin Kayahan earned 2000 total points
ID: 22834795
Add the following
policy-map global_policy
 class inspection_default
  inspect icmp

Try testing with telnet to a specific port (i.e. 3389) instead of ping.

"The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 is directly connected, outside
S [1/0] via 216.XXX.XXX.190, outside "

What we need is to have the following output in the router:

S[1/0] via,


Author Comment

ID: 22846902
Adding the static route into the adjacent router did the trick.
However, I'm going to look into other possible solutions.  OSPF should be advertising that network.  When you connect to the ASA with the VPN Client, a static route is added to the ASA table for the specific host.  I'm not sure why OSPF isn't sending this to the adjacent router.  I might possibly have to redistribute or something.  Not totally sure at this point.
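Added example (not from the thread or either participant): the two ways to give the next-hop router a return route for the VPN pool that the accepted solution and the follow-up above describe, plus the stateful ICMP inspection. The pool 10.255.255.0/24 and the ASA inside address 10.0.0.1 are placeholders, since the original post redacts those values; the OSPF process number 24901 and the policy-map names are the ones in the posted config.

```cisco
! --- Option A: static route on the adjacent inside router (IOS syntax) ---
! Placeholders: VPN client pool 10.255.255.0/24, ASA inside interface 10.0.0.1.
! This is the fix the author applied; the reply for any packet sourced from
! the pool is sent back to the ASA instead of to the router's default route.
ip route 10.255.255.0 255.255.255.0 10.0.0.1
!
! --- Option B: have the ASA advertise the reverse-route-injection routes ---
! "set reverse-route" on the dynamic map installs a /32 static route per
! connected client on the ASA. OSPF only advertises those if static routes
! are redistributed into it; "subnets" is required for non-classful prefixes.
router ospf 24901
 redistribute static subnets
!
! --- Stateful ICMP, so echo replies are matched to the request and let back ---
policy-map global_policy
 class inspection_default
  inspect icmp
```

Option A needs one route per pool; Option B injects one /32 per connected client into OSPF, so it is simpler to keep but noisier in the routing table of every OSPF neighbor.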

Author Closing Comment

ID: 31511013
Thanks for the tip on this.  I struggled with it for days.
