Cisco ASA 5505 - VPN into VLAN

Posted on 2008-11-19
Last Modified: 2012-05-05
Hi all,

I would like to set up our ASA to allow clients to IPsec VPN into our network and be assigned to a VLAN based on their group policy.  For instance, office workers should be able to, based on their group assignment, VPN into our office VLAN.  Network admins should be able to VPN into the Network Admin VLAN, and so on.  These VLANs are currently in production (i.e. they are already used internally).

Here is the scenario:

VLANs are configured on a 3750 stack.  The ASA is plugged into a trunk port on the switch.

VLAN 15: 192.168.15.x, default gateway for this VLAN is
VLAN 16: 192.168.16.x, default gateway for this VLAN is

VLAN 15: server VLAN.  Subinterface e0/0.15 on ASA, nameif server.  ASA has an IP on this interface,
VLAN 16: client VLAN.  Subinterface e0/0.16 on ASA, nameif client.

default gateway for ASA is pointing outside.  
route is configured on the ASA

ACLs are wide open, permit ip any any, for testing purposes.

A client connects from the outside into the ASA using AnyConnect.  They are assigned an IP address of  They then attempt to ping a web server at  The ping is successful.  They attempt to browse to the web server, but nothing happens.  ASA logs show the following:

Deny TCP (no connection) from to flags SYN ACK on interface client

Doing a packet capture, I can see that the initial client request goes out the server interface (VLAN 15), but the return packet tries to come in the client interface.  This makes sense from a routing perspective, and the ASA drops it because the return packet doesn't have a TCP connection created.

Next, I tried editing the group policy for this client to force them to VLAN 16, so all traffic should go out that interface.  The client reconnects to the VPN and tries pinging the web server again, but fails.  Logs show the following:

Routing failed to locate next hop for UDP from outside: to server:

Again, this makes sense, since the client interface doesn't know how to route to the server network.  

Any ideas on how to get this to work?
Question by: wilsonb162
    LVL 15

    Expert Comment

    You could try a test setup using one of the layer 3 switch VLANs as your "inside router".

    You could then try this command in the ASA:

    route inside x.x.x.x tunneled, where x.x.x.x represents the inside router, in your case, a VLAN that is considered the gateway network, i.e.
    This tunnel default gateway will sometimes overcome the VLAN routing issues you are having with your ASA. I have used this with some success in similar scenarios to yours.
    LVL 1

    Author Comment

    I added the tunneled route as you suggested, but that unfortunately did not help:

    route inside tunneled

    When I establish the VPN session I can still ping the device, but I get the same problem as before:

    Deny TCP (no connection) from to flags SYN ACK on interface client
    LVL 15

    Accepted Solution

    I will have to research this more, but you might want to try assigning a VLAN subnet that is different from your production network IP scheme, say
    used nowhere else, for the VPN address pool. Then:
    access-list nonat permit ip any
    (if nonat is in your config)

    Make sure you have a route to this network.
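    As an added illustration (not config from the thread), one way to lay out the accepted suggestion in pre-8.3 ASA syntax, with a dedicated remote-access pool that belongs to neither production VLAN plus the return route on the 3750. The pool 10.99.99.0/24, the names VPNPOOL, REMOTE-GP and REMOTE-TG, the host 192.168.15.10 and the placeholder <ASA-server-ip> are all constructed; the nat 0 lines assume the config already uses a nonat identity-NAT ACL.

```cisco
! --- ASA (pre-8.3 NAT syntax) ---
! Dedicated pool for remote-access clients. 10.99.99.0/24 is a constructed
! placeholder; it must not overlap VLAN 15 (server) or VLAN 16 (client).
ip local pool VPNPOOL 10.99.99.1-10.99.99.100 mask 255.255.255.0

! Hand the pool out through the group policy (placeholder names).
group-policy REMOTE-GP attributes
 address-pools value VPNPOOL
tunnel-group REMOTE-TG general-attributes
 address-pool VPNPOOL
 default-group-policy REMOTE-GP

! Exempt pool <-> production VLANs from NAT, as the accepted answer suggests.
! Only relevant if "nat (<ifc>) 0 access-list nonat" is already in use.
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 10.99.99.0 255.255.255.0
nat (server) 0 access-list nonat
nat (client) 0 access-list nonat

! --- 3750 (routes between the production VLANs) ---
! Hosts reply via their SVI, so the switch needs a route back to the pool
! that points at the ASA. <ASA-server-ip> is the ASA address on e0/0.15.
ip route 10.99.99.0 255.255.255.0 <ASA-server-ip>

! --- Check on the ASA after a client connects ---
! The reply must enter the ASA on the same interface the request left, or
! the "Deny TCP (no connection)" drop from the question recurs. Confirm the
! interface pair of each flow from a pool address, and which interface the
! ASA uses to reach each VLAN (with subinterfaces on both VLANs, replies
! from the VLAN that is not the 3750's next hop still need checking).
show conn address 10.99.99.5
show route
```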
    LVL 1

    Author Comment

    Unfortunately, I was hoping to utilize our existing production networks to place clients on, since we already have internal firewalling set up.  That way we can apply additional security policies for remote access and keep our internal firewall rules separate.  From what I can see, though, the separate VLAN seems to be the recommendation for VPN.
