Routing Subnets While Using Cisco AnyConnect VPN

hachemp asked
Medium Priority
Last Modified: 2012-08-14
I have recently set up VPN on our network with a 5520 ASA using AnyConnect version 2.3.0254. I am using split tunnelling. The inside interface of the ASA is on  Using AnyConnect to VPN from outside the network, I can get to anything on 192.168.8.x, but I can't get to anything on any of our other subnets - for the purposes of this question I'll use 192.168.10.x as an example. We have a Cisco Catalyst L3 switch ( which acts as a gateway to route traffic between the subnets. I have static routes on the ASA put in for each of our subnets pointing to, and I have included in the networks to be routed through the VPN tunnel, but I can't seem to access anything on 10.x when connected to the VPN. I can successfully ping addresses from the ASA directly. Here's an example of the message I receive in the log when I try to connect to a 10.x address from VPN: 'No translation group found for udp src outside: dst inside:'. My VPN IP pool is from 8.251-254. I can't seem to figure out what I am missing to get this to work. I have posted the config of the 5520 ASA. Thanks!
ASA Version 8.0(4) 
hostname ptcasa
domain-name xxx.com
enable password encrypted
passwd encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 
interface GigabitEthernet0/0.1
 no vlan
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
object-group icmp-type Good-ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group Good-ICMP 
access-list inside_nat0_outbound extended permit ip 
access-list WWVPN_splitTunnelAcl standard permit 
access-list WWVPN_splitTunnelAcl standard permit 
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNTest mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_access_in in interface outside
route outside xxx.xxx.xxx.xxx 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server WWDC4 protocol radius
aaa-server WWDC4 (inside) host
 timeout 5
 key xxxxxxxxxxxxxxxxxxxxx
http server enable
http management
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source inside prefer
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WWVPN internal
group-policy WWVPN attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WWVPN_splitTunnelAcl
 default-domain value xxx.com
 webvpn
  url-list value WW
  svc ask none default svc
group-policy DfltGrpPolicy attributes
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Test disable
tunnel-group WWVPN type remote-access
tunnel-group WWVPN general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN webvpn-attributes
 group-alias WWVPN enable
tunnel-group WWVPN ipsec-attributes
 pre-shared-key *
tunnel-group WWVPN2 type remote-access
tunnel-group WWVPN2 general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN2 webvpn-attributes
 group-alias WWVPN2 enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end
asdm image disk0:/asdm-613.bin
asdm location inside
no asdm history enable

Sr. Systems Engineer
Top Expert 2008
access-list inside_nat0_outbound extended permit ip

Could I modify this to read like this...

access-list inside_nat0_outbound extended permit ip

...to only include 10.0?  I'm just worried that if an end user has their local network on say,, the original ACL you posted will attempt to send that data through the tunnel.  Or am I way off base?  Thanks.


Checked myself, this did what I needed it to.  Thanks.
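To make the relationship between the split-tunnel list and the nat 0 exemption concrete, here is an added Python checker; it is not part of the thread and not a Cisco tool. It parses the ASA 8.x commands that appear in the posted config (ip local pool, standard and extended access-list lines, nat (inside) 0, split-tunnel-network-list, address-pool) and reports two things: split-tunnel networks that have no NAT exemption toward the VPN pool, which is the condition behind the 'No translation group found' message in the question, and exemption sources wider than the split-tunnel list, which is the narrowing the follow-up asks about. The addresses are constructed to match the question's description (192.168.8.0/24 inside, 192.168.10.0/24 as the second subnet, pool 192.168.8.251-254); the /29 destination covering the pool and the /16 entry in the "broad" variant are assumptions made for illustration.

```python
"""Cross-check an ASA 8.x split-tunnel list against the NAT-exemption (nat 0) ACL.

Added example, not the poster's config. Addresses are constructed to match the
question's description; ACL and pool names are the ones in the posted config.
"""
import ipaddress
import re

BASE_CONFIG = """\
ip local pool VPNTest 192.168.8.251-192.168.8.254 mask 255.255.255.0
access-list WWVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
access-list WWVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy WWVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WWVPN_splitTunnelAcl
tunnel-group WWVPN general-attributes
 address-pool VPNTest
"""

# Symptom from the question: only the inside subnet is exempted from NAT (constructed).
CONFIG_MISSING = BASE_CONFIG + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.8.0 255.255.255.0 192.168.8.248 255.255.255.248\n")

# A single /16 exemption covers both subnets but is wider than the split list (constructed).
CONFIG_BROAD = BASE_CONFIG + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.0.0 255.255.0.0 192.168.8.248 255.255.255.248\n")

# One exemption per split-tunnel network, each scoped to the /29 holding the pool.
CONFIG_FIXED = CONFIG_MISSING + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.10.0 255.255.255.0 192.168.8.248 255.255.255.248\n")


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1])), tokens[2:]


def standard_acl(config, name):
    """Networks permitted by a standard ACL (the split-tunnel list)."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(name)} standard permit (.+)$", config, re.M):
        net, _ = _take_addr(m.group(1).split())
        nets.append(net)
    return nets


def extended_ip_acl(config, name):
    """(source, destination) pairs from the 'extended permit ip' lines of an ACL."""
    pairs = []
    for m in re.finditer(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M):
        src, rest = _take_addr(m.group(1).split())
        dst, _ = _take_addr(rest)
        pairs.append((src, dst))
    return pairs


def local_pool(config, name):
    """Every address of an 'ip local pool NAME FIRST-LAST' range."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)", config, re.M)
    first, last = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    return [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]


def check_nat_exemption(config):
    """Return {'uncovered': [...], 'broad': [...]}.

    uncovered: split-tunnel networks for which some pool address has no nat 0
               entry whose source covers the network and whose destination
               covers the address; replies to VPN clients from these networks
               hit the dynamic NAT rule and fail ('No translation group found').
    broad:     nat 0 sources that lie outside every split-tunnel network, i.e.
               exemptions wider than the traffic the tunnel will carry.
    """
    split_name = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M).group(1)
    nat0_name = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M).group(1)
    pool_name = re.search(r"^\s*address-pool (\S+)", config, re.M).group(1)

    split_nets = standard_acl(config, split_name)
    exempt = extended_ip_acl(config, nat0_name)
    pool = local_pool(config, pool_name)

    uncovered = [
        net for net in split_nets
        if not all(any(net.subnet_of(src) and addr in dst for src, dst in exempt)
                   for addr in pool)
    ]
    broad = [src for src, _ in exempt
             if not any(src.subnet_of(net) for net in split_nets)]
    return {"uncovered": uncovered, "broad": broad}


if __name__ == "__main__":
    for label, cfg in (("missing", CONFIG_MISSING), ("broad", CONFIG_BROAD), ("fixed", CONFIG_FIXED)):
        print(label, check_nat_exemption(cfg))
```

Run against the "missing" variant it lists 192.168.10.0/24 as uncovered, which is the question's situation; the "broad" variant passes the coverage check but flags the /16 source; the "fixed" variant, one exemption per split-tunnel network, reports nothing. The checker deliberately requires each split-tunnel network to sit entirely inside an exemption source, so a partially overlapping entry is reported rather than silently accepted.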