Need LAN access through Cisco VPN Remote client connected to Cisco ASA 5505

Posted on 2009-03-30
Last Modified: 2012-06-22
I inherited a customer who has a Cisco ASA 5505 as their sole firewall.  I did not change the basic configuration of it.  Using ASDM 6.0 and version 5 of the Cisco VPN client, I'm trying to establish full network connectivity from a remote computer to network resources inside the LAN.  I have used the wizard and followed these directions ( completely.  The VPN policy connects without issue, but I cannot ping any resources within my LAN, including the inside of the 5505 itself.  Ping does work inside on these resources.  I'm using a Sprint Mobile Broadband card for Internet access, so there shouldn't be any "ipsec passthrough" issues on the client side.

I've copied my running config and changed any private information, such as domain names and IP addresses.  What is missing that is blocking connectivity?

I know only the basics when it comes to Cisco IOS configuration...I'm much more familiar with NetScreen, SonicWall, Linksys, etc.  So go easy on me please.  I can certainly enter commands via command line if instructed.  

I also haven't posted a question on EE in several years, so let me know if I'm doing something wrong.  Thanks in advance.

: Saved

ASA Version 8.0(2)

hostname ASA5505

enable password --------------- encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd ------------ encrypted
banner login This is a Private network and is intended only for authorized use.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS

object-group network outside_block_ads_01
 description doubleclick akamai etc bandwidth wasters

access-list outside_access_in remark Stop ADS sites
access-list outside_access_in extended deny ip inactive
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list CustomVPN-tunnel_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
pager lines 24
logging enable
logging asdm informational
logging from-address
logging recipient-address level errors
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface https https netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
http server enable
http inside
http outside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Login AAA LOCAL on ASA5505
auth-prompt accept Welcome VPN user
auth-prompt reject Password rejected
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 15
management-access inside
dhcpd lease 86400
dhcpd domain
dhcpd update dns
dhcpd option 4 ip

dhcpd address inside
dhcpd dns interface inside
dhcpd lease 86400 interface inside
dhcpd domain interface inside
dhcpd update dns interface inside
dhcpd option 4 ip interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
tftp-server inside /ciscoasa5505.cfg

 port 444
 dtls port 444
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value
username michael password ------------- encrypted privilege 0
username michael attributes
 vpn-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel type remote-access
tunnel-group CustomVPN-tunnel general-attributes
 address-pool RemoteClientPool
 default-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group OldVpnGroup

prompt hostname context

: end

asdm image disk0:/asdm-602.bin
no asdm history enable


Question by:brown705

Expert Comment

ID: 24027095

We had a similar problem connecting the Cisco VPN Client to an ASA 5505.

After a lot of messing about we worked out that it was neither the client nor the ASA with the problem, but the Netgear DG834 we had providing the ADSL connection.

Versions 1, 2 and 3 of the DG834 had similar results, but when we tried V4 it worked absolutely fine.  All DG834s were updated to the latest firmware.

Just throwing it out there.

Expert Comment

ID: 24027118
You do not have split tunneling configured, so all your local traffic is routed through the VPN tunnel. You can enable split tunneling by defining specific subnets for which you want to allow access through the tunnel, or if your policy is not to allow split tunneling you can enable local access. I am attaching a doc explaining local access.

Accepted Solution

mitrushi earned 250 total points
ID: 24027196
By the way, you have an ACL defining split tunneling in your config, but it is not applied:
access-list CustomVPN-tunnel_splitTunnelAcl standard permit
If you want to enable split tunneling you can apply this list:

group-policy CustomVPN-tunnel attributes
  split-tunnel-network-list value CustomVPN-tunnel_splitTunnelAcl

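The two comments above describe the same class of gap: a `group-policy` set to `split-tunnel-policy tunnelspecified` with `split-tunnel-network-list none`, so the split ACL that exists in the config is never applied, and the client tunnels everything. As an added example (not code from the question, the answers, or Cisco), the Python lint below reads an ASA 8.x running-config as text and flags that condition, a network list that names an ACL which is not defined, a `_splitTunnelAcl` that no group-policy references, and a missing `nat ... 0` identity-NAT exemption (the `nat (inside) 0 access-list` line in the posted config, which VPN return traffic depends on). The sample config embedded in the block is constructed with documentation addresses, and the line-based parser relies on the ASA convention that sub-commands are indented by one space; that parser is an assumption of this example, not a Cisco API.

```python
import re

# Constructed sample (not the question's config): a trimmed ASA 8.0-style
# running-config using RFC 5737 documentation addresses as placeholders.
SAMPLE_CONFIG = """\
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 192.0.2.0 255.255.255.0
access-list Orphan_splitTunnelAcl standard permit 192.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
group-policy Fixed-tunnel attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CustomVPN-tunnel_splitTunnelAcl
group-policy Dangling-tunnel attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NoSuchAcl
"""


def parse_group_policies(config_text):
    """Map each 'group-policy NAME attributes' block to its indented
    attribute lines, keyed by the first word of the attribute. Assumes the
    ASA convention that sub-commands are indented by one space."""
    policies = {}
    current = None
    for line in config_text.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
        else:
            current = None  # any non-indented line ends the block
    return policies


def defined_acls(config_text):
    """Names of every access-list defined anywhere in the config."""
    return set(re.findall(r"^access-list (\S+) ", config_text, re.M))


def has_nat_exemption(config_text):
    """True if an identity NAT ('nat (IFACE) 0 access-list ...') is present."""
    return re.search(r"^nat \(\S+\) 0 access-list \S+", config_text, re.M) is not None


def lint_split_tunnel(config_text):
    """Return a list of (subject, finding) tuples; empty means no issues found."""
    findings = []
    acls = defined_acls(config_text)
    referenced = set()
    for name, attrs in parse_group_policies(config_text).items():
        if attrs.get("split-tunnel-policy") != "tunnelspecified":
            continue  # tunnelall / excludespecified are out of scope here
        netlist = attrs.get("split-tunnel-network-list", "none")
        if netlist == "none":
            findings.append((name, "split-tunnel-policy tunnelspecified but "
                             "split-tunnel-network-list is none: no split ACL is applied"))
            continue
        acl = netlist.split()[-1]  # 'value ACLNAME' -> ACLNAME
        referenced.add(acl)
        if acl not in acls:
            findings.append((name, f"split-tunnel-network-list references undefined ACL {acl}"))
    # An ACL named like a wizard-generated split list that nothing applies.
    for acl in sorted(acls):
        if acl.endswith("_splitTunnelAcl") and acl not in referenced:
            findings.append((acl, "split-tunnel ACL is defined but not applied by any group-policy"))
    if not has_nat_exemption(config_text):
        findings.append(("nat", "no nat 0 (identity NAT) exemption found for VPN return traffic"))
    return findings


if __name__ == "__main__":
    for subject, finding in lint_split_tunnel(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

Run against the sample, the lint reports `CustomVPN-tunnel` (the exact state of the posted config), `Dangling-tunnel` (undefined ACL) and `Orphan_splitTunnelAcl` (defined, never applied); `Fixed-tunnel`, which carries the `split-tunnel-network-list value ...` line from the accepted answer, is clean. Feed it the output of `show running-config` to check a live box before and after applying the change.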

Author Closing Comment

ID: 31564687

Thanks for your help.  I think I activated the split tunneling within the ASDM after I copied the running config.  Enabling that policy did indeed allow local LAN and Internet access with the tunnel connected.  As far as accessing remote resources over the VPN, it works now...and I didn't really change anything other than restarting the client computer again.  I awarded the points to you because of the helpful comments you made about activating the split tunneling.  Thanks.
