Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Cisco ASA 5505 VPN won't allow access to inside network

Posted on 2009-04-12
Medium Priority
Last Modified: 2012-05-06
We have a small business server that we are using a Cisco ASA 5505 with. We have the ASA authenticating with the SBS 2003 server. Problem we are running into is that we can't talk to the inside network after the VPN authenticates. It will prompt for username and password, authenticate and then won't allow internal access. Thought the isakmp nat traversal part would fix it, but that didn't seem to help.

Thanks in advance. Show run is below.
ASA Version 7.2(3)
hostname ciscoasa
domain-name asa.******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.*****.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list RemoteAccess_splitTunnelAcl standard permit 255.255.255
access-list inside_nat0_outbound extended permit ip 19
access-list inside_nat0_outbound extended permit ip any 255.255.255
access-list RemoteVPN_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNdhcp mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsAuth protocol nt
aaa-server WindowsAuth host
 timeout 5
 nt-auth-domain-controller server
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns X.X.X.X interface inside
dhcpd domain ******.local interface inside
dhcpd enable inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username user1 password KjQCkgbGUCMRig8J encrypted privilege 15
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNdhcp
 authentication-server-group WindowsAuth
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
: end

Open in new window

Question by:K6465
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 13

Expert Comment

ID: 24127960
If you ping some part of your inside address range, how far can you get? At least to the inside interface of the ASA?

I am not as experienced with ASA's as some of the guys here, but am going to take a stab at it being one (if not both) of the following:
1) Security level traffic flow. Traffic cannot flow upwards in security level unless permitted to do so. You'll need to setup ACLs for this.
2) There is no default gateway specified for 'tunneled' users. IE: ip route <next hop> tunneled

Expert Comment

by:Ilir Mitrushi
ID: 24128589
remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically. You can use the packet tracer to identify where the traffic flow is broken and why.
LVL 79

Expert Comment

ID: 24129289
>remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically.
This is not true. You need to keep the nat (inside) 0 command.

Since your internal network is 192.168.1.x  you could have an ip address overlap. What is the LAN IP address of the client? 90% chance it is also Highly suggest changing the inside network on the ASA if you are going to be supporting many VPN clients.

Expert Comment

ID: 24147995
hey there,

according to your config here's what you have to do:

add these access-lists:

access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list RemoteVPN_splitTunnelAcl standard permit

remove these Access-lists after making sure the new ones were created:

no access-list inside_nat0_outbound extended permit ip
no access-list inside_nat0_outbound extended permit ip any
no access-list RemoteVPN_splitTunnelAcl standard permit any

Accepted Solution

K6465 earned 0 total points
ID: 24238627
Adding this line ended up fixing the issue.

crypto isakmp nat-traversal  20

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question