Cisco ASA 5505 VPN won't allow access to inside network

Posted on 2009-04-12
Last Modified: 2012-05-06
We have a small business server that we are using a Cisco ASA 5505 with. We have the ASA authenticating with the SBS 2003 server. The problem we are running into is that we can't talk to the inside network after the VPN authenticates. It will prompt for username and password, authenticate, and then won't allow internal access. Thought the isakmp nat traversal part would fix it, but that didn't seem to help.

Thanks in advance. Show run is below.
ASA Version 7.2(3)

hostname ciscoasa
domain-name asa.******.local
enable password 8Ry2YjIyt7RRXU24 encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.*****.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list RemoteAccess_splitTunnelAcl standard permit 255.255.255

access-list inside_nat0_outbound extended permit ip 19
access-list inside_nat0_outbound extended permit ip any 255.255.255

access-list RemoteVPN_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNdhcp mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsAuth protocol nt
aaa-server WindowsAuth host
 timeout 5
 nt-auth-domain-controller server
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd dns X.X.X.X interface inside
dhcpd domain ******.local interface inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username user1 password KjQCkgbGUCMRig8J encrypted privilege 15
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNdhcp
 authentication-server-group WindowsAuth
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
prompt hostname context

: end



Question by:K6465

Expert Comment

ID: 24127960
If you ping some part of your inside address range, how far can you get? At least to the inside interface of the ASA?

I am not as experienced with ASA's as some of the guys here, but am going to take a stab at it being one (if not both) of the following:
1) Security level traffic flow. Traffic cannot flow upwards in security level unless permitted to do so. You'll need to set up ACLs for this.
2) There is no default gateway specified for 'tunneled' users, i.e.: ip route <next hop> tunneled

Expert Comment

ID: 24128589
remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically. You can use the packet tracer to identify where the traffic flow is broken and why.

Expert Comment

ID: 24129289
>remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically.
This is not true. You need to keep the nat (inside) 0 command.

Since your internal network is 192.168.1.x you could have an IP address overlap. What is the LAN IP address of the client? 90% chance it is also Highly suggest changing the inside network on the ASA if you are going to be supporting many VPN clients.

Expert Comment

ID: 24147995
hey there,

according to your config here's what you have to do:

add these access-lists:

access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list RemoteVPN_splitTunnelAcl standard permit

remove these Access-lists after making sure the new ones were created:

no access-list inside_nat0_outbound extended permit ip
no access-list inside_nat0_outbound extended permit ip any
no access-list RemoteVPN_splitTunnelAcl standard permit any

Accepted Solution

K6465 earned 0 total points
ID: 24238627
Adding this line ended up fixing the issue.

crypto isakmp nat-traversal  20
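The three conditions the replies in this thread point at (the VPN pool being covered by the nat (inside) 0 exemption ACL, NAT traversal being enabled, and the remote client's own LAN overlapping the ASA inside subnet) can be checked mechanically before touching the box. The script below is an added example written for this page, not code from the thread or from Cisco; it parses a constructed ASA 7.2-style running-config fragment (`SAMPLE_CONFIG`, with invented RFC 1918 addresses) and reports which conditions hold. All function names are mine, and the parser only understands the line shapes shown in the sample.

```python
import ipaddress
import re

# Constructed ASA-style running-config fragment (not the poster's config; the
# addresses are invented RFC 1918 values chosen to exercise each check).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
ip local pool VPNdhcp 192.168.1.65-192.168.1.126 mask 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp enable outside
"""


def parse_inside_network(config):
    """Subnet of the interface whose nameif is 'inside', from its 'ip address A M' line."""
    in_inside = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_inside = False
        elif line.strip() == "nameif inside":
            in_inside = True
        elif in_inside:
            m = re.match(r"\s*ip address (\S+) (\S+)", line)
            if m:
                return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def parse_vpn_pools(config):
    """Map pool name -> (first, last) address from 'ip local pool NAME A-B mask M'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def _take_endpoint(tokens):
    """Consume one ACL endpoint: 'any' -> None, or 'addr mask' -> network."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def nat_exempt_destinations(config):
    """Destination networks of the ACL bound by 'nat (inside) 0 access-list'.
    Returns None when no such nat statement exists; a None entry means 'any'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return None
    acl = re.escape(m.group(1))
    dests = []
    for e in re.finditer(rf"^access-list {acl} extended permit ip (.+)$", config, re.M):
        _src, rest = _take_endpoint(e.group(1).split())
        dst, _ = _take_endpoint(rest)
        dests.append(dst)
    return dests


def pools_exempt_from_nat(config):
    """True when every VPN pool range sits inside some NAT-exempt destination."""
    dests = nat_exempt_destinations(config)
    pools = parse_vpn_pools(config)
    if dests is None or not pools:
        return False
    return all(any(d is None or (lo in d and hi in d) for d in dests)
               for lo, hi in pools.values())


def has_nat_traversal(config):
    """True when 'crypto isakmp nat-traversal [keepalive]' is configured."""
    return re.search(r"^crypto isakmp nat-traversal\b", config, re.M) is not None


def client_lan_overlaps_inside(config, client_lan_cidr):
    """True when the remote client's own LAN overlaps the ASA inside subnet."""
    inside = parse_inside_network(config)
    return inside is not None and inside.overlaps(ipaddress.ip_network(client_lan_cidr))


def audit(config, client_lan_cidr):
    """Human-readable findings for the three conditions discussed in the thread."""
    findings = []
    if not has_nat_traversal(config):
        findings.append("crypto isakmp nat-traversal is not enabled")
    if not pools_exempt_from_nat(config):
        findings.append("VPN pool is not covered by the nat (inside) 0 exemption ACL")
    if client_lan_overlaps_inside(config, client_lan_cidr):
        findings.append(f"client LAN {client_lan_cidr} overlaps the inside subnet")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample with a client whose home LAN is also 192.168.1.0/24.
    for f in audit(SAMPLE_CONFIG, "192.168.1.0/24"):
        print("FINDING:", f)
```

Run it against a real `show run` saved to a file and pass the remote user's home subnet as the second argument to `audit`; the sample deliberately omits the nat-traversal line so the first finding fires, and the overlap check reproduces the situation the 192.168.1.x comment warns about.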
