remote access VPN users

Posted on 2009-04-24
Last Modified: 2012-05-06
I'm having users starting to call in saying that their Cisco VPN client connects, but they cannot get anywhere once connected. I have verified that they are connected, but they can't get to anything on the network. Below is my config pertaining to the remote access VPN.

access-list nonat-vpn extended permit ip any DTVPN

access-list split-tunnel extended permit ip DTVPN

ip local pool Remote-Access mask

aaa-server remoteaccess protocol nt
 max-failed-attempts 5
aaa-server remoteaccess host kdc02
 nt-auth-domain-controller kdc02

crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
crypto dynamic-map remote-access 20 set transform-set vpn-3des
crypto dynamic-map remote-access 20 set reverse-route

group-policy DTVPN internal
group-policy DTVPN attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 120
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value

tunnel-group DTVPN type remote-access
tunnel-group DTVPN general-attributes
 address-pool Remote-Access
 authentication-server-group remoteaccess
 default-group-policy DTVPN
tunnel-group DTVPN ipsec-attributes
 pre-shared-key *

Question by: dtadmin

    Expert Comment

    What is the definition of the name DTVPN, in terms of your access-lists?

    You may have a NAT-T issue, try with:

    isak nat-t 20

    Author Comment

    That is the "name" of my VPN group. The subnet is "".

    Expert Comment

    How are you checking connectivity? "SHOW IPSEC SA"? If yes, then let's start with the basics.

    1) Have you made any modifications that coincide with the reported lack of connectivity?  Any new devices?
    2) Is the remote user getting an IP assigned from the IP pool?
    3) Can the remote user access via ICMP or even a telnet any host on the inside?  
    4) Attempt Step 2 and then watch the logging for dropped packets (ASDM console log or in a syslog).  

    Author Comment

    I am checking connectivity by both ASDM and "sh vpn-sessiondb remote".

    The remote user is getting an IP from the correct pool.

    The remote user is unable to ping or access anything on the inside.

    I have added the isakmp nat-t 20. Let me see if that helps at all.

    Accepted Solution

    Use this command in the "reverse-route"
    crypto dynamic-map vpndynmap 1
    set transform-set 3DES-SHA

    Hope this helps
