remote access VPN users

Posted on 2009-04-24
Medium Priority
Last Modified: 2012-05-06
I'm having users starting to call in saying that their cisco vpn client connects, but they cannot get anywhere once connected. I have verified that they are connected, but they can't get to anything on the network. below is my config pertaining to the remote access vpn.

access-list nonat-vpn extended permit ip any DTVPN

access-list split-tunnel extended permit ip DTVPN

ip local pool Remote-Access mask

aaa-server remoteaccess protocol nt
 max-failed-attempts 5
aaa-server remoteaccess host kdc02
 nt-auth-domain-controller kdc02

crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
crypto dynamic-map remote-access 20 set transform-set vpn-3des
crypto dynamic-map remote-access 20 set reverse-route

group-policy DTVPN internal
group-policy DTVPN attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 120
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value ad.davey-tree.com

tunnel-group DTVPN type remote-access
tunnel-group DTVPN general-attributes
 address-pool Remote-Access
 authentication-server-group remoteaccess
 default-group-policy DTVPN
tunnel-group DTVPN ipsec-attributes
 pre-shared-key *

Question by:dtadmin
LVL 15

Expert Comment

ID: 24227655
What is the definition of the name DTVPN, in terms of your access-lists?

You may have a NAT-T issue, try with:

isak nat-t 20

Author Comment

ID: 24227681
that is the "name" of my vpn group. The subnet is "".
LVL 33

Expert Comment

ID: 24227708
How are you checking connectivity?    "SHOW IPSEC SA" ?         If yes, then lets start with the basics.  

1) Have you made any modifications that coincide with the reported lack of connectivity?  Any new devices?
2) Is the remote user getting an ip assigned from the IP pool?
3) Can the remote user access via ICMP or even a telnet any host on the inside?  
4) Attempt Step 2 and then watch the logging for dropped packets (ASDM console log or in a syslog).  

Author Comment

ID: 24227749
I am checking connectivity by both ASDM and "sh vpn-sessiondb remote".

The remote user is getting an ip from the correct pool

the remote user is unable to ping or access anything on the inside.

I have added the isakmp nat-t 20. Let me see if that helps at all.

Accepted Solution

nasirsh earned 2000 total points
ID: 24227974
Use this command in the "reverse-route"
crypto dynamic-map vpndynmap 1
set transform-set 3DES-SHA

Hope this helps

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question