ASA 5505 VPN Client with 3560

Posted on 2010-09-15
Last Modified: 2012-06-22
I have three gateways on my corporate LAN, and have been using local ROUTE statements to allow access to the various connected subnets.  To simplify my life, I have added a Cisco 3560 to take care of the routing to the gateways.  All client computers will use the 3560 as their default gateway, and have no extra ROUTE statements.  The 3560 will be connected to each gateway by a /30 subnet (I'm using a /29 for testing).

Here is my test setup:

(Cisco VPN Clients) <----> (Internet) <----> (ASA 5505 : inside- <----> (vlan2- : Cisco 3560 : vlan5- <----> Client Computers

There is a DNS server on, and a PC on
The VPN Client profile assigns an address from Test-Pool (10.50.215-
I am PATting to the inside interface.
I am allowing split-tunneling to and

With this config, I can connect to everything on the subnet.  How do I now allow access to the subnet?

: Saved
ASA Version 8.2(1) 
hostname ma-asa5505-01
domain-name test.local
enable password xxx encrypted
passwd xxx encrypted
name VPN-Client-Subnet description VPN Clients
name A- description test LAN
name A- description ASA 5505 to 3560
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address w.x.y.z
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name test.local
object-group network MA-VPN-Access-Subnets
 network-object A-
 network-object A-
access-list MA-Test_splitTunnelAcl standard permit A- 
access-list MA-Test_splitTunnelAcl standard permit A- 
access-list inside_nat0_outbound extended permit ip A- 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Test-Pool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (outside) 10 VPN-Client-Subnet outside
route outside 1
route inside A- 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WinNTAuth protocol nt
aaa-server WinNTAuth (inside) host
aaa-server Win2K8-RADIUS protocol radius
aaa-server Win2K8-RADIUS (inside) host
 key xxx
 radius-common-pw xxx
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa local authentication attempts max-fail 3
http server enable
http A- inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet A- inside
telnet timeout 5
ssh A- inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address inside
dhcpd dns interface inside
dhcpd lease 86400 interface inside
dhcpd domain test.local interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 banner value Welcome to test.
 banner value 
 banner value Access is permitted by authorized users only.  All access is monitored and logged.  Any unauthorized use of this connection will be prosecuted to the fullest extent of the law.
 dns-server value
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec 
 default-domain value test.local
  url-list value MA-Internal
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc ask enable default webvpn timeout 7
  customization value DfltCustomization
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
  svc keep-installer installed
group-policy MA-Test internal
group-policy MA-Test attributes
 dns-server value
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value test.local
username bob password xxx encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group Win2K8-RADIUS
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Win2K8-RADIUS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias AnyConnect enable
tunnel-group MA-Test type remote-access
tunnel-group MA-Test general-attributes
 address-pool Test-Pool
 default-group-policy MA-Test
tunnel-group MA-Test ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 

: end
asdm image disk0:/asdm-621.bin
asdm location VPN-Client-Subnet inside
no asdm history enable


Question by:LimeRidge29

Accepted Solution

mpickreign earned 250 total points
ID: 33686739
It looks like you pretty much have it; you just have to disable NAT on the return traffic from the A- subnet.

Add this line.

access-list inside_nat0_outbound extended permit ip A-
pager lines 24

Save the config and clear the translation table. (clear xlate)
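
Added example, not part of the thread: a small Python check for the mismatch mpickreign points out, listing every subnet permitted by the split-tunnel ACL that has no matching NAT-exemption (nat 0) entry towards the VPN pool. The addresses in the sample config are constructed, since the page omits the real ones.

```python
import ipaddress
import re

# Constructed ASA 8.2 config fragment (placeholder addresses, not the asker's):
# two LAN subnets are split-tunnelled, but only the first is NAT-exempt
# towards the VPN client pool, so return traffic from the second gets PATed.
SAMPLE_CONFIG = """
ip local pool Test-Pool 10.50.215.1-10.50.215.50 mask 255.255.255.0
access-list MA-Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list MA-Test_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.50.215.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# The line the accepted answer adds, for the second subnet.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.2.0 255.255.255.0 10.50.215.0 255.255.255.0\n"
)

STD_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
EXT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acl_networks(config, acl_name):
    """Return (source_net, dest_net_or_None) for each permit ACE of acl_name."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STD_RE.match(line)
        if m and m.group(1) == acl_name:
            entries.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), None))
            continue
        m = EXT_RE.match(line)
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            entries.append((src, dst))
    return entries


def missing_nat_exemptions(config, split_acl, nat0_acl, pool_net):
    """Split-tunnel subnets whose traffic back to pool_net is not NAT-exempt."""
    pool = ipaddress.ip_network(pool_net)
    exempt = [(s, d) for s, d in parse_acl_networks(config, nat0_acl) if d is not None]
    missing = []
    for lan, _ in parse_acl_networks(config, split_acl):
        # A nat 0 ACE covers the subnet if both its source and destination contain ours.
        if not any(lan.subnet_of(s) and pool.subnet_of(d) for s, d in exempt):
            missing.append(str(lan))
    return missing


if __name__ == "__main__":
    print(missing_nat_exemptions(SAMPLE_CONFIG, "MA-Test_splitTunnelAcl",
                                 "inside_nat0_outbound", "10.50.215.0/24"))
```

Running it against the fixed config returns an empty list, which is the state the accepted answer leaves the ASA in before `clear xlate`.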

Author Comment

ID: 33687484
Thank you, mpickreign!  I have only just joined EE today, and your solution has made it worthwhile already.

I can access the subnet now, but only a few addresses.  When I posted the question, I was testing the VPN Client from the office, via an AT&T broadband adapter.  Now I am at home accessing a Windows box via RDC from a Mac, both behind a PIX 515.  I'll have to test further tomorrow.  I should be OK from here.  Thanks again.

Expert Comment

ID: 33687834
You may need to enable nat traversal on the ASA.

crypto isakmp nat-traversal 120

Author Comment

ID: 33690214
Simple answer -- only the few devices in my test setup are using as their DG.  All is well now.
