Cisco ASA VPN Probs

I'm having a problem getting my little 5505 to pass VPN traffic into my internal network.  Currently I'm authenticating successfully with the ASA using a Win7 Cisco client ( and the firewall rule shows permit for VPN-Clients in ADSM.  My network is as follows:

- 69.x (Primary Internet)
- 65.x (Backup Internet T1)

- ASA - Both Internet Interfaces above and Internal 10.x network, which tosses to Our 3750 core switch (total of three active interfaces)

- Core 3750 switch routes all traffic out the ASA through a single connection

So I'm connecting in through the primary internet connection using the client on Win7 x64 (I've even tried on an XP client before).  The firewall rule is permitting me through the ASA, I'm getting an IP in the VPN Pool.  I can't ping my router (which should be the 3750 switch), but I figured ICMP may be disabled by default.  I only have one nat rule in place and simple static routes on everything.  I still can't reach anything, ssh, RDP, etc.

Where do I go from here?  How do I get myself on the internal network for RDP purposes?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

can you post the config of Cisco ASA...
is VPN pool ip subnet routed in internal network...
blunted1Author Commented:
The config is as follows on the 5505...  I'll follow up shortly with a quick diagram of the network.  I'm very close, but close isn't good enough :-)

ASA Version 8.2(1)
hostname gatekeeper
name VPN-Clients
interface Vlan2
 backup interface Vlan3
 nameif outside-XXX
 security-level 0
 ip address 69.XXX.XXX.XXX
interface Vlan3
 nameif outside-XXX
 security-level 1
 ip address 65.XXX.XXX.XXX
interface Vlan254
 nameif inside
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 254
 speed 100
 duplex full
interface Ethernet0/2
 switchport access vlan 3
 speed 100
 duplex full
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside-XXX
dns domain-lookup outside-XXX
dns domain-lookup inside
dns server-group DefaultDNS
access-list 10 standard permit
access-list 10 standard deny any
access-list inbound extended permit ip any any
access-list outside-XXX_access_in extended permit ip VPN-Clients any
pager lines 24
logging enable
logging asdm informational
mtu outside-XXX 1500
mtu outside-XXX 1500
mtu inside 1500
ip local pool XXX-VPN mask
ip local pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside-XXX) 20 interface
global (outside-XXX) 10 interface
nat (inside) 20
access-group outside-XXX_access_in in interface outside-XXX
router eigrp 1
 no auto-summary
 network 65.XXX.XXX.XXX
route outside-XXX 69.XXX.XXX.XXX 1
route outside-XXX 65.XXX.XXX.XXX 20
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside-XXX_access_in
http server enable
http inside
snmp-server host inside community XXXXX
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
 enable outside-XXX
group-policy XXX-Remote internal
group-policy XXX-Remote attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value
 address-pools value XXX-VPN

tunnel-group XXX-Remote type remote-access
tunnel-group XXX-Remote general-attributes
 address-pool XXX-VPN
 default-group-policy XXX-Remote
tunnel-group XXX-Remote ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
blunted1Author Commented:
Here is a quick overview of the network in question.  The VPN clients come in on 10.10.20.x and are unable to reach clients on 10.10.1.x/24 client subnet.

Where am I going wrong here?


HTML5 and CSS3 Fundamentals

Build a website from the ground up by first learning the fundamentals of HTML5 and CSS3, the two popular programming languages used to present content online. HTML deals with fonts, colors, graphics, and hyperlinks, while CSS describes how HTML elements are to be displayed.

You need a NoNAT rule for the VPN subnet traffic.
access-llist nonat permit ip
access-llist nonat permit ip
access-llist nonat permit ip
access-llist nonat permit ip
access-llist nonat permit ip
nat (inside) 0 access-list NoNAT

  <ip local pool XXX-VPN mask>
and you have the 10.10.20.x network split up. Your pool is using yet you say the inside 3750 router is also and you have the network in between. So if you want to ping, you need a host route
route inside 1

THis is doing nothing since it is not applied by an access group statement.
access-list inbound extended permit ip any any

And in order to ping to/from the ASA to the router, you'll need this:
icmp permit10.0.0.0 inside

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
blunted1Author Commented:

Ok, so let me get this straight...

1.  I need the NoNAT statement for my 10.10.20.x network

2.  I should remove the vlan for 10.10.20.x from my core switch, I can only ping the when I have host plugged into a port that has that vlan anyway

3.  Put a route in place on the ASA route inside 1, so I can ping the host.

4.  Add the ICMP permit line to allow ping traffic.

Did I understand you correctly? The main thing I was missing was the NoNAT statement for traffic to flow properly, right?

Whoops, let me retype that no nat rule:
nat (inside) 0 access-list nonat
right. and if you do your number 2, you dont need #3, cause now you'll probably be pinging or one of the other vlan IP's
blunted1Author Commented:
I updated the config this afternoon and have been successfully connected for hours now.  Works like a charm, thanks!

blunted1Author Commented:
Right on point
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.