

Cisco VPN IPSEC Remote access

flowit asked
Medium Priority
Last Modified: 2012-06-27
Hi Experts
I have setup a VPN to enable users to connect from home using the Cisco client.
The VPN works fine and users can connect to all devices on the LAN behind the cisco ASA 5510.
One problem I have found is users cannot connect to a separate subnet which is another branch office that has a site-to-site VPN link. I want to be able to access the network drives at this LAN/Subnet there's is and the main site is

Do I need to add a route or alter the VPN settings etc.?


Hi flowit.

If you have a split tunnel configured you need to verify that exists in your split tunnel ACL and will also need to verify that the remote VPN client pool exists in the site-to-site VPNs encryption domain. You will also need the command "same-security-traffic permit inter-interface" which will allow same security traffic to route in and out the same interface - in this case the outside interface.

Hope this helps.



Can you let me know a couple of things.
I don't have command access to the box; I am connected using ASDM.
I created the VPN remote access using the wizard; in the wizard I enabled split DNS and showed the inside network. Where would I find that setting in the ASDM?
Also I ticked the box "bypass access rules for users" etc., so I have no manual ACL to edit.

Is this wrong to do this?


I don't have much experience with the ASDM and always remove it from the Firewalls I deploy, so can't help you with the ASDM unfortunately - perhaps someone else can help you with the ASDM.

If you post your config (remember to remove sensitive information) I should be able to take a look and let you know what is missing.


Hi Andrewis
Here is my config, please help.

: Saved
ASA Version 8.2(1)
hostname FSWE-ASA001
domain-name fl*******.local
enable password * encrypted
passwd *
name swedvpngw
name swedvpngw-public
name insidenetwork description Inside_Lan
name UK_Lan
name Helsingborg_LAN description Helsingborg_LAN
interface Ethernet0/0
 nameif outside
 security-level 1
 ip address 62.*.*.* 255.255.*.*
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
 domain-name f*.local
dns server-group *
 timeout 30
 domain-name *
dns-group *
same-security-traffic permit inter-interface
object-group network VPN_Pool
 description VPN Pool
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
access-list outside_access_in extended permit tcp any host swedvpngw-public eq https
access-list outside_1_cryptomap extended permit ip Helsingborg_LAN
access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN
access-list inside_nat0_outbound extended permit ip Helsingborg_LAN
access-list inside_nat0_outbound extended permit ip UK_Lan
access-list inside_nat0_outbound extended permit ip
access-list outside_2_cryptomap extended permit ip UK_Lan
access-list flowvpnusers_splitTunnelAcl standard permit
access-list flowvpnusers_splitTunnelAcl standard permit Helsingborg_LAN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DHCP_Pool mask
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 dns
static (inside,outside) swedvpngw-public swedvpngw netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_server_GRP protocol ldap
aaa-server LDAP_server_GRP (inside) host
 ldap-base-dn dc=*, dc=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password *
 ldap-login-dn *\administrator
 server-type microsoft
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 62.20.*.*
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 62.7.*.*
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy flowvpnusers internal
group-policy flowvpnusers attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value flowvpnusers_splitTunnelAcl
 default-domain value *.local
username admin password * encrypted privilege 15
tunnel-group 62.*.8.* type ipsec-l2l
tunnel-group 62.*.8.* ipsec-attributes
 pre-shared-key *
tunnel-group 62.*.224.* type ipsec-l2l
tunnel-group 62.*.224.* ipsec-attributes
 pre-shared-key *
tunnel-group flowvpnusers type remote-access
tunnel-group flowvpnusers general-attributes
 address-pool DHCP_Pool
 authentication-server-group LDAP_server_GRP
 default-group-policy flowvpnusers
tunnel-group flowvpnusers ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-621.bin
asdm location swedvpngw inside
asdm location swedvpngw-public inside
asdm location insidenetwork inside
asdm location UK_Lan inside
asdm location Helsingborg_LAN inside
no asdm history enable

Okay, your remote access VPN split tunnel includes the Helsingborg LAN range, so if this is the site you are trying to connect to, this is fine. I also see you have the client VPN range included in your crypto map, so this is also good. You also have "same-security-traffic permit inter-interface".

I would say this config looks good. Has the client VPN range been added into the encryption domain on the other end of the tunnel?


This has not been done.
There is an ASA 5505 at the Helsingborg site.
What do I need to do?

Is it ok to have a route to the Helsingborg LAN?

Thanks for your quick reply

Nope, you won't need a route unless there is a router inside your network that needs to know about the Helsingborg LAN. You won't need anything on the firewall unless you have an overlapping route pointing internally, which you don't.

Your Helsingborg site encryption domain ACL should mirror what you have configured in HQ

For example

access-list outside_1_cryptomap extended permit ip Helsingborg_LAN
access-list outside_1_cryptomap extended permit ip Helsingborg_LAN object-group VPN_Pool

I would personally use instead of the object-group on your encryption domain as it will simplify your config.

I apologise, I didn't realise your VPN Pool was on the same address range as your internal network, so your encryption domain should be okay.

In fact you shouldn't even need this line

access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN

I think what you are trying to do, having your client VPN on the same address range as your internal network, complicates things, as your firewall now has to participate in proxy ARP. I can say I have never configured my client pools on the same range as any internal segments, so I can't comment on how the firewall will treat this.

I would personally change the VPN client range to a unique subnet and make sure it exists in both of the participating encryption domains.

Perhaps someone else reading can comment further?
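A worked version of the change recommended above (a client pool on its own subnet, present in the encryption domain on both ends, in the split-tunnel list, and exempt from NAT), added here as an example and not taken from the thread. All addresses are constructed placeholders; the ACL, pool and name identifiers follow the posted config, and the Helsingborg side is an assumed mirror of the HQ side.

```cisco
! HQ ASA 5510, ASA 8.2 syntax as in the posted config
! Constructed addressing (placeholders, not the poster's real ranges):
!   inside LAN        10.10.10.0/24
!   Helsingborg LAN   10.20.20.0/24
!   VPN client pool   10.99.99.0/24  (a subnet used nowhere else on either LAN)
name 10.10.10.0 insidenetwork description Inside_Lan
name 10.20.20.0 Helsingborg_LAN description Helsingborg_LAN
ip local pool DHCP_Pool 10.99.99.1-10.99.99.254 mask 255.255.255.0
!
! Client traffic arrives on outside and leaves on outside towards the branch,
! so hairpinning on the same interface must be permitted (intra-interface);
! inter-interface, as in the posted config, covers different same-level interfaces
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Split tunnel: push both the HQ LAN and the branch LAN to the client
access-list flowvpnusers_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list flowvpnusers_splitTunnelAcl standard permit 10.20.20.0 255.255.255.0
!
! NAT exemption: inside hosts answering pool addresses must not be PATed by nat (inside) 1
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.99.99.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Site-to-site encryption domain: LAN-to-LAN plus pool-to-branch
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
!
! Helsingborg ASA 5505 (assumed ACL name): the mirror image of the HQ domain,
! branch LAN as source, HQ LAN and client pool as destinations
access-list outside_1_cryptomap extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.20.20.0 255.255.255.0 10.99.99.0 255.255.255.0
!
! Verification on the HQ box: a second pair of SAs for the pool/branch proxy identities
! should appear once a client sends traffic to the branch
show crypto ipsec sa peer <branch-peer-ip>
show vpn-sessiondb remote
```

Both sides' crypto ACLs must match line for line (mirrored) or phase 2 will fail for the pool-to-branch pair even though the LAN-to-LAN pair keeps working.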


I removed this line

access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN

I have changed the DHCP pool to -20 but now I cannot ping anything.
How would my clients now get to 192.168.160 and

Can you use any range for the DHCP?
Do you need a route? How does the client get to the network?

