I am able to authenticate to the remote access VPN but not able to access the inside LAN

Posted on 2011-09-08
Last Modified: 2012-05-12
I configured a remote access VPN on an ASA firewall and am able to authenticate, but I am not able to access the inside network. I am using one more firewall, a Cisco ASA, to protect the inside network. These two firewalls are in the same network. The ASA is the remote access VPN endpoint, and the PIX is a regular firewall; the LAN is behind the PIX.
ASA Version 8.2(1) 
hostname FHFW02
enable password TuoG03LNtol5cyid encrypted
passwd vhSJ2Gjl22YiIWoj encrypted
name ATT-gateway
name fhfw02-ext
name verizonrtr-new
name marketplace-staging
interface Ethernet0/0
 description Out to AT&T ISP
 nameif outside
 security-level 0
 ip address fhfw02-ext 
interface Ethernet0/1
 description inside FHR 10.17.33.x network
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 description inside FHR 10.17.34.x network for users
 nameif inside1
 security-level 100
 ip address 
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
object-group network FHR-inside-33-network
 description FHR network 10.17.33.x
object-group network FHR-inside-34-network
object-group network abc-mex-network
object-group network PAN-network
object-group network CAT-network
 description CAT Servers 
object-group network BXB-network
 description BXB Internal Network
 network-object host
 network-object host
 network-object host
 network-object host
access-list acl-out extended permit icmp any any 
access-list acl-in extended permit icmp any any 
access-list acl-in extended permit ip any any 
access-list acl-in extended permit udp any any eq snmp 
access-list acl-in1 extended permit icmp any any 
access-list acl-voip-out extended permit ip host host 
access-list acl-voip-out extended permit ip host host 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu management 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (inside) 1
nat (inside1) 0 access-list no-nat
nat (inside1) 1
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
route outside ATT-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http inside
snmp-server host inside community Abc
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 1200
crypto ipsec transform-set set2 esp-des esp-md5-hmac 
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
crypto ipsec transform-set set3 esp-aes esp-md5-hmac 
crypto ipsec transform-set set4 esp-3des esp-md5-hmac 
crypto ipsec transform-set set5 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set set4
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto map FHR2 60 ipsec-isakmp dynamic outside_dyn_map
crypto map FHR2 interface outside
crypto ca trustpoint localtrust
 enrollment self
 subject-name CN=sslabcfw.
 keypair m0rd0r
 crl configure
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet inside
telnet inside
telnet inside1
telnet timeout 5
ssh outside
ssh inside
ssh inside1
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
 enable outside
 svc enable
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 default-domain value
username avb password QZTdpUt6Lq39fY7h encrypted privilege 0
username avb attributes
 vpn-group-policy remotevpn
 service-type remote-access
username abc password NYpqubgKNxc6U0bb encrypted privilege 15
pre-shared-key *

tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list acl-voip-out
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map VoicePolicy
 class Voice-OUT
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
: end


Question by:sohoniprachi

Expert Comment

by:Ernie Beek
ID: 36505021
So are the firewalls behind each other, or are they both on the inside connected to the network and each have their own public IP on the outside?

Author Comment

ID: 36505106
They are both on the inside connected to the network and have their own public IPs.

Accepted Solution

Ernie Beek earned 250 total points
ID: 36505427
OK, first thing: you have a NAT exempt using access list nonat. I don't see that defined.
Second, do the machines on your LAN have a route to the VPN range through the ASA?

Expert Comment

ID: 36505837
Create an ACL for nonat:

access-list nonat extended permit ip any


Author Comment

ID: 36505957
I used the following command: sysopt connection permit-ipsec
PIX: IP firewall
ASA: VPN gateway

How should I direct traffic from the ASA to the PIX to get access to the inside network, which is the same network?
I have to go through the PIX, as tunnel traffic will have IP address

Assisted Solution

genie4all earned 250 total points
ID: 36506191
1) You need a nonat ACL on your ASA.

2) The command sysopt connection permit-ipsec is for version 7.0 and earlier; sysopt connection permit-vpn is for 7.1 and later versions. These commands allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.

3) The PIX should permit VPN traffic to your inside LAN.
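The two ASA-side points raised in the accepted answer and in the numbered list above (a NAT exemption that references an ACL which was never defined, and the permit-vpn sysopt) can be checked mechanically before a config is pushed. The script below is an added example written for this page, not code from the thread or from Cisco; it lints a pre-8.3 style ASA running-config for those two defects and, as a general sanity check that goes beyond the thread, also flags a tunnel-group address-pool with no matching ip local pool. The sample configs are constructed: they mirror the posted config's shape (hostname, inside interface, nat (inside) 0 access-list no-nat) but use placeholder addresses (the 192.0.2.0/24 documentation range for the pool). One caveat the check encodes: on the ASA, sysopt connection permit-vpn is enabled by default and does not appear in show running-config; only its explicit negation, no sysopt connection permit-vpn, does, so that negation is what the linter looks for. The other two answer points (the LAN hosts' return route to the VPN range and the PIX allowing pool traffic) live outside the ASA config and are not checked here.

```python
import re

# Constructed sample modelled on the configuration posted in the question
# (ASA 8.2 syntax). It reproduces the two ASA-side defects discussed in the
# thread: the NAT exemption points at an access-list that is never defined,
# and "sysopt connection permit-vpn" has been explicitly disabled. Addresses
# are placeholders (192.0.2.0/24 is a documentation range), not the poster's.
BROKEN_CONFIG = """\
hostname FHFW02
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.17.33.1 255.255.255.0
ip local pool vpnpool 192.0.2.10-192.0.2.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
access-list acl-in extended permit ip any any
access-group acl-in in interface inside
no sysopt connection permit-vpn
tunnel-group testvpn general-attributes
 address-pool vpnpool
"""

# The same configuration with the fixes the thread converges on: the no-nat
# ACL exists and exempts inside <-> pool traffic from NAT, and permit-vpn is
# back at its default (enabled), so the "no ..." line is gone.
FIXED_CONFIG = """\
hostname FHFW02
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.17.33.1 255.255.255.0
ip local pool vpnpool 192.0.2.10-192.0.2.20 mask 255.255.255.0
access-list no-nat extended permit ip 10.17.33.0 255.255.255.0 192.0.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
access-list acl-in extended permit ip any any
access-group acl-in in interface inside
tunnel-group testvpn general-attributes
 address-pool vpnpool
"""

NAT_EXEMPT = re.compile(r"^nat \((?P<iface>\S+)\) 0 access-list (?P<acl>\S+)$")
ACL_DEF = re.compile(r"^access-list (?P<name>\S+) ")
POOL_DEF = re.compile(r"^ip local pool (?P<name>\S+) ")
POOL_REF = re.compile(r"^\s+address-pool (?P<name>\S+)$")
# Only the explicit negation shows up in a running-config; the default is on.
PERMIT_VPN_DISABLED = "no sysopt connection permit-vpn"


def lint_asa_config(text):
    """Return a list of finding strings; an empty list means the checks pass."""
    lines = [line.rstrip() for line in text.splitlines()]
    # Names that other statements may reference.
    acls = {m.group("name") for line in lines if (m := ACL_DEF.match(line))}
    pools = {m.group("name") for line in lines if (m := POOL_DEF.match(line))}
    findings = []
    for line in lines:
        if (m := NAT_EXEMPT.match(line)) and m.group("acl") not in acls:
            findings.append(
                f"nat ({m.group('iface')}) 0 references access-list "
                f"{m.group('acl')}, which is not defined: inside-to-VPN traffic "
                f"is not exempted from NAT"
            )
        if (m := POOL_REF.match(line)) and m.group("name") not in pools:
            findings.append(
                f"address-pool {m.group('name')} has no matching ip local pool"
            )
    if any(line == PERMIT_VPN_DISABLED for line in lines):
        findings.append(
            "sysopt connection permit-vpn is disabled: decrypted VPN traffic is "
            "subject to the interface ACLs and needs explicit permits"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = lint_asa_config(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Running it reports two findings for the broken sample (the undefined no-nat ACL and the disabled permit-vpn) and none for the fixed one. The regexes deliberately match whole statements anchored at the start of the line, so an indented sub-mode line such as the address-pool under tunnel-group is distinguished from a top-level command.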


Author Comment

ID: 36506707
Thank you all.
It's working now. I added the NAT rule on the ASA,
so now the VPN IP is NATed to and I am able to access the inside LAN.

Author Comment

ID: 36508648
I've requested that this question be closed as follows:

Accepted answer: 0 points for sohoniprachi's comment http:/Q_27298185.html#36506707

for the following reason:

It's working now

Expert Comment

by:Ernie Beek
ID: 36508649
Hi sohoniprachi,

As far as I can see you solved this using a solution which several of us posted here. So are you sure you closed this and assigned the points correctly?
Just curious.

Expert Comment

ID: 36509139
I agree with erniebeek.

Expert Comment

by:Ernie Beek
ID: 36512656
I would propose a split between ID: 36505427 and ID: 36506191

Expert Comment

ID: 36512727
Thanks Erniebeek.

Moderator, I agree with Erniebeek.
