• Status: Solved

remote vpn can't access inside network !!!

Dear,
I have 2 questions.

1 -- I'm connected with the Remote VPN client and took this IP, but I want access to a PC inside (I can't reach it; no ping or any protocol works!). Why!!

2 -- How do I let a computer that connects with the Remote VPN client have internet also (able to browse also)?

Note:
From the ASA I can ping this PC.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/2
 nameif inside
 security-level 100
 ip address

ftp mode passive
same-security-traffic permit intra-interface
access-list REMOTE_SALES_NONAT extended permit ip
access-list out extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool REMOTE_SALES_POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list REMOTE_SALES_NONAT
access-group out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto dynamic-map REMOTE_SALES_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map REMOTE_SALES_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet outside
telnet inside
telnet timeout 5

ssh timeout 5
console timeout 0
dhcpd dns
dhcpd address inside
dhcpd enable inside
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
 dns-server value
 vpn-tunnel-protocol IPSec
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
 vpn-group-policy REMOTE_SALES_POLICY
 vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
 address-pool REMOTE_SALES_POOL
 default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
ciscoasa# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
1 Solution
To answer question #2, you will need to enable split tunneling on the firewall,

here's a link to help


I'm not clear on question #1.  Can you or can't you ping the inside machine?
memo12345678 (Author) commented:
I'm on a PC outside the network. When I connect the VPN I take this IP. I want to ping or telnet to a server inside the network which has IP but I can't access this server!!!
memo12345678 (Author) commented:
And this link you sent to me doesn't work; it shows this error in the page. Please check the link that you sent to me.

The Page You Have Requested Is Not Available


I will resend the link shortly.  Do you have a rule that allows access from the 192.168.x.x vlan to the 10.10.4.x vlan?  I don't see one in your configuration.
memo12345678 (Author) commented:
So please, what did I forget to write? Write to me, and write this rule that allows 192.168.x.x access to 10.10.4.x.
access list x permit vlan y vlant any any.  Do you have those subnets defined as VLANs?  It's just a basic ACL.  I don't really see 192.168.2.x defined in your network.  Have you tried defining that as a network object, or setting the VPN DHCP to pull from the same pool?


That should be a good link to show you how to enable split tunneling using ASDM
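
Added example (not part of the original thread and not the poster's configuration): a CLI version of the two fixes discussed above, written in the same pre-8.3 ASA syntax as the posted config and reusing its REMOTE_SALES_NONAT and REMOTE_SALES_POLICY names. Assumptions: 10.10.4.0/24 is the inside network, 192.168.2.0/24 is the VPN address pool, and REMOTE_SALES_SPLIT is a hypothetical ACL name.

```cisco
! Constructed example. Assumed: inside LAN 10.10.4.0/24, VPN pool 192.168.2.0/24.
! REMOTE_SALES_SPLIT is a hypothetical ACL name, not from the thread.

! Question 1: exempt inside-to-pool traffic from NAT so that replies from
! inside hosts to VPN clients are not translated on the way back.
! Source is the inside LAN, destination is the VPN pool.
access-list REMOTE_SALES_NONAT extended permit ip 10.10.4.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list REMOTE_SALES_NONAT

! Question 2: split tunneling. Only the networks listed in this standard
! ACL are sent through the tunnel; all other client traffic leaves through
! the client's own internet connection.
access-list REMOTE_SALES_SPLIT standard permit 10.10.4.0 255.255.255.0
group-policy REMOTE_SALES_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE_SALES_SPLIT

! Check (exec mode) after reconnecting the client and pinging the inside
! server: both the encaps and decaps packet counters should increase.
show crypto ipsec sa
```

Keep the split-tunnel ACL limited to the internal networks the clients actually need: with `tunnelspecified`, all other client traffic bypasses the ASA and its inspection policy.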