ASA5510 remote VPN and local subnets

Posted on 2011-10-10
Last Modified: 2012-06-21
I've been working on a project with an ASA5510. What I wanted to do is give myself remote access to the environment without having to drive all the way to the cabinet. That being said, I'm not a network wonk, I know how to route my way out of a paper bag but that's about it.

Here is the network breakdown:

ASA management 0/0 - /24
ASA Ethernet 0/0 - 72.x.x.x
ASA Ethernet 0/1 -

Layer2 switch is, default route

I've successfully configured the AnyConnect profile/groups, etc. I can ping the gateway but I can't ping anything else on the management network. An example would be the ILO port for my IBM server:, it has been configured with the static IP address, and uses a the default route. While I'm connected to the management vlan (locally), I can ping and access any of the hosts (HTTP and HTTPS) on that subnet but I can't do the same remotely.

My edited running config is below. Any suggestions?

: Saved
: Written by enable_15 at 11:25:58.764 UTC Mon Oct 10 2011
ASA Version 8.4(2) 
hostname core-0
domain-name mine.pvt
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
name 72.x.x.x outside-gateway
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 72.x.x.x 
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 duplex full
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup management
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name mine.pvt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-network
object network outside-gateway
 host 72.x.x.x
object-group network inside0-nat0
 network-object object vpn-network
object-group network NET-inside0
object-group network management0
access-list outside_access_in extended permit ip any any 
access-list management_access_in extended permit ip any any 
access-list global_access extended permit ip any any 
access-list acl_split-tunnel standard permit 
access-list acl_split-tunnel standard permit 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool mine_vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group management_access_in in interface management
access-group global_access global
route outside outside-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mine-fwcore-0
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 3e1f8f4e
telnet timeout 5
ssh management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect profiles mineClientProfile disk0:/mineclientprofile.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
group-policy mineGrpPolicy internal
group-policy mineGrpPolicy attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split-tunnel
 default-domain value mine.pvt
 split-dns value
 split-tunnel-all-dns disable
 address-pools value mine_vpn-pool
 ipv6-address-pools none
  url-list none
  anyconnect firewall-rule client-interface public value outside_access_in
  anyconnect firewall-rule client-interface private value outside_access_in
  anyconnect ask enable default webvpn
username root password xxxxxxxxxxxxxxx encrypted privilege 15
username ME password xxxxxxxxxxxxxx encrypted privilege 0
username ME attributes
 vpn-group-policy mineGrpPolicy
tunnel-group mine_vpn type remote-access
tunnel-group mine_vpn general-attributes
 address-pool (outside) mine_vpn-pool
 address-pool mine_vpn-pool
 default-group-policy mineGrpPolicy
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end

Open in new window

Question by:wsani
    LVL 10

    Expert Comment

    At quick glance, it appears that you need to exclude the vpn traffic from the nat commands.

    try something like this:

    access-list nat-zero permit ip
    access-list nat-zero permit ip
    nat (inside)  0 access-list nat-zero
    nat (management) 0 access-list nat-zero


    Author Comment

    thanks for that. Both of nat commands are deprecated. I ran into this earlier while experimenting.
    LVL 10

    Accepted Solution

    Try doing a nat expemption rule through the ASDM GUI.  

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Suggested Solutions

    This article is in response to a question ( here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
    The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now