Cisco ASA Client VPN was working but can no longer access internal network

I have a Cisco ASA 5505 that I had set up with client VPN access using Cisco VPN client. It was authenticating to a RADIUS server on a Windows domain controller and was working just fine, allowing me access to my internal networks without troubles. I got rid of the domain controller that was providing RADIUS auth and I am the only one using it now anyway, so I changed the VPN to use Local accounts on the ASA for authentication. I created a local account to use. I am able to connect to the VPN with the local user credentials and authenticate properly. The problem is, I can no longer access the internal network like I used to. The only thing I changed was how it authenticates ... from RADIUS to Local. Did I miss something? I can't ping any hosts internally. Again, all I did was change how it authenticates the user.
Asked by: Steve Bantz (IT Manager)
szichen commented:
Do you have a firewall between the Internal network and the ASA 5505?
kellemann commented:
You mentioned that the RADIUS server was also a domain controller. That means it was probably a DNS server as well. Does pinging internal IP addresses work? If so, it is only your name resolution which fails. Changing the group policy on the firewall to point to a valid DNS server should do the trick.
Steve Bantz (IT Manager, author) commented:
The ASA is the only firewall. I can't ping any internal IP addresses either. Before I made the change to the authentication method I could access anything by name or IP. Now neither works. The DNS server is specified correctly and my client has the correct IP configuration, yet no access to the internal network is granted. Again, the only change I made was authenticating to a local database rather than RADIUS.
kellemann commented:
Please post the output from this command (while having a VPN client connected):

packet in inside TCP <internal ip address> 8888 <ip address of VPN client> 80

It should tell us if the internal logic of the firewall forwards the traffic to the client.

Steve Bantz (IT Manager, author) commented:
Well, I used the trace as you suggested and figured out that it was trying to NAT to get to the internal network.  I had to put the nonat statement back in and then I was able to get to all IPs and hostnames I needed.  All I did was change the authentication method from RADIUS to Local so I have no idea why it took the nonat statement out.  That kind of bothers me, but that's why you have backups to reference.  Thanks.
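The failure found in this thread (the VPN client pool no longer covered by a NAT exemption) can be checked offline by comparing a saved config against the running one. The script below is an added example, not part of the original thread: the pool name, ACL name and addresses are constructed, and it assumes the pre-8.3 `nat (inside) 0 access-list` syntax with no object-groups in the ACL.

```python
import ipaddress
import re

# Constructed sample configs (pre-8.3 "nat 0" syntax); names and addresses are made up.
BACKUP_CFG = """\
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Same config with the exemption line missing, as described in the thread.
RUNNING_CFG = BACKUP_CFG.replace("nat (inside) 0 access-list nonat\n", "")

def _take(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def vpn_pools_exempt(config, inside_if="inside"):
    """Return {pool name: True if the whole pool is a destination in the
    ACL bound to 'nat (<inside_if>) 0', else False}."""
    pools, acl_dests, exempt_acls = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip local pool (\S+) (\S+?)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            try:
                _src, rest = _take(m.group(2).split())
                dst, _ = _take(rest)
                acl_dests.setdefault(m.group(1), []).append(dst)
            except (ValueError, IndexError):
                pass  # unsupported form (e.g. object-group): skipped
            continue
        m = re.match(rf"nat \({re.escape(inside_if)}\) 0 access-list (\S+)", line)
        if m:
            exempt_acls.add(m.group(1))
    nets = [n for acl in exempt_acls for n in acl_dests.get(acl, [])]
    return {name: any(lo in n and hi in n for n in nets)
            for name, (lo, hi) in pools.items()}

if __name__ == "__main__":
    for label, cfg in (("backup", BACKUP_CFG), ("running", RUNNING_CFG)):
        print(label, vpn_pools_exempt(cfg))
```

A pool reported as `False` means return traffic to VPN clients will hit the dynamic NAT rule, which is the behaviour the packet trace exposed here.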