ASA 5505 Remote Access VPN

Jul 10th, 2007

Please help... I went through the VPN wizard. I can establish a connection but can't access anything on the inside interface. Is there an access-list rule that is missing or a sysopt connection statement that is needed?

I've attached the current config.

Thank You

Jon Marshall Tue, 07/10/2007 - 09:18

Try adding this to your config

"crypto isakmp nat-traversal"



bennettg Tue, 07/10/2007 - 09:30

Thanks Jon,

I added crypto isakmp nat-traversal to the config. It still is not working correctly. Since adding this statement, when I ping the "inside" interface, I get icmp replies from the "outside" interface.

schakra Tue, 07/10/2007 - 10:21


You need to use an access-list to bypass NAT: use nat 0 with an access-list.

I'm sending you a sample config as per your network.

Back up your current config, remove your VPN config, and use this template just as a template:


access-list 101 extended permit ip
access-list 102 extended permit ip
ip local pool vpnpool1 mask
nat (inside) 0 access-list 102
group-policy test internal
group-policy test attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
sysopt connection permit-ipsec
username test password cisco encrypted privilege 0
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpnpool1
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key cisco#123


Let me know if it works.

Please don't forget to rate this post if it works.


bennettg Tue, 07/10/2007 - 10:53

Hi Schakra,

I modified the configuration per your instructions but still can't access anything on the inside interface. Split tunnel works as I can access the Internet when connected. But still have no access to anything on the "inside" interface.

Attached is the new configuration.

Thank You

schakra Tue, 07/10/2007 - 11:11

Where is this command?

sysopt connection permit-ipsec

If it does not work, also try removing

nat (inside) 1

Are you trying to access something other than the network? Then you may need to explicitly allow it.


bennettg Tue, 07/10/2007 - 11:30

I've entered both of the following commands and neither show in the config:

sysopt connection permit-ipsec

sysopt connection permit-vpn

I also tried removing

nat (inside) 1

Still no luck in accessing the subnet on the inside interface.

aalexanian1 Fri, 07/13/2007 - 20:40

I have the same problem entering the command sysopt connection permit-ipsec.

If you do "sysopt connection permit-ipsec ?", permit-ipsec is not an option.

I'm trying to do a spoke-to-spoke VPN solution, and without connection permit-ipsec on my spoke ASA 5505s packets are rejected.

schakra Fri, 07/13/2007 - 21:23

The sysopt connection permit-ipsec command is not displayed in the output of the show running-config sysopt command on ASA version 7.x,

but it is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.

In PIX version 7.x the sysopt connection permit-ipsec command, and in ASA version 7.x the sysopt connection permit-vpn command, resolves the one-way traffic issue.
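The checks this thread works through, as an added example that is not part of any post: a small Python linter that parses an ASA 7.x running config and reports a missing NAT exemption for the VPN pool (or an exemption ACL that does not actually cover the pool's addresses), NAT-T not enabled, and a crypto map not bound to outside. For sysopt it looks only for the explicit "no sysopt connection permit-vpn" form, because on ASA 7.x that command is on by default and therefore never shows up in show running-config; its absence from the config is not the cause of one-way traffic. It also checks for management-access inside, which goes beyond what the thread mentions but is what the ASA requires before its own inside interface address answers pings from VPN clients; hosts behind that interface are reachable without it. Both configs, the pool, the ACL names and the addresses are constructed for the example and are not the asker's attachment.

```python
"""Added example (not from the thread): lint an ASA 7.x running config for the
remote-access VPN mistakes worked through above.  All config text is constructed."""
import ipaddress
import re

# Constructed config with the asker's shape: a catch-all 'nat (inside) 1'
# rule and a VPN pool, but no NAT exemption for that pool and no NAT-T.
BROKEN_CONFIG = """
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool vpnpool1 192.168.50.1-192.168.50.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpnpool1
"""

# The same config with the thread's fixes (NAT exemption, NAT-T) plus
# management-access so the inside interface address itself answers.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list 102 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102
crypto isakmp nat-traversal 20
management-access inside
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"access-list (\S+) extended permit ip {IPV4} {IPV4} {IPV4} {IPV4}$")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask \S+$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Collect ACL network entries, address pools and nat 0 bindings.
    Sub-mode indentation is dropped; 'any'/'host' ACL forms are ignored."""
    cfg = {"lines": [], "acls": {}, "pools": {}, "nat0": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        cfg["lines"].append(line)
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    lines = cfg["lines"]
    findings = []
    # 1. NAT exemption: inside-to-pool traffic must match a 'nat (inside) 0' ACL,
    #    or the catch-all NAT rule rewrites the replies to the VPN clients.
    exempt_acl = cfg["nat0"].get("inside")
    if exempt_acl is None:
        findings.append("nat-exempt: no 'nat (inside) 0 access-list <acl>' for the VPN pool")
    else:
        entries = cfg["acls"].get(exempt_acl, [])
        for pool, (first, last) in cfg["pools"].items():
            if not any(first in dst and last in dst for _src, dst in entries):
                findings.append(f"nat-exempt: ACL {exempt_acl} has no destination covering pool {pool}")
    # 2. permit-vpn is on by default on ASA 7.x and not shown in the running
    #    config; only the explicit 'no' form is a problem.
    if any(l in ("no sysopt connection permit-vpn", "no sysopt connection permit-ipsec") for l in lines):
        findings.append("sysopt: permit-vpn disabled; decrypted traffic is subject to the outside ACL")
    # 3. NAT-T, so clients behind a NAT device can carry ESP inside UDP/4500.
    if not any(re.match(r"(crypto )?isakmp nat-traversal", l) for l in lines):
        findings.append("nat-t: 'isakmp nat-traversal' is not enabled")
    # 4. The crypto map must be bound to the outside interface.
    if not any(re.match(r"crypto map \S+ interface outside$", l) for l in lines):
        findings.append("crypto-map: no crypto map is bound to outside")
    # 5. Beyond the thread: the inside interface's own address answers VPN
    #    clients only with management-access; hosts behind it do not need it.
    if "management-access inside" not in lines:
        findings.append("management-access: 'management-access inside' absent; the inside interface IP will not answer pings")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(text) or "ok")
```

Run stand-alone it prints three findings for the broken config (NAT exemption, NAT-T, management-access) and "ok" for the fixed one. Feed it the output of show running-config from a real box to get the same verdicts; the parser only understands the network/mask ACL form, so exemption entries written with any or host are not counted as covering the pool.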


