VPN Connected (5505) - but no access to internal server

Aug 2nd, 2007

I can connect to our VPN using VPN Client (IPSEC) and what I want to do is then access a link called "" on our server. I can ping the when connected to the VPN, but when I try to go to this link, it says page cannot be displayed.

Any ideas? Thanks

dpatkins Thu, 08/02/2007 - 17:31

Good evening,

Do you have an access-list statement that will allow http to the inside, or are they all on the same subnet? I am assuming that the is inside. The ASA is a little different beast than the VPN concentrators used to be and you need to check static non-connected routes, NAT address configuration and also access-lists. Remember that your endpoint is the outside interface, so you will have to tell the ASA that your address pool needs to access TCP port 80 on the inside. Hope this helps some.


kenmuhr12 Thu, 08/02/2007 - 18:02

Hey Dwane, thanks for the response. I don't know if I have http allowed to be accessed. How do I do that? Also I will check our address pool to see if it is allowing port 80 on the inside.

The is on the inside. It is where our program is and where I want users to connect to.

Another thing that I didn't mention is that I created a VLAN with the IP address of. I'm not sure if that is right. Also, on the server where the program is, I set the IP address manually to and a default gateway as the same. Not sure if that's right, but when I go to the link on that server, I can access the program.

Any more help will be greatly appreciated!


acomiskey Thu, 08/02/2007 - 18:17

And you can ping from the vpn? The ip of the server should not be the same as the vlan on the asa. Change the ip of the server to something else 192.168.2.x and keep the default gateway at

You should not have to worry about an acl entry to allow the traffic. I'm sure you have sysopt conn permit-vpn enabled.

kenmuhr12 Tue, 08/07/2007 - 12:58

Hello All, I posted previously but I have changed some things and thought it would be better to start new. We put in an ASA-5505 and we are able to connect to the firewall using a VPN Client. The problem comes into play when I try to access our program that is located on the server. Here is our set up:

- I have the original Vlan1 and Vlan2, that's it.

- The default of the ASA is

- Our address pools range from to

- I set our server's IP address to with the default gateway to

- If I try to access the server link on another INTERNAL computer, I can access the server and where I want my clients to go.

- If I try from home, I can connect with the VPN Client and it gives me an IP address of, (in the IP pool), but if I try to ping the, it times out.


Should I change the server location to something else? If so, what range to where someone in that - range can access from the outside.

Thanks in advance for all your help. Much Appreciated!!

acomiskey Tue, 08/07/2007 - 13:56

What are the masks of these 10. networks? Are they all in the same

The vpn client subnet should not be the same as any other subnet inside your asa.

kenmuhr12 Tue, 08/07/2007 - 14:33

The Server is actually ip with mask of

The IP pools clients use are set to through 50 with the same subnet as above (

If that needs to be changed, what should it be?

Thanks in advance!

kenmuhr12 Tue, 08/07/2007 - 15:27

I changed them to different masks. I attached my config so you can take a better look at it. (Changing some ip addresses of course)

Thank You so much for the assistance!

P.S. - By looking at your name - are you a Whitesox fan? If so I am right with yah!

mattiaseriksson Wed, 08/08/2007 - 01:20

Try to add this command:

nat (inside) 0 access-list mrsh_nat0_outbound

The server is in the subnet right?

kenmuhr12 Wed, 08/08/2007 - 06:10

Yes, it is subnet /24.

I will have to try this command later because this is my part time job. I will go on my lunch and let you know if this worked.

Unless there is a way to access it from an external location, ie hyperterminal?

acomiskey Wed, 08/08/2007 - 06:20

Well, turns out you didn't need to change anything with the subnets. As long as they weren't the same, you're ok. But the change you made is ok too. Most likely when you changed the pool and the associated acl, it removed the nat exemption statement posted above.

Not really a white sox fan, it's just my last name. Unfortunately I don't own any ballparks!

kenmuhr12 Wed, 08/08/2007 - 06:27

So my config I have attached to this forum is ok? And you're saying that the command "nat (inside) 0 access-list mrsh_nat0_outbound" should be entered and then it should work?

"Yeah, it would be nice to own a ballpark, sorry about that. "

acomiskey Wed, 08/08/2007 - 06:37

I think so.

You could clean it up a little by removing these lines which are not in use...

no access-list inside_nat0_outbound extended permit ip host
no access-list Nat_vpn extended permit ip any
no access-list outside_access_in extended permit ip any host
no access-list inside_access_in extended permit ip any any
no access-list inside_access_out extended permit tcp any any
no access-list inside-mrsh standard permit
no access-list PIM_ACCPTREG_ACL extended permit tcp interface outside interface inside eq www
no access-list outside_cryptomap_1 extended permit tcp interface outside interface

kenmuhr12 Wed, 08/08/2007 - 06:42

Cool! I will try that when I get a chance, then I will retry and post results.

Another quick question: Now when I connect to the VPN remotely, I lose internet connection. This never happened before and I don't know if I added or removed something I shouldn't have.

Thanks again. When all is solved I am rating your assistance a 100% ++++++!!!!

acomiskey Wed, 08/08/2007 - 07:20

Your split tunnel appears to be set up properly except one line. "split-tunnel-policy tunnelspecified"

access-list DefaultRAGroup_splitTunnelAcl extended permit ip
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified

kenmuhr12 Thu, 08/09/2007 - 06:43

I tried running the command but I still lose connection to the internet when I connect to the VPN Client. I attached my most recent config.


acomiskey Thu, 08/09/2007 - 07:02

Looks ok. What do you have for routes in your vpn client under Status -> Statistics -> Route Details?

You should get under secured routes.

This shouldn't make a difference but you could try...

no access-list DefaultRAGroup_splitTunnelAcl extended permit ip
access-list DefaultRAGroup_splitTunnelAcl standard permit ip

kenmuhr12 Thu, 08/09/2007 - 09:39

I get for under secure routes.

I attached most recent with your changes from the previous post.


acomiskey Thu, 08/09/2007 - 09:51

Split tunnel is still not working. Under "group-policy DefaultRAGroup attributes" you have "split-tunnel-policy tunnelall", which means do not split tunnel. You need to change that to "split-tunnel-policy tunnelspecified":

group-policy DefaultRAGroup attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

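The three pitfalls the thread works through (a client pool that overlaps an inside subnet, a missing "nat (inside) 0 access-list" exemption, and "split-tunnel-policy tunnelall") are easy to check for before a config is pushed. The following Python script is an added example, not the poster's attached config or anything from Cisco; the config fragment it audits is constructed for illustration, and the IP addresses and ACL name in it are assumptions.

```python
import ipaddress
import re

# Constructed ASA 7.x-style config fragment (NOT the poster's attached config).
# It deliberately contains the three problems discussed in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
ip local pool vpnpool 192.168.2.200-192.168.2.250 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
"""

IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list \S+", re.M)
SPLIT_RE = re.compile(r"^\s*split-tunnel-policy (\S+)", re.M)


def audit_asa_config(cfg):
    """Return a list of findings for the remote-access VPN pitfalls in the thread."""
    findings = []
    subnets = []
    for ip, mask in IFACE_RE.findall(cfg):
        try:
            subnets.append(ipaddress.IPv4Interface(f"{ip}/{mask}").network)
        except ValueError:
            pass  # e.g. "ip address dhcp" on the outside interface
    # 1. The client pool must not sit inside any subnet the ASA already owns.
    for start, end in POOL_RE.findall(cfg):
        for net in subnets:
            if ipaddress.IPv4Address(start) in net or ipaddress.IPv4Address(end) in net:
                findings.append(f"pool {start}-{end} overlaps interface subnet {net}")
    # 2. Inside-to-client traffic must be exempt from NAT, otherwise replies are
    #    translated and the client never sees them.
    if not NAT0_RE.search(cfg):
        findings.append("no 'nat (inside) 0 access-list' exemption for VPN client traffic")
    # 3. tunnelall forces every client packet into the tunnel, so clients lose Internet.
    for policy in SPLIT_RE.findall(cfg):
        if policy == "tunnelall":
            findings.append("split-tunnel-policy tunnelall: use tunnelspecified with a network list")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```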
