Answered Question
Sep 24th, 2007

I've just set up a RA VPN on a new ASA5505. I followed documentation from Cisco on getting it set up. I can connect, but I cannot ping anything on the inside. At first I had vpn pool giving out IP's on the inside but I read that this was incorrect. So I assigned a different IP scheme. I'm just not sure how to make it NAT correctly so that I can get to inside IP addresses. If anyone could help, I would appreciate it.


acomiskey Mon, 09/24/2007 - 10:24

If you could post a config, you would probably get a quick solution. Clean out passwords, public ip's etc.

sonitadmin Mon, 09/24/2007 - 12:12

I've set it so that the vpn pool uses as the IP's. I think where I am running into the problem is the fact that there are two internal IP schemes. There is a 172.20.5 network and a 192.168.1 network. With the way it's set now, I can connect and I get a 172.20.50 address and I can ping the 192.168.1 network but I'm not sure how to go about accessing the 172.20.5 network. This is where I need VPN clients to have access to.

Thanks for any help!

acomiskey Mon, 09/24/2007 - 12:25

access-list inside_nat0_outbound extended permit ip

That should get you to Just make sure that network has a route to the vpn client subnet.

Please rate helpful posts.

sonitadmin Mon, 09/24/2007 - 12:39

I tried that but it didn't work. Could you explain what you mean with "Just make sure that network has a route to the vpn client subnet."

This could be where my problem is.


acomiskey Mon, 09/24/2007 - 12:43

Well, you definitely need the access-list statement I posted above.

Where does sit? If you were sitting on that network, what is your default gateway? Does that gateway know how to route to

If your topology was something like this...

VPN Clients - ASA - -Inside Router -

In this case the inside router would need a route like this

ip route

Unless of course is it's default route.

acomiskey Mon, 09/24/2007 - 12:47

I made a mistake in my original post above. I did correct it. I had 172.25 instead of 172.20.

access-list inside_nat0_outbound extended permit ip

ajagadee Mon, 09/24/2007 - 12:49


After checking all the details posted in the previous post by acomiskey, also check and make sure that you have a route on the ASA for the 172.20.5.x network and ping a 172.20.5.x IP address from the ASA.

I hope it helps.



sonitadmin Tue, 09/25/2007 - 12:20

Ok, I entered the access-list inside_nat0_outbound extended permit ip command. I tried pinging the 172.20.5.x network and couldn't get anything. I added a static route on the ASA on the inside port for with the gateway of I could then ping from the ASA and from the VPN client but could still not ping anything else on the network.

What am I missing?

acomiskey Tue, 09/25/2007 - 12:28

So you added this statement?

route inside

That doesn't make sense as the gateway to the network is on the network.

Could you give us a topology from a client on the network all the way to the ASA?

sonitadmin Wed, 09/26/2007 - 04:26

Yes, I added the route inside command above.

PC ( ----Network Switch--(Fiber between two buildings)----DLink(

Hope this helps.

acomiskey Wed, 09/26/2007 - 04:44

Ok, thanks. I still see a problem that the route you added doesn't really make sense. Doesn't the DLink have an address on the network?

sonitadmin Wed, 09/26/2007 - 05:32

Not that I am aware of. I only know of it with the address.

acomiskey Wed, 09/26/2007 - 07:07

If the dlink is a router and connects the two networks it would have 2 addresses.

PC ( ----Network Switch--(Fiber between two buildings)----(

Then your route statement in the ASA would be

route inside 192.168.1.x

sonitadmin Wed, 09/26/2007 - 07:44

Thanks for all of your help.

I needed the route inside 192.168.1.x command.

Everything appears to be working correctly now.

sonitadmin Thu, 09/27/2007 - 05:20

Ran into another problem this morning. I've tested everything on my end and it works great. Client has a new web server that we are supposed to RDP into once connected to VPN and set up. From my office logged in with our account, I can RDP to the server fine. From a different office, my web developer tries to log in and gets connected fine but can't RDP into the server. Any ideas why it would work from here but not from there?


Correct Answer
acomiskey Thu, 09/27/2007 - 05:23

Check the firewall config for...

crypto isakmp nat-traversal

and add it if it is missing.

sonitadmin Thu, 09/27/2007 - 05:35

It wasn't in there. I added it and it worked. Can you tell me exactly what that command does?

Thanks again for all your help!

acomiskey Thu, 09/27/2007 - 05:43

It enables nat-traversal, which allows you to have ipsec esp packets encapsulated in udp. To put it simply, if a vpn client is behind a pat/nat device, ipsec and pat are incompatible, therefore nat-t must be enabled and used. It runs over udp port 4500.
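As an added example (not code from this thread or from Cisco), a small Python lint that reads an ASA config and reports the conditions the thread settled on: the client pool must not overlap the inside subnet, each inside LAN needs a nat0 exemption entry towards the pool, each LAN that is not directly connected needs a route, and crypto isakmp nat-traversal must be present. The sample config, subnets and ACL name are constructed; it assumes the classic nat (inside) 0 access-list exemption syntax and a config that defines both a pool and an interface named inside.

```python
import ipaddress
import re

def net(a, m): return ipaddress.ip_network(f"{a}/{m}", strict=False)

# Constructed ASA snippet (not the poster's config): nat0 covers one LAN only, no nat-traversal line.
SAMPLE_CONFIG = """
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNPOOL 172.20.50.10-172.20.50.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 172.20.5.0 255.255.255.0 192.168.1.254 1
"""

def parse_asa(config):
    cfg = {"pool": None, "inside": None, "acls": {}, "nat0": None, "routes": [], "nat_t": False}
    in_inside = False  # true while reading the interface block whose nameif is "inside"
    for s in (l.strip() for l in config.splitlines()):
        if s.startswith("nameif "):
            in_inside = s == "nameif inside"
        elif in_inside and (m := re.match(r"ip address (\S+) (\S+)", s)):
            cfg["inside"] = net(m[1], m[2])
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", s):
            cfg["pool"] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", s):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", s):
            cfg["nat0"] = m[1]  # the ACL actually bound as the NAT exemption
        elif m := re.match(r"route inside (\S+) (\S+) \S+", s):
            cfg["routes"].append(net(m[1], m[2]))
        elif s.startswith("crypto isakmp nat-traversal"):
            cfg["nat_t"] = True
    return cfg

def check_ra_vpn(config, protected_nets):
    cfg = parse_asa(config)
    pool, inside = cfg["pool"], cfg["inside"]
    lans = [ipaddress.ip_network(n) for n in protected_nets]
    exempt = cfg["acls"].get(cfg["nat0"], [])
    # a LAN with no nat0 entry LAN -> pool has its replies to clients translated
    no_nat0 = [n for n in lans if not any(n.subnet_of(s) and pool.subnet_of(d) for s, d in exempt)]
    # a LAN that is neither on the inside subnet nor routed cannot be reached from the ASA
    no_route = [n for n in lans if not (n.subnet_of(inside) or any(n.subnet_of(r) for r in cfg["routes"]))]
    return {
        "pool_overlaps_inside": pool.overlaps(inside),  # the poster's first mistake
        "missing_nat0": [str(n) for n in no_nat0],
        "missing_route": [str(n) for n in no_route],
        "nat_t_enabled": cfg["nat_t"],
    }
```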

