VPN Clients can't access resources on the LAN when connected via VPN

Feb 29th, 2008


I have an ASA 5505 running IOS 7.2(3) and ASDM 5.2(3). I configured remote access VPN with an IP pool. I can connect via VPN to the ASA but I cannot access any resource on the LAN (I couldn't even ping the server on the LAN). Also, I could not launch ASDM via the VPN connection I established.

Does anyone have any idea what is missing in my config?

Thanks for your help and time.

brettmilborrow Fri, 02/29/2008 - 07:53

Can you confirm what your default gateway on the network is?

Is it the firewall internal address?

If not, you need to ensure you have a route configured for the network pointing at your internal ASA interface address.

Besides this, you will not be able to connect to the internal interface of the ASA from a VPN connection that terminates on any other interface. This is not permitted by the ASA.

a.ajiboye Fri, 02/29/2008 - 08:33


The default gateway for the is the ASA inside interface IP address. I created a route like this:

route inside 1

yet I still can't launch ASDM, nor am I able to SSH/Telnet to the ASA. I could not ping the ASA inside interface IP address or any node on the network either.

alanajjar Fri, 02/29/2008 - 09:57


Please try adding these commands and check if it works:

access-list 110 permit ip any

group-policy Ideal-PR attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 110

These commands will specify the traffic that will use the VPN tunnel.


brettmilborrow Tue, 03/04/2008 - 05:36

Split tunneling will not fix this problem. Besides this, I would not suggest applying split tunneling unless you need it, e.g. to allow the client access to the internet over its local internet link whilst still connected to the VPN.

The reason I say this is because there are risks associated with allowing split tunneling, whereby the client may allow access to your corporate LAN because the client's local LAN is not secure.

alanajjar Fri, 02/29/2008 - 10:02


Also change this access list:

access-list inside_nat0_outbound extended permit ip any


access-list inside_nat0_outbound extended permit ip any


brettmilborrow Tue, 03/04/2008 - 06:50

Can you confirm which clients you are testing from?

I took your config and installed it on a spare ASA. It works fine from a windows client, but not from a Mac client.

brettmilborrow Tue, 03/04/2008 - 07:42

Also, it seems you ARE able to access the PIX/ASA internal interface from the outside/other interface. You need to apply the following command:

'management-access inside'

a.ajiboye Fri, 03/07/2008 - 04:55


Thanks for your response. I didn't want to implement split tunnelling due to the potential risks.

I corrected the ACL but it still didn't work. I was testing from network.

I added the command "crypto isakmp nat-traversal" from the CLI and I could access the network.

Everything is working fine now. Thank you all for your help.
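The following ASA 7.2 configuration fragment is an added illustration, not a config posted by anyone in this thread. It pulls together the three fixes the replies converge on (the NAT-exemption ACL for the VPN pool, management-access inside so the VPN client can reach the inside interface for ASDM/SSH/ping, and crypto isakmp nat-traversal for clients behind a NAT device) while keeping the full-tunnel policy the original poster chose. The subnets 192.0.2.0/24 (inside LAN), 198.51.100.0/26 (VPN pool) and the pool name VPNPOOL are constructed placeholder values; the group-policy name Ideal-PR is the one that appears in the thread.

```cisco
! Added example (constructed values, pre-8.3 NAT syntax as used on ASA 7.2)
!   inside LAN  : 192.0.2.0/24        (placeholder)
!   VPN pool    : 198.51.100.1-50     (placeholder, inside 198.51.100.0/26)
ip local pool VPNPOOL 198.51.100.1-198.51.100.50 mask 255.255.255.0

! NAT exemption: inside-LAN replies to VPN clients must bypass NAT, or they
! are translated toward the outside and never enter the tunnel.
access-list inside_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound

! Let a VPN session that terminates on 'outside' reach the 'inside' interface
! for ASDM, SSH, Telnet and ping; without this the ASA drops such traffic.
management-access inside

! NAT traversal: encapsulate ESP in UDP/4500 when a NAT device sits between
! the client and the ASA (keepalive interval 20 s is the default).
crypto isakmp nat-traversal 20

! Keep the full tunnel (no split tunneling), so the client's local LAN does
! not become a bridge into the corporate LAN while the VPN is up.
group-policy Ideal-PR attributes
 split-tunnel-policy tunnelall
```

Note that the nat0 ACL must name the VPN pool range explicitly; an entry ending in "any" exempts every inside host from NAT toward every destination, which is broader than intended and silently removes the outbound translation for ordinary Internet traffic. Verify the result with "show nat" (the nat0 line should show a hit count climbing while a client is connected) and "show crypto isakmp sa", where a peer shown as NAT-T confirms UDP encapsulation is in use.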

