asa 5510, vpn remote access wizard -> can't access LAN and inet

Unanswered Question
Apr 3rd, 2008


My ASA 5510 config, in part:

interface Ethernet0/0
 description local network interface
 nameif localnet
 security-level 100
 ip address

interface Ethernet0/1
 nameif external
 security-level 0
 ip address x.x.x.20

nat (localnet) 1

route localnet 1
route localnet 1
route localnet 1

I want to connect a VPN to the ASA from the "localnet" (from network) interface, using the VPN wizard:

access-list CiscoASA_splitTunnelAcl standard permit any
username vpnuser password xxx encrypted privilege 0
username vpnuser attributes
 vpn-group-policy CiscoASA
ip local pool vpnpool
group-policy CiscoASA internal
group-policy CiscoASA attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoASA_splitTunnelAcl
 dns-server value
 wins-server value
 default-domain value
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
 default-group-policy CiscoASA
 address-pool vpnpool
tunnel-group CiscoASA ipsec-attributes
 pre-shared-key CisCo
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map localnet_dyn_map 20 set pfs group2
crypto dynamic-map localnet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map localnet_map 65535 ipsec-isakmp dynamic localnet_dyn_map
crypto map localnet_map interface localnet

After that I can connect to the ASA using the Cisco VPN client, but I can't access anything: no LAN, no internet, no ASA...

How can I get access?

Thanks for any answers.

IMCAcustomer Thu, 04/03/2008 - 05:21

After connecting, the VPN client statistics:

received: 0
sent: 22722
Local LAN: disabled

but I checked "Allow local LAN access" ...

husycisco Thu, 04/03/2008 - 09:49

Hi Sergey,

Assuming that your isakmp entries are correct (i.e. that you can establish the connection):

1) Do not use "any" statements in ACLs that define networks, like split tunneling. Issue the following:

no access-list CiscoASA_splitTunnelAcl standard permit any
access-list CiscoASA_splitTunnelAcl permit ip

2) Issue the following command:

crypto isakmp nat-traversal 20

3) There is really no sense in terminating the VPN connection at the "localnet" interface, which has the highest security level.


IMCAcustomer Thu, 04/03/2008 - 23:06

Error in the config, don't look at it.

Hi Huseyin, I did 1) and 2) and it had no effect ((

My full ASA config is in the attachments, please look at it.

husycisco Fri, 04/04/2008 - 03:32


Add the following:

access-list inside_nat0_outbound permit ip
nat (localnet) 0 access-list inside_nat0_outbound
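The points husycisco raises in the two replies above (no "any" in the split-tunnel ACL, NAT-T enabled, the crypto map terminating on the highest-security interface, and a nat 0 exemption whose ACL name actually exists) can be checked mechanically against a saved running-config. The Python below is an added example, not code from the thread; its sample config is constructed in the shape of the poster's, with the interface and object names from the thread and placeholder values elsewhere.

```python
import re

# Constructed sample shaped like the thread's config (names from the thread, values placeholders).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif localnet
 security-level 100
interface Ethernet0/1
 nameif external
 security-level 0
access-list CiscoASA_splitTunnelAcl standard permit any
group-policy CiscoASA attributes
 split-tunnel-network-list value CiscoASA_splitTunnelAcl
crypto map localnet_map interface localnet
"""

def security_levels(config):
    """Map each nameif to its security-level (sub-commands are indented)."""
    levels, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "nameif":
            current = tok[1]
        elif len(tok) >= 2 and tok[0] == "security-level" and current:
            levels[current] = int(tok[1])
    return levels

def audit_ra_vpn(config):
    """Return findings for the four points raised in the thread; [] = clean."""
    findings, levels = [], security_levels(config)
    inside = {n for n, lvl in levels.items() if lvl == max(levels.values())}
    # 1) a split-tunnel ACL must name real networks, never 'any'
    for acl in re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M):
        if re.search(rf"^access-list {re.escape(acl)} .*\bpermit (ip )?any", config, re.M):
            findings.append(f"split-tunnel ACL {acl} permits 'any'")
    # 2) clients behind a NAT device need NAT-T for ESP to survive
    if not re.search(r"^crypto isakmp nat-traversal", config, re.M):
        findings.append("crypto isakmp nat-traversal is not enabled")
    # 3) the crypto map normally terminates on the lowest-security interface
    for name, ifc in re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M):
        if ifc in inside:
            findings.append(f"crypto map {name} is bound to inside interface {ifc}")
    # 4) inside-to-pool traffic needs a NAT exemption whose ACL actually exists
    nat0 = re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M)
    for ifc, acl in nat0:
        if not re.search(rf"^access-list {re.escape(acl)} ", config, re.M):
            findings.append(f"nat 0 on {ifc} references undefined ACL {acl}")
    for ifc in inside - {ifc for ifc, _ in nat0}:
        findings.append(f"no nat 0 exemption on inside interface {ifc}")
    return findings
```

Run `audit_ra_vpn` over the text of `show running-config`; the sample above yields all four findings, and a mistyped ACL name in the nat 0 line (as in the reply above before correction) is reported as an undefined ACL.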

IMCAcustomer Fri, 04/04/2008 - 06:14

Thanks very much!!!

After your help I can access the local LAN,

but one problem still exists (((

The ASA device is the gateway to the internet for computers from the network.

How can I, through the VPN (from IP, go to the internet through the ASA?

husycisco Fri, 04/04/2008 - 06:27


Nice to hear that your problem is resolved, and thanks for rating.

I have a question before answering your question. Terminating the VPN at the inside interface, as you do now, is not a common practice. Do you have a specific reason for this?


IMCAcustomer Fri, 04/04/2008 - 06:41


I have the following reason: my PC has an IP from the network and a default gateway; through it I go to the internet. I need to go to the internet through the ASA (another internet connection).

husycisco Fri, 04/04/2008 - 13:11

I didn't understand this actually; your inside users can already set the ASA as gateway and connect to the internet via it. VPN users are usually users who are outside of your infrastructure.

IMCAcustomer Sun, 04/06/2008 - 20:51

No, between my localnet part and the ASA's localnet part there are 3 switches placed, and 2 of them have a DG; only the last switch has a DG.

