VPN Client for Public Internet VPN (non-split) assistance

Unanswered Question
May 8th, 2008
User Badges:

Hi There,

I'm hoping to receive some assistance with an issue I'm currently experiencing. It is related to a non-split VPN setup, the requirement is that VPN clients will be able to access a remote network and the internet via the firewall, in my case a ASA 5520, hence the public IP address for the vpn clients will be one assigned to our network by the ISP and no the vpn user's internet service public IP. I have followed the steps on this article but it is not working for me,


I run clear xlate and clear local after the changes with no luck. Once connected I am unable to access the internet and the remote network from the vpn client. The secured routes that are shown under statistics in the vpn client are

I also tried the split VPN set up and that works fine. When connected I am able to reach the remote network and internet without a problem.

I noticed that under the non-split vpn set up, the VPN clients get assigned an IP and a gateway from the vpn local pool, which is not the case on the split-VPN setup, where the VPN clients get assigned only an IP and not a gateway.

The firewall as mentioned is an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.0(3), Device Manager Version 6.0(3)

See attached the config related to the non-split vpn set up.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
JORGE RODRIGUEZ Fri, 05/09/2008 - 18:31
User Badges:
  • Green, 3000 points or more

config looks fine except!

In your statement, maybe a typo ?

your vpn network ip scheme

ip local pool vpn-pool-2 mask

your vpn network nat statement

nat (outside) 1

should'nt it be

nat (outside) 1

JORGE RODRIGUEZ Sat, 05/10/2008 - 08:58
User Badges:
  • Green, 3000 points or more

Esteban, just following up to see if your problem is resolved.

Once you correct nat (outside) statement to coinside with your vpn network you can place back Tunnel ALL firewall RA configuratiion and your VPN clients will be able to get outbound internet..




egua5261 Sun, 05/11/2008 - 16:55
User Badges:

Hi Jorge,

It was indeed a typo, however not in the running config of the firewall but in the draft one, (which was the one I had attached) I have re-checked and made sure the correct IP range is set in the vpn pool. I confirm I can connect, I get an IP such as and gateway I have tried in two different PCs, one running win XP and the other Win Vista. I'm still not having luck in any of these... Once connected I can't connect to the remote network neither to the internet. I have cleared xlate to make sure the translation information is refreshed but still not luck.

I currently have two different group policies, two tunnel groups, two different vpn pools, one set is used for split vpn, which works very well; the other one is the one for non-split vpn, the one I am having troubles with... would this be an issue?

Also would there be a problem having these two under the same configuration?

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Any more ideas on how to troubleshoot this further?

Best Regards,


JORGE RODRIGUEZ Mon, 05/12/2008 - 22:12
User Badges:
  • Green, 3000 points or more

Hmmmm, ok if you have the no-split tunnel group that does not work properly configured by the book it definatly is not making sence, do you have crypto isakmp nat-traversal 20 enabled in your firewall? as well as acl permitting that vpn pool network access to inside network.Also have you looked at logs when vpn client tries to access internet or connect to inside network.

Can you post an updated sanatized asa config.. strip out public IP information.

egua5261 Tue, 05/13/2008 - 23:41
User Badges:

My mistake. I was trying to access websites via the domain name I have just found that by connecting with the VPN client by the non-split profile I can reach outside IPs, which all comes to a DNS issue as the DNS addresses assigned to the client connection are internal. I'm having problem accessing the internal network, which explains why domain names are not resolving. Most likely due to the ACL that you mentioned. I'm not sure if i will need the crypto isakmp nat-traversal 20, what is this one for?


egua5261 Sun, 05/18/2008 - 19:29
User Badges:


I have finally fixed it. I was missing an entry for the vpn-pool IP range on the nonat access list, (inside_vpn_nonat) acl, which exempts natting to that range from the networks behind the firewall.

Thanks for your help.


JORGE RODRIGUEZ Sun, 05/18/2008 - 20:35
User Badges:
  • Green, 3000 points or more

Esteban, I am glad you have fixed the problem and great you have posted how you resolved it.




This Discussion