VPN Clients can't access internal LAN

May 30th, 2008

Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have an ASA 5520. My VPN clients can connect, they get a DHCP address from our internal server no problem. I can ping and connect to the VPN clients from our LAN, but the clients cannot ping me or anything else on the LAN. The clients are connecting ipsec-ra. I know I must be missing something simple here. Here is my config. Any help would be great.

acomiskey Fri, 05/30/2008 - 07:01

You are missing a nat exemption acl entry for your vpn client pool(

access-list nonat extended permit ip

access-list nonat extended permit ip

You do have this entry..

access-list NONAT extended permit ip any

but you cannot have 2 nat exemption acls, so you can get rid of that one.

no access-list NONAT extended permit ip any
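
An added example, not part of the thread: a small Python audit of the two conditions the answer above describes (no exemption entry covering the VPN client range, and a second ACL that differs only by case from the one bound to NAT exemption), run over a constructed config fragment. It assumes the pre-8.3 `nat (interface) 0 access-list NAME` form; the addresses, the `inside` interface name and the `parse`/`audit` helpers are made up for illustration, since the thread's own addresses are not shown on the page.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 ASA syntax); all addresses are made up.
SAMPLE = """\
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def _take_net(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return ({acl_name: [(src, dst), ...]}, {interface: bound_acl_name})."""
    acls, nat0 = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            src, rest = _take_net(m.group(2).split())
            dst, _ = _take_net(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)  # this sketch keeps the last one seen
    return acls, nat0

def audit(config, interface, lan, pool):
    """Return findings about NAT exemption for lan -> pool traffic."""
    acls, nat0 = parse(config)
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    bound = nat0.get(interface)
    findings = []
    if not any(lan.subnet_of(s) and pool.subnet_of(d) for s, d in acls.get(bound, [])):
        findings.append(f"{lan} -> {pool} is not exempt in ACL {bound!r}")
    for name in acls:
        if bound and name != bound and name.lower() == bound.lower():
            findings.append(f"ACL {name!r} differs from {bound!r} only by case and is not bound")
    return findings
```

Calling `audit(SAMPLE, "inside", "10.1.0.0/16", "10.9.9.0/24")` reports both conditions; with the entry moved into the ACL that is actually bound, the list of findings is empty.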

adcorbett_2 Sun, 06/01/2008 - 09:56

That was it. Thanks!

acomiskey - dude - for as many times as you have helped me out, if you are ever in Massachusetts, let me know. I owe you!

