
ASA 5505 VPN can't access inside hosts

moo
Level 1

I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.

The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87


Accepted Solutions

kwillacey
Level 3

You may need nat traversal turned on. Try adding crypto isakmp nat-traversal 3600


8 Replies

singhsaju
Level 4

Can you ping 10.47.232.1?

Also, can you paste the route print from the VPN client host when the VPN is connected?

No, I can't ping anything.

And here is the route -print after connection

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport

0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1

85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10

192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10

192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10

192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1

192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10

192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10

192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10

224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10

224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10

255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1

255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1

Default Gateway: 192.168.222.101

===========================================================================

Persistent Routes:

None
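As an added example (not part of the original thread), the following Python code applies longest-prefix matching to the Active Routes rows posted above to show which interface the client would use for 10.47.232.1. The function names are hypothetical, and treating 192.168.222.0/24 as the VPN pool is an assumption based on the NAT-exemption ACL quoted later in the thread.

```python
import ipaddress

# Active Routes rows from the route print above: dest, mask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
"""
VPN_POOL = ipaddress.ip_network("192.168.222.0/24")  # assumption: pool from the thread's nat0 ACL


def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # not a route row (header, separator, blank line)
        dest, mask, gateway, iface, metric = fields
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def select_route(routes, target):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def via_tunnel(routes, target):
    """True when the selected route leaves through a VPN-pool interface."""
    route = select_route(routes, target)
    return route is not None and route[2] in VPN_POOL


if __name__ == "__main__":
    print(select_route(parse_routes(ROUTE_PRINT), "10.47.232.1"))
```

For 10.47.232.1 the only matching row is the default route, whose interface address 192.168.222.100 lies in the assumed VPN pool, so the client's own routing table already directs that traffic to the VPN adapter.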

kwillacey
Level 3

You may need nat traversal turned on. Try adding crypto isakmp nat-traversal 3600

Unfortunately it didn't help

Hi, it seems like it helped anyway.

I was focused on just being able to ping the ASA 5505 on the inside network 10.47.232.1 which I still can't, but everything else goes perfect.

Regards Mogens

5220
Level 4

Hi,

Can you add the following lines on the ASA:

access-list inside_nat0_outbound extended permit ip 192.168.222.0 255.255.255.0 10.47.232.0 255.255.255.0

group-policy tunnel_grp_logiware attributes

split-tunnel-policy tunnelall

This will make sure the split-tunneling is not affecting your routing and that NAT 0 is allowed between the inside network and VPN pool.

Please rate if this helped.

Regards,

Daniel

Hi,

I tried it, but it didn't help.

I think you are missing the configuration for split tunnel. Tunnel your private networks, e.g. 10.47.232.0/24.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

HTH

Saju