VPN client connected to ASA but cannot do anything after connecting. HELP!

Unanswered Question
Aug 1st, 2008


I have been struggling with this for the last three days. I have a very basic case. My client wants to connect to my ASA using the Cisco VPN client and connect to one host in my network ( This VPN configuration works and lets me connect using the Cisco VPN client, but I cannot go anywhere else after connecting.

I cannot PING from the client and cannot run any protocols (telnet, ftp etc.) to my host (192.168.1.51). BUT I can run these protocols while I am on the inside network without VPN.

I verified that the route exists in my core router (

“Ip route”

ASA Inside IP:

Core Router IP:

Server on the inside:

“Sysopt permit-ipsec” is enabled so that all VPN traffic bypasses the ACL on the outside interface.

ASA version 7.21

hostname ABC

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

#ACL 101 is used to bypass NAT
access-list 101 extended permit ip host
access-list 101 extended permit ip host
access-list 101 extended permit ip host
access-list aclout extended permit udp any interface outside eq 5008
#ACL 102 is for split-tunneling
access-list 102 extended permit ip

ip local pool testpool

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1
static (inside,outside) udp interface 5008 5008 netmask
access-group aclout in interface outside
route outside 1
route inside 1

group-policy mypolicy internal
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102

crypto ipsec transform-set SprintVPN esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set SprintVPN
crypto map Mymap 1 ipsec-isakmp dynamic dyn1
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000

tunnel-group mytunnelgroup type ipsec-ra
tunnel-group mytunnelgroup general-attributes
 address-pool testpool
 default-group-policy mypolicy
tunnel-group mytunnelgroup ipsec-attributes
 pre-shared-key *
 #This is used to disable user authentication for the VPN client.
 isakmp ikev1-user-authentication none


acomiskey Fri, 08/01/2008 - 07:25

Your split tunnel acl is backwards.

access-list 102 extended permit ip
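The reply above says the split-tunnel ACL is backwards: on the ASA, an extended ACL used as a split-tunnel-network-list names the protected inside networks as the source and the VPN client pool as the destination, not the other way round. The following Python check is added here and is not part of the original thread; it parses a constructed sample config (the addresses are made up, since the poster's were stripped from the page) and flags any split-tunnel ACE whose source falls inside the local pool, handling the `any`, `host` and `network mask` address forms.

```python
import ipaddress, re

# Constructed sample (the poster's real addresses were stripped from the page).
# ACL 102 is backwards: the VPN pool is the source; ACL 103 is the corrected form.
SAMPLE_CONFIG = """
ip local pool testpool 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list 102 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
"""

def _take_addr(tok, i):
    """Consume one ACE address spec (any | host A | A MASK) at tok[i]; return (net, next_i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_pools(config):
    """Return {pool_name: [networks]} covering each 'ip local pool NAME FIRST-LAST' range."""
    return {m.group(1): list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}

def parse_acl(config, name):
    """Return [(src, dst)] for 'access-list NAME extended permit ip SRC DST' entries."""
    entries = []
    for m in re.finditer(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M):
        tok = m.group(1).split()
        src, i = _take_addr(tok, 0)
        dst, _ = _take_addr(tok, i)
        entries.append((src, dst))
    return entries

def split_tunnel_acl(config, policy):
    """Return the ACL named by the group-policy's split-tunnel-network-list, or None."""
    m = re.search(rf"^group-policy {re.escape(policy)} attributes\n(?: .*\n)*? split-tunnel-network-list value (\S+)", config, re.M)
    return m.group(1) if m else None

def check_split_tunnel(config, policy):
    """Flag split-tunnel ACEs whose source lies in a VPN pool (reversed entry)."""
    pool_nets = [n for nets in parse_pools(config).values() for n in nets]
    acl = split_tunnel_acl(config, policy)
    # The list must name the protected inside networks as source and the client pool
    # (or 'any') as destination; an 'any' source is not reversed, it tunnels everything.
    return [f"acl {acl}: {src} -> {dst} is backwards (source is the VPN pool)"
            for src, dst in parse_acl(config, acl or "")
            if src.prefixlen and any(src.overlaps(p) for p in pool_nets)]
```

Pointing `split-tunnel-network-list` at ACL 103 instead of 102 makes the check return no findings, which is the fix the reply describes.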

