Cisco ASA 5505 VPN problem

Sep 6th, 2008

I've got a new 5505, and I've run through two wizards: one to start up, one to add client VPN. As a result, I can now connect from a client, the client gets the right info (IP address, DNS, gateway), but it cannot connect to any of the servers on the 'inside' network. The config is here:

I've tried a lot of different things, but I cannot seem to get what's going wrong. Any clues would be very welcome!

JORGE RODRIGUEZ Sat, 09/06/2008 - 07:16


I strongly suggest always using a different IP scheme for each of the VPN RA tunnels, and that they not be the same as any of the ASA inside interfaces.

interface Vlan1

ip address

ip local pool vpnhaarlem mask

For vpnhaarlem, do the following.

Use a unique private IP scheme for it, as you have done with rotterdam; as an example, let's use


no ip local pool vpnhaarlem mask


ip local pool vpnhaarlem mask

This first ACL line is OK, but personally I suggest being more granular, allowing the specific RA tunnel group networks and not just permit ip any; again, an example for network .

Stick with one no-NAT ACL for RA tunnels, like inside_nat0_outbound; remove the 1 and 2, otherwise you will have to create more nat (inside) access-list statements for RA networks.


no access-list inside_nat0_outbound_1 extended permit ip any

no access-list inside_nat0_outbound extended permit ip


access-list inside_nat0_outbound extended permit ip

For the rotterdam tunnel group it is fine with a unique IP scheme; I would apply my suggestion above.

no access-list inside_nat0_outbound_2 extended permit ip

access-list inside_nat0_outbound extended permit ip

Re-adjust the no-NAT ACL statement below:

no nat (inside) 0 access-list inside_nat0_outbound_2

nat (inside) 0 access-list inside_nat0_outbound

Let us know how it works out.



JohnSinteur Sat, 09/06/2008 - 07:22

I saw the same behaviour with the rotterdam scheme, but I'll go back and try your suggestions. I'll be back with results later.

JohnSinteur Sat, 09/06/2008 - 09:59

Here's what I did: I gave the outbound interface the IP address it is going to get when I move it to the datacenter, and gave a laptop an address in the same class C for testing. I removed one of the policies (rotterdam) and moved haarlem to . I changed the ACLs you mentioned, and no change.

The VPN client gets a address, and a default gateway (which it cannot ping, by the way).

Still no luck accessing any of the 192.168.6.x servers.

New config is here:

Did I overlook any of your suggestions?

JORGE RODRIGUEZ Sat, 09/06/2008 - 14:45

Did you do this through ASDM? Better do it through the CLI.

You are missing:

nat (inside) 0 access-list inside_nat0_outbound

Try again.

Also, you have removed the split tunnel ACLs; unless you will do full tunnel to allow RA internet access through your ASA, you will have to add these two lines:

same-security-traffic permit intra-interface

nat (outside) 1
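The advice in the two posts above (one pool per tunnel group that does not overlap the inside subnet, a single NAT-exempt ACL, and that ACL actually bound with nat (inside) 0) can be checked mechanically. The following Python checker is an added example, not code from the thread or from Cisco; the two embedded configs are constructed with placeholder addresses and the ACL and pool names are assumed to follow the thread's naming.

```python
import ipaddress
import re

# Constructed sample (placeholder addresses, not the poster's real ones) with the
# mistakes raised in the thread: a pool carved from the inside subnet, two nat0 ACLs, one unbound.
BROKEN_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.6.1 255.255.255.0
ip local pool vpnhaarlem 192.168.6.200-192.168.6.220 mask 255.255.255.0
ip local pool vpnrotterdam 10.10.20.1-10.10.20.50 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.6.192 255.255.255.224
access-list inside_nat0_outbound_2 extended permit ip 192.168.6.0 255.255.255.0 10.10.20.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound_2
"""

# The same box after the advice: unique pools, one NAT-exempt ACL, bound with nat (inside) 0.
FIXED_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.6.1 255.255.255.0
ip local pool vpnhaarlem 10.10.30.1-10.10.30.50 mask 255.255.255.0
ip local pool vpnrotterdam 10.10.20.1-10.10.20.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.10.20.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
"""

def audit_ra_vpn(config):
    """Return a list of findings about the remote-access VPN / NAT-exempt setup."""
    findings = []
    # Inside subnet: the "ip address A M" line that follows "nameif inside".
    m = re.search(r"nameif inside\n ip address (\S+) (\S+)", config)
    inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None
    for name, first, last in re.findall(r"ip local pool (\S+) (\S+)-(\S+)", config):
        if inside and any(ipaddress.ip_address(ip) in inside for ip in (first, last)):
            findings.append(f"pool {name} overlaps the inside subnet {inside}")
    nat0 = set(re.findall(r"access-list (inside_nat0_outbound\S*) extended permit ip", config))
    if len(nat0) > 1:
        findings.append("several NAT-exempt ACLs: " + ", ".join(sorted(nat0)))
    if re.search(r"access-list inside_nat0_outbound\S* extended permit ip any ", config):
        findings.append("NAT-exempt ACL uses 'permit ip any'; match the inside network instead")
    bound = set(re.findall(r"nat \(inside\) 0 access-list (\S+)", config))
    if not bound:
        findings.append("no 'nat (inside) 0 access-list' line binds a NAT-exempt ACL")
    for acl in sorted(nat0 - bound):
        findings.append(f"ACL {acl} is defined but not bound with 'nat (inside) 0'")
    return findings
```

Run `audit_ra_vpn` over the text of `show running-config`; an empty list means none of the three problems is present.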

JohnSinteur Sun, 09/07/2008 - 01:38

Just did all three things in the CLI, as can be seen at

No change - the client gets, default gateway (which it cannot ping), and it fails to reach 192.168.6.x

(oh, and by the way: thank you for all the effort you're putting in this - it is much appreciated!)

JohnSinteur Sun, 09/07/2008 - 05:25

I did that through the CLI, saw no difference in client behaviour.

The weird thing is that if I compare the running-config after that cli command with the asaconfig3.txt file linked earlier, there's no difference at all.

JORGE RODRIGUEZ Sun, 09/07/2008 - 05:45

Just to make sure, are your servers off the inside interface?

Check the server hosts to ensure they don't have Windows Firewall turned on; otherwise we'll have to debug.

JohnSinteur Sun, 09/07/2008 - 05:50

Yes, they are connected to the network on the "inside" interface, and they can reach each other, so firewalls aren't an issue there. They can also reach the ASA, and the ASA can reach them.

JORGE RODRIGUEZ Sun, 09/07/2008 - 06:28

Are you able to see the ASDM real-time log when the client is connected? It would help to see the logs while they try pinging an inside host.

Also, while the client is connected, log in to the firewall and issue the command below; post the output of this.

show crypto ipsec sa

JohnSinteur Sun, 09/07/2008 - 06:35

Before the client connects:

Result of the command: "show crypto ipsec sa"

There are no ipsec sas

After the client connects:

Result of the command: "show crypto ipsec sa"

The command has been sent to the device

(and no further output)

Contact me off the mailing list at [email protected]; I may be able to give you access to the device after I've put it in a datacenter tomorrow morning (Greenwich+1 time).

