ASA 5505 VPN Network access problem

Unanswered Question
Nov 24th, 2008
User Badges:

I have been working on this thing all night and I can't seem to get any where. I have a very straight forward set up, and so far the only issue I'm having is being able to access the network when connected through VPN, I have internet access, but nothing else and it's really strange.

Here is my config, I thought this would be a pretty straight forward set up, and I got everything else up and running with in a few minutes, but not being able to access the network via VPN is frustrating after I have tried all night to get it to work. I have read a lot of stuff online, and I keep on thinking im close but never get anywhere. Any help is appreciated.

Attached is the config.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

I have a few comments on your config:-

1) Do you only have the network on the inside?

2) Do you have a router on the inside?

3) I do not see any no-nat statements from the inside IP subnet to the RVPN subnet

4) I don't think The DNS will work over the RVPN, as you have not configured "Hairpining"

5) Do you really want to tunnel everything over the RVPN?

6) Why have you applied an allow ALL filter on the RVPN - by default nothing is blocked.

Some food for thought!


grant.maynard Thu, 12/04/2008 - 15:49
User Badges:
  • Silver, 250 points or more

Your NAT config confuses me. Are those "static (inside,inside)" lines for real?

try this:

no global (inside) 1 interface

no nat (T1) 1 access-list outside_nat dns

nat (inside) 0 access-list Local_LAN_Access

And remove those dodgy "static (inside,inside)" NATs!

I recommend staying with tunnelling everything.

You should tighten "access-list T1_access_in" because at the moment all IP is allowed from the internet to those "static (inside,T1)" NATs.

If you put "no sysopt connection permit-vpn" then all VPN traffic is forced through "access-list T1_access_in" - an easy way of filtering it.

I would tighten "access-list inside_access_in" but unapply and remove "access-list inside_access_out".


This Discussion