Cisco VPN client not working from behind ASA.

Unanswered Question
Dec 5th, 2008
User Badges:


We have two Sites R1 and R2 are connected to Internet.

Host from site R1 ( user 1) is connected to ASA2 outside interface via cisco VPN client .

User get connected to ASA 2 VPN but is not able to access the remote site network. It gets a ip form the pool defined in the ASA2. ( but is do not receive default gateway).

As Host user1 is getting connected to ASA2 by VPN connectivity , internal ip address of user1 undergoes NAT ( and global) in ASA1.

So now user machine has two IP address first is the normal LAN Ethernet IP address and second which it gets from ASA2 VPN pool.

Most likely it is due to NAT traversal that the user1 IP undergoes while connecting to ASA2. When it was connected by direct internet connectivity ( DSL Brodaband Cable) everything works well as user1 gets a real public address from ISP.

Any experience please share.

Thanks in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
andrew.prince@m... Fri, 12/05/2008 - 07:54
User Badges:
  • Green, 3000 points or more


1) Are you using the same IP subnet both sites?

2) Have you configured "sp0lit-tunneling" on the client VPN?

3) Do you have a VPN between ASA1 and ASA2 ?


bapatsubodh Fri, 12/05/2008 - 08:17
User Badges:


we are not using the same IP subnet on both sides?

we have configured Split-tunnel oon our ASA ( ASA1 do we need some ) do we need to add this remote networks in this?

Do we need to do some settings at remote ASA ( that is ASA2 ) also.

we dont have site-to-site ( lan-to-lan ) connectivity between ASA1 and ASA2.



andrew.prince@m... Fri, 12/05/2008 - 08:19
User Badges:
  • Green, 3000 points or more

Do the routing/switching devices on the ASA2 site know how to route to the VPN IP Pool address subnet?

bapatsubodh Fri, 12/05/2008 - 12:05
User Badges:


Yes, It does know as , when connected with DSLBroadband modem it gets the IP from the same pool and work fine.

I think it is some thing to do with IPSEC with NAT traversal enabled.

Please share ur experience.



mathias.mahnke Sat, 12/06/2008 - 12:19
User Badges:

Some time ago I had the same issue. Enable IPSEC NAT-T capability on the VPN server headend and everything was working fine for Cisco VPN clients behind a router / ASA.


This Discussion