Remote access VPN on Cisco ASA 5510

Unanswered Question
Jan 8th, 2009

We have established MPLS connectivity to the remote client end. All users in the LAN are able to access the remote end servers through PAT over the MPLS circuit:

nat (inside) 10 access-list mpls_traffic
global (MPLS) 10 interface

The problem is that users who dial in through the internet cannot access the remote end servers through the MPLS interface PAT.

So the access path for C2S (client-to-site) users is like this:

Dial-in VPN -> ASA -> MPLS interface (PAT) -> remote end servers.



ASA Version 7.2(4)
hostname ciscoasa
enable password xxx
passwd xxx
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 125.x.x.x.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
ftp mode passive
access-list 101 extended permit ip
access-list 101 extended permit ip
access-list allowlan extended permit ip
access-list allowlan extended permit ip
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool mypool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (dmz) 5 interface
nat (inside) 5 access-list 101
route outside 1
route dmz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto dynamic-map dyn1 20 set transform-set test
crypto map mymap 30 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
username xx password xxx encrypted
username xx password xxx encrypted privilege 15
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 address-pool mypool
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end

sachinraja Thu, 01/08/2009 - 05:49

Hello Girish,

Are they getting an IP address from the ASA after dialing in? I see an IP pool on the ASA. Are these for the remote access users? This could be a problem with the routing somewhere, especially with reverse routing. Check on the MPLS router whether you have routed the IP pool.

Uff. Before that: is the VPN terminating on the inside interface? I see a PAT for the 100.0 IP pool towards the outside interface? But I thought you said you are doing a remote dial-in from the internet? The internet zone would be outside, right?



kirk.mihalkovit... Wed, 02/04/2009 - 12:20

You want to add an access-list for the networks you do not want NAT applied to, such as the VPN RA network your config is set up for.

Try adding:

access-list NONAT_NETWORK extended permit ip
! The 0 in the next line exempts the access-list NONAT_NETWORK from being NATted
nat (inside) 0 access-list NONAT_NETWORK

connectone Wed, 02/04/2009 - 13:18


From your config, did you try using same-security-traffic permit intra-interface?
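An added example, not from any poster in this thread, that puts the NAT exemption and the same-security-traffic suggestions above next to the piece the original nat (inside)/global (MPLS) pair does not cover: traffic from the VPN pool enters the ASA on the outside interface, so it needs its own policy NAT from outside to MPLS. The LAN, VPN pool, MPLS server network and next hop are constructed RFC 5737 placeholders; the interface name MPLS, the pool name mypool and the ACL name NONAT_NETWORK come from the thread; the security level of the MPLS interface is not shown in the post and is assumed.

```cisco
! --- constructed placeholder addressing (RFC 5737 documentation ranges) ---
! inside LAN        : 192.0.2.0/24
! remote-access pool: 198.51.100.0/24  (mypool)
! MPLS-side servers : 203.0.113.0/24
ip local pool mypool 198.51.100.10-198.51.100.100 mask 255.255.255.0

! 1. Identity NAT (kirk's suggestion): LAN <-> VPN-client traffic must not be
!    translated, otherwise the return path from the LAN breaks.
access-list NONAT_NETWORK extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_NETWORK

! 2. Policy PAT for VPN clients reaching the MPLS servers. The existing
!    "nat (inside) 10" only matches packets arriving on inside; decrypted
!    VPN packets arrive on outside, so they need a nat statement on outside
!    that pairs with the same global id on the MPLS interface.
access-list vpn_to_mpls extended permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (outside) 10 access-list vpn_to_mpls
global (MPLS) 10 interface
! Assumption: if the MPLS interface has a higher security level than outside (0),
! pre-8.3 ASA requires the trailing "outside" keyword on that nat line instead:
!   nat (outside) 10 access-list vpn_to_mpls outside

! 3. Route the server network out the MPLS interface (next hop is a placeholder).
route MPLS 203.0.113.0 255.255.255.0 203.0.113.1 1

! 4. Let decrypted VPN traffic bypass the outside interface ACL (default on 7.x,
!    shown explicitly so it is not silently missing).
sysopt connection permit-vpn

! 5. connectone's suggestion, only needed when MPLS shares security level 0 with
!    outside (inter-interface) or when traffic must hairpin back out of outside
!    (intra-interface). Harmless if enabled and not needed.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
```

After applying it, "show xlate" while a VPN client browses an MPLS server should show a translation from the 198.51.100.x client address to the MPLS interface address; if none appears, the nat (outside) statement is not matching the decrypted traffic.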

