asa vpn client unable to access internal network

Unanswered Question
May 12th, 2009


Please, if someone could take a look at my config and see what the problem is, that would be greatly appreciated. The client connects fine but I can't ping the inside interface or any networks.

thank you

JORGE RODRIGUEZ Wed, 05/13/2009 - 12:35


I would begin with the most common issue.

Enable NAT-Traversal

asa(config)#crypto isakmp nat-traversal 20

Let me know if there is no joy after you enable NAT-T; we'll then look closely at your nat exempt rule, but enable NAT-T first and have RA clients connect.


Rate any helpful posts.

soujern69 Wed, 05/13/2009 - 12:57

Thanks Jorge,

I tried that with no luck. Once connected I can't access anything or ping the inside interface.

So must be natting or my inside routes?

Thank you!

JORGE RODRIGUEZ Wed, 05/13/2009 - 13:50

OK, we have to understand your topology. I looked at your config carefully and I'm puzzled by some of the route statements. Before looking at the nonat ACL for the RA network and your inside networks, could you clarify the points below.

Why do you have these routes in there? The is your RA VPN pool coming through the outside interface RA.

You are telling the ASA to route the network through three different gateways, etc.

route inside 1

route inside 1

route inside 1 is your RA VPN pool

Also, you have different networks being routed through various gateways connected to the inside interface?

Are these actual routers? And do these gateways have any of their interfaces connected to the network?


What networks do you really have on the inside? Is it via the inside interface Ethernet0/1?

Your RA pool and nonat ACL would be something like:

no access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip

Could you clarify your networks being routed through the inside interface if any?


soujern69 Wed, 05/13/2009 - 14:13


My scenario is as follows.

We have 3 campuses and need the ASA for VPN only:

Campus 1

Core switch

Campus 2

Core switch

Campus 3 (asa location)

Core switch

On campus 1 I need to access 134.*.**6.0

On campus 2 I need to access 134.*.**0.0

On campus 3 I need to access 204.*.*.0

The config is a mess because I've tried a few different things and am not very familiar with the ASA.

If you need any other info let me know and I'll be happy to provide it. I did have this working at one time, but messed something up so cleared the config and started from scratch.

Thank you!

JORGE RODRIGUEZ Wed, 05/13/2009 - 14:56


Thanks for providing additional information; it does indeed help. A simple diagram would also help if you can.

I believe your problem can be easily fixed. I would suggest starting simple: the key is to first work with the actual ASA interfaces, especially your inside interface, which I would assume has a connection to the Campus 3 Core_switch_172.16.250.50 with an SVI interface under 10.1.3.x/24.

Do the rest of your networks from campus 1 and 2 connect to Core_switch_172.16.250.50? If so, you can then instruct the ASA to route those networks via the inside interface to the Campus 3 core switch. Again, a diagram would help a bit to see.

Suggestion:

1- Remove all these routes that pertain to the RA VPN pool network:

no route inside 1

no route inside no 1

no route inside 1

no route inside 1

no route inside 1

no route inside 204.*.*.240 1

Then correct this ACL. We could tailor the nonat ACL later with a better ACL summarizing all your inside networks for the RA network to access them.

no access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip

At least get the RA VPN to talk to hosts in the network.



I will check the post a bit later to further assist you.

soujern69 Thu, 05/14/2009 - 05:27

Good morning Jorge,

I've attached the latest config and have tried to make the changes you suggested. Currently from the client I'm still unable to access any networks, but I can telnet into the inside interface and have access to everything. I'm still not sure how to add an accurate inside route, so I removed these for now until I hear back from you. So my guess is it's either my natting or inside routes that I have incorrect. Yes, the other networks do connect to the core at my location/ASA site.

I very much appreciate your help and taking the time to look at this.

Thank you,


JORGE RODRIGUEZ Thu, 05/14/2009 - 09:48

Hi Steven, thanks for the update.

OK, if I understand correctly, your VPN RA pool network can now access your inside interface and any hosts within the network. Please confirm.

For the other networks we need to know the following.

Does your ASA inside interface, located in the Campus 3 location, have a connection to the core switch_172.16.250.50 under that same ASA inside subnet? If so, what is its IP address? That is where you will route the rest of your campus networks, provided the Campus 3 core switch/router knows of all other inside networks.

For example.

Your ASA inside interface connecting to the Campus 3 core switch must have an interface under the same VLAN as the inside interface of the ASA. Say, for the sake of example, that the core switch in campus 3 has an interface IP of 10.1.3.XX.

Are these networks behind your ASA?

If so, these have to be routed through the Campus 3 core switch/router behind your inside ASA interface.

The routes in the ASA would be:

route inside 10.1.3.XX 1

route inside 10.1.3.XX 1

route inside 10.1.3.XX 1

I still have a feeling we're not getting the complete picture of your inside. Your point of entry for RA VPN is in the CAMPUS 3 core switch; how are the other campuses connected to campus 3? Can you provide a diagram?
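The pieces Jorge is describing across his replies (NAT-T, a nonat ACL scoped to the real inside networks instead of "permit ip any any", and static routes to the other campuses via the Campus 3 core switch) fit together as below. This is an added example in pre-8.3 ASA NAT syntax, not the original poster's config or Jorge's; the inside address 10.1.3.1, the core switch SVI 10.1.3.2, the pool 192.168.100.0/24 and the campus networks 192.0.2.0/24 and 198.51.100.0/24 are placeholders standing in for the obfuscated 134.* and 204.* networks.

```cisco
! Added example (not from the thread): ASA 8.2-style remote-access pieces.
! Assumed addressing: inside = 10.1.3.1/24, Campus 3 core SVI = 10.1.3.2,
! RA pool = 192.168.100.0/24, Campus 1/2 networks = 192.0.2.0/24, 198.51.100.0/24.

! Let IKE detect a client behind a NAT device (Jorge's first step)
crypto isakmp nat-traversal 20

! Pool handed to remote-access clients. The ASA owns this range, so it must
! never appear as a destination in a "route inside" statement.
ip local pool RA_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

! NAT exemption: only traffic from the real inside networks to the pool is
! exempted. "permit ip any any" exempts everything from NAT and hides mistakes.
access-list inside_nat0_outbound extended permit ip 10.1.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 198.51.100.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Campus 1 and 2 networks sit behind the Campus 3 core switch, so the ASA
! reaches them through that switch's address on the inside VLAN.
route inside 192.0.2.0 255.255.255.0 10.1.3.2 1
route inside 198.51.100.0 255.255.255.0 10.1.3.2 1

! Return path, configured on the core switch (IOS), not on the ASA: replies
! for the pool must come back to the ASA inside address or they never reach
! the tunnel.
!   ip route 192.168.100.0 255.255.255.0 10.1.3.1

! Verification from the ASA, with placeholder hosts:
!   show route
!   packet-tracer input inside icmp 192.0.2.10 8 0 192.168.100.5
!   packet-tracer input inside tcp 192.0.2.10 3389 192.168.100.5 50000
```

The packet-tracer runs simulate a campus host replying to a VPN client; the NAT phase should show the nat0 exemption matching and the route phase should point at the outside interface (the tunnel), which is the quickest way to tell a NAT problem from a routing problem. Keeping the exemption ACL to specific subnets also means the ASA only bypasses translation for traffic that is supposed to cross the tunnel.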


soujern69 Thu, 05/28/2009 - 07:40

Hello Jorge/all,

I've still been working on this and am at this point. I can connect to the vpn fine and ping everything at site 1 where the asa is located. Although I can ping a public server at 204 at site 1 I can't rdp into it which I need to do.

On sites 2 & 3 I'm unable to ping or access anything. What I need from these 2 sites is RDP access to the public 134 addresses and nothing else.

I've tried to create a rough diagram to see if that will help you see our layout a little better.

The state controls the 3 routers connecting the campuses and has opened up the appropriate ports on site 1, so I know that is good.

On my workstation right now I have a 10.1.3 private address and am able to access everything at all locations when not going through the VPN. So I'm thinking I must be missing something quite simple.

I'll also attach the latest config.

Thank you!!
