VPN Establishes Correctly Unable to access Internal Networks

Unanswered Question

I have a new 5505 with a fairly base config. Please provide guidance on the following. I can connect to the ASA (it is at a remote location) with no issue over VPN. From the ASA I can ping a switch that hangs off of a directly connected interface. I cannot ping or ssh/telnet to the switch from my desktop. My question is: what things are needed to make this happen? I guess I'm generally a bit fuzzy on the logic the fw uses when dealing with VPN clients. Also, I am NOT using split tunneling...everything goes through the IPSEC tunnel. Thanks.

sziaulla Thu, 08/06/2009 - 14:17
User Badges:
  • Cisco Employee,

Can you please check if your switch knows how to get back to the pool address?

Do you have NAT configured on the ASA? Can you please send me the output of "show run nat" and "sh run global" from the ASA?



dc-dfw01# sho run | grep pool
ip local pool dimension mask
address-pools none
address-pool dimension

dc-dfw01# sho route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, inside
C is directly connected, outside
S [1/0] via, outside
C is directly connected, _internal_loopback
S* [1/0] via, outside

dc-dfw01# sho run nat
nat (outside) 1
nat (outside) 1
nat (inside) 0 access-list inside_nat0_outbound_1

dc-dfw01# sho run global
global (outside) 1 interface


Please let me know if you need any additional info.


sziaulla Fri, 08/07/2009 - 07:16
User Badges:
  • Cisco Employee,

Why do you have this statement:

nat (outside) 1

Is it because you want these clients to go to the internet via this VPN connection?

I think the show route output you sent is from the firewall? Can you please send me the show route from the switch?

Also, can you please send me the contents of the ACL "inside_nat0_outbound_1"?



acomiskey Fri, 08/07/2009 - 07:25
User Badges:
  • Green, 3000 points or more

Sounds like this is just a NAT-T issue. Do you have this?

crypto isakmp nat-traversal


isakmp nat-traversal
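The three things the replies ask about (a nat 0 exemption covering inside-to-pool traffic, a route on the switch back to the pool, and NAT-T enabled) can be checked mechanically against pasted show output. The script below is an added example, not code from this thread or from Cisco; the addresses, pool, interface names and show-output lines in it are constructed placeholders, since the poster's real values are blanked on the page.

```python
"""Checks for what this thread asks about: the ASA nat 0 ACL must exempt
inside<->VPN-pool traffic, the switch needs a route back to the pool, and NAT-T
should be on.  All addresses are constructed placeholders (the poster's are blanked)."""
import ipaddress
import re

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")   # hypothetical inside LAN
VPN_POOL = ipaddress.ip_network("192.168.200.0/24")    # hypothetical client pool
ASA_INSIDE_IP = ipaddress.ip_address("192.168.10.1")   # hypothetical ASA inside IP
# Constructed "show access-list" output for the nat 0 exemption ACL.
NAT0_ACL = ["access-list inside_nat0_outbound_1 extended permit ip "
            "192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0"]
# Constructed "show ip route" lines from the inside switch.
SWITCH_ROUTES = ["C    192.168.10.0/24 is directly connected, Vlan10",
                 "S*   0.0.0.0/0 [1/0] via 192.168.10.1"]
# Constructed "show run" fragment from the ASA.
ASA_CONFIG = ["crypto isakmp enable outside", "crypto isakmp nat-traversal"]

def _take_net(toks):
    """Consume one ACE address operand: 'any', 'host A', or 'A MASK'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)

def nat_exemption_covers(acl_lines, inside, pool):
    """True if a 'permit ip' ACE covers the whole inside net to the whole pool."""
    for line in acl_lines:
        toks = line.split()
        if "permit" not in toks or toks[toks.index("permit") + 1] != "ip":
            continue
        toks = toks[toks.index("permit") + 2:]
        src, dst = _take_net(toks), _take_net(toks)
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return True
    return False

ROUTE_RE = re.compile(r"^\S+\s+(\S+/\d+)(?:.*?\bvia (\S+))?")

def switch_has_return_route(route_lines, pool, asa_inside_ip):
    """True if a route (a default counts) covers the pool with the ASA as next hop."""
    for line in route_lines:
        m = ROUTE_RE.match(line)
        if (m and m.group(2) and pool.subnet_of(ipaddress.ip_network(m.group(1)))
                and ipaddress.ip_address(m.group(2)) == asa_inside_ip):
            return True
    return False

def nat_traversal_enabled(config_lines):
    """True if either form of the NAT-T command quoted in the thread is present."""
    return any(re.search(r"\bisakmp nat-traversal\b", l) for l in config_lines)
```

If the first check fails, client traffic to the switch gets translated by the interface PAT instead of being exempted; if the second fails, the switch replies go somewhere other than the ASA and the ping from the desktop times out even though the ASA itself can reach the switch.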

