ASA 5505 with Cisco VPN Client

Unanswered Question
Nov 17th, 2009


I have just set up my first ASA firewall. I have an L2L between my two sites set up without a problem. However, when I try to use the VPN client, it connects fine but I cannot get access to the remote LAN.

I have attached my config. Can anyone tell me where I'm going wrong?

branfarm1 Tue, 11/17/2009 - 08:13

Are the RemoteLAN addresses the networks listed in Access-list 101?

It looks like you have access-list 101 defined as a split-tunnel ACL for the VPNClt tunnel-group. With split tunneling you are telling the VPN client which networks to protect, or in other words, which networks to send down the tunnel. If you are trying to reach the remote LAN through the VPN client tunnel, you don't want to have split tunneling enabled.

You need access-list 101 as part of your L2L tunnel, so don't remove it.

milfrankrodriguez Tue, 11/17/2009 - 08:24

Thanks for your quick reply

Yes the RemoteLAN addresses are in 101

I have disabled split tunneling now but still can't seem to access remote lan

branfarm1 Tue, 11/17/2009 - 08:30

Since both VPNs are off the outside interface, your traffic is entering the ASA on the outside and then attempting to leave via the outside as well. Try using the "same-security-traffic permit intra-interface" CLI command, or check the "Enable traffic between two or more hosts connected to the same interface" box on the Interfaces page in ASDM.

branfarm1 Tue, 11/17/2009 - 08:35

Also, you will need to add to your NAT exemption list. Otherwise, as the traffic tries to leave via the outside interface, it will be PAT'd to your outside address.

Once you change the NAT exemption, you'll need to update your ACL 101 to make traffic sourced from, bound for the Remote LAN, use the VPN.

milfrankrodriguez Tue, 11/17/2009 - 08:46

I have updated my nat exempt list

I'm not sure what you mean by this :"you'll need to update your ACL 101 to make traffic sourced from, bound for the Remote LAN, use the VPN"

How do I do that?

branfarm1 Tue, 11/17/2009 - 08:57

If you look at your L2L vpn config, you're using ACL 101 to specify what is called "interesting traffic." This means that traffic that matches the ACL will either trigger the VPN to build (initially) or be sent to the VPN, instead of routing outside normally.

What you are attempting to do is have traffic coming from your VPNClt machines be able to reach the remote LAN via your L2L VPN. So you need to have the PIX recognize that traffic from your VPNClts destined for the RemoteLAN also needs to be sent to the VPN.

Your ACL 101 should be something like this:

access-list 101 extended permit ip

So if your local address range is and you are trying to reach and on the remote side, ACL 101 should be:

access-list 101 extended permit ip

access-list 101 extended permit ip

access-list 101 extended permit ip

access-list 101 extended permit ip

The other side of the L2L vpn will need a mirror of your ACL.

milfrankrodriguez Tue, 11/17/2009 - 09:03

Oh, I see. That is not what I am trying to do. The VPN client users will not be using the L2L VPN. They will probably be accessing from home.

branfarm1 Thu, 11/19/2009 - 19:58

Hi there -- just wanted to follow up and see if you were able to resolve your issue.  Did you figure out the setup you wanted?

milfrankrodriguez Fri, 11/20/2009 - 01:14


No, I haven't had a chance to look at it in the last couple of days. What I want is for staff to be able to access the main site ( from home or when on vacation. I can get the VPN client to connect fine, but for some reason when I try to access any resources on the remote LAN it doesn't work: no ping response from anything on the network.

kicharle Fri, 11/20/2009 - 01:35


I see acl 101 used for both split tunnel as well as vpn-filter.

Please remove the vpn-filter and see if you are able to connect to the remote LAN. I think that might be causing the issue.

With regards


milfrankrodriguez Fri, 11/20/2009 - 03:01

I have tried this but still no luck.

When the client connects I can ping the remote clients from the ASA but not from the internal network at the main site. So it seems as if the traffic is getting to the ASA but is not making it back out again. Does that sound right to you?

kicharle Fri, 11/20/2009 - 04:00

To which interfaces have you mapped VLAN 1 and 2? If you have connected the client in "client mode", you can't ping the remote clients from the main internal network. You can only ping from the remote client to the internal network behind the ASA.

With regards


jesslpete Fri, 11/20/2009 - 07:02

Thank you all, particularly branfarm1, for making this clear. I had the same question. I left split tunneling enabled and otherwise followed your outline, and a VPN client can now access networks at the other end of an L2L tunnel.

> same-security-traffic permit intra-interface

! Add the client pool (client_net)  to the split tunnel access list (from inside to remote_net) and the nat0 list.

> access-list split_acl extended permit client_net remote_net

> access-list inside_nat0 extended permit client_net remote_net

Do the mirror at the other end of the tunnel.

The client can still access its local lan and Internet which may or may not be desirable.
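To tie together branfarm1's interesting-traffic and NAT-exemption advice and jesslpete's working outline above, here is a complete ASA 8.x (PIX-style NAT) configuration fragment for the hairpin case: a Cisco VPN Client user terminating on the outside interface and reaching a LAN on the far side of an L2L tunnel that also terminates on the outside. This is an added example written for this thread, not any poster's attached config; every address, ACL name, pool name, peer and transform-set name in it is an assumption chosen for illustration (RFC 1918 and RFC 5737 ranges), so substitute your own. It uses a standard ACL for the split-tunnel list (only destination networks matter there) and deliberately omits the vpn-filter that kicharle flagged as a likely cause.

```cisco
! Assumed topology (illustration only, not the original poster's addresses):
!   main-site inside LAN ........ 192.168.1.0/24
!   remote LAN behind L2L peer .. 192.168.2.0/24   (peer public IP 203.0.113.2)
!   VPN Client address pool ..... 192.168.10.0/24

! 1. Allow traffic that enters on outside (VPN client) to leave on outside (L2L).
!    Without this the ASA drops the client -> remote-LAN packets as hairpinned.
same-security-traffic permit intra-interface

ip local pool VPNPOOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! 2. L2L "interesting traffic": inside -> remote AND client pool -> remote.
!    The second line is what sends VPN Client traffic into the L2L tunnel.
access-list L2L_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

! 3. Split-tunnel list: destinations the client protects. A standard ACL is
!    enough here; the remote LAN must be listed or the client never sends it.
access-list SPLIT_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_ACL standard permit 192.168.2.0 255.255.255.0

! 4. NAT exemption, otherwise VPN traffic is PAT'd to the outside address
!    before it reaches the crypto map and never matches L2L_ACL.
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (outside) 0 access-list outside_nat0

! 5. Remote-access group policy. Note: NO "vpn-filter" line. Re-using the
!    crypto/split ACL as a vpn-filter blocks client traffic, since a filter
!    is matched with the client's pool address as the source.
group-policy VPNCLT_GP internal
group-policy VPNCLT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

tunnel-group VPNCLT type remote-access
tunnel-group VPNCLT general-attributes
 address-pool VPNPOOL
 default-group-policy VPNCLT_GP
tunnel-group VPNCLT ipsec-attributes
 pre-shared-key <client-psk>

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <l2l-psk>

! 6. Crypto map: the static L2L entry must have a lower sequence number than
!    the dynamic entry that catches the remote-access clients.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! 7. Mirror on the remote peer (its crypto ACL and nat0 list must include the
!    client pool as a destination, or its return traffic is not encrypted):
!   access-list L2L_ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!   access-list L2L_ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
!   access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!   access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
```

The quick checks once this is in place: `show crypto ipsec sa peer 203.0.113.2` should show a second SA with local ident 192.168.10.0/24 after a client pings the remote LAN, and `packet-tracer input outside icmp 192.168.10.5 8 0 192.168.2.10` should end in the VPN encrypt phase rather than a NAT or ACL drop. If the client still cannot reach the remote LAN but can reach the main-site inside LAN, the mirror ACL on the far peer is the usual culprit.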

