Remote user in vpn pool subnet fails to reach inside network subnet

Unanswered Question
Mar 19th, 2010

I have an ASA 5505 configured for AnyConnect remote VPN access. VPN users get IP addresses in the network and the inside network is I have followed the instructions from pretty much to the letter but it does not work. It feels like a rather common thing to do, so I'm a little surprised that the example fails for me. I am a newbie when it comes to configuring Cisco routers though, so I may have missed something that would be obvious to anyone else.

My configuration:

ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list split-tunnel standard permit
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpngroup internal
group-policy vpngroup attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
  svc keep-installer installed
  svc rekey time none
  svc rekey method ssl
  svc ask none default svc
tunnel-group RemoteVpnTunnelGroup type remote-access
tunnel-group RemoteVpnTunnelGroup general-attributes
address-pool vpnpool
default-group-policy vpngroup
tunnel-group RemoteVpnTunnelGroup webvpn-attributes
group-alias anyvpn enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

What the log says when I try to ping from to

No translation group found for icmp src outside: dst inside: (type 8, code 0)

What the log says when I try to access files on from

No translation group found for tcp src outside: dst inside:

No translation group found for tcp src outside: dst inside:

/Måns Tånneryd

Jennifer Halim Fri, 03/19/2010 - 02:35

You are missing the following:

access-list nonat permit ip

nat (inside) 0 access-list nonat

mtanneryd Fri, 03/19/2010 - 02:40

Thanks! I'll try that as soon as I'm back at the office.


mtanneryd Fri, 03/19/2010 - 06:07

Well, I got rid of the "no translation group" messages but I'm still not getting through. Trying to access files on 192.168.1 from 192.168.10 results in lots of log messages like:

Built inbound UDP connection 273 for outside: ( to inside: ( (mtanneryd)

Teardown TCP connection 286 for outside: to inside: duration 0:00:00 bytes 148 TCP FINs (mtanneryd)

Running a packet tracer shows me that the firewall is dropping the packets because the first implicit rule (permit any - any less secure) appears not to match the traffic and the second is the default any-any deny rule.


Jennifer Halim Fri, 03/19/2010 - 15:19

Can you add the following and see if you can ping to your internal network:

policy-map global_policy

   class inspection_default

        inspect icmp

From the logs, it seems to have built the connection (as you can see the FIN packet).

Can you try to telnet on port 80 to see if you have connectivity (telnet 80)
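Pulling the two answers above together, here is an added example (my own code, not Cisco's and not the poster's configuration) that audits an ASA 8.2-style running config for the three items raised in this thread: a nat (inside) 0 access-list exemption whose ACL is written from the inside network to the VPN pool, a split-tunnel list that actually contains the inside network, and inspect icmp in the global policy. The page elides the real addresses, so the inside network 192.168.1.0/24 and the pool 192.168.10.10-192.168.10.50 are assumptions built from the 192.168.1 / 192.168.10 mentioned later in the thread, and the sample config is constructed.

```python
"""Audit an ASA 8.2-style running config for the fixes this thread converges on.
Added example: not Cisco code and not the original poster's configuration.
Subnets are assumptions (the page elides them): inside 192.168.1.0/24,
AnyConnect pool 192.168.10.10-192.168.10.50."""
import ipaddress
import re

# Constructed sample: the thread's fixes applied to the assumed topology.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.10-192.168.10.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy vpngroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
"""

# Approximation of the starting point in the question: no NAT exemption, no ICMP inspection.
BROKEN_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines()
                          if "nonat" not in l and "inspect icmp" not in l)


def _net(addr, mask):
    """'192.168.1.1 255.255.255.0' -> IPv4Network('192.168.1.0/24')."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _acl_operand(t, i):
    """Parse one ACL address operand (any | host A | A MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(f"{t[i + 1]}/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def interface_networks(config):
    """Map nameif -> connected IPv4Network for every interface with a static address."""
    nets, cur = {}, {}
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        s = line.strip()
        if s.startswith("interface "):
            if "nameif" in cur and "net" in cur:
                nets[cur["nameif"]] = cur["net"]
            cur = {}
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            t = s.split()
            if len(t) >= 4 and t[2] != "dhcp":
                cur["net"] = _net(t[2], t[3])
    return nets


def local_pools(config):
    """Map 'ip local pool' name -> list of networks exactly covering its address range."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        lo, hi = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
        pools[m.group(1)] = list(ipaddress.summarize_address_range(lo, hi))
    return pools


def acl_entries(config, name):
    """(src, dst) networks for the permit lines of an ACL; standard ACLs yield (net, None)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name or t[3] != "permit":
            continue
        if t[2] == "standard":
            entries.append((_acl_operand(t, 4)[0], None))
        elif t[2] == "extended" and t[4] == "ip":  # only 'permit ip' lines matter for NAT exemption
            src, i = _acl_operand(t, 5)
            dst, _ = _acl_operand(t, i)
            entries.append((src, dst))
    return entries


def nat_exemption_covers(config, inside_if="inside"):
    """True when every address of every local pool is matched by a 'nat (inside) 0 access-list'
    entry written inside-network -> pool. Direction matters: nat (inside) applies to inside
    addresses as the source, so an entry written pool -> inside does not exempt the inside hosts."""
    inside = interface_networks(config).get(inside_if)
    pools = local_pools(config)
    if inside is None or not pools:
        return False
    exempt = []
    for m in re.finditer(rf"^nat \({re.escape(inside_if)}\) 0 access-list (\S+)", config, re.M):
        exempt += acl_entries(config, m.group(1))
    return all(any(inside.subnet_of(src) and dst is not None and chunk.subnet_of(dst)
                   for src, dst in exempt)
               for chunks in pools.values() for chunk in chunks)


def split_tunnel_covers(config, inside_if="inside"):
    """True when every split-tunnel-network-list referenced by a group-policy includes the inside network."""
    inside = interface_networks(config).get(inside_if)
    names = re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if inside is None or not names:
        return False
    return all(any(inside.subnet_of(net) for net, _ in acl_entries(config, n)) for n in names)


def icmp_inspected(config):
    """True when some policy-map class carries 'inspect icmp', so echo replies are let back through."""
    return re.search(r"^\s*inspect icmp\b", config, re.M) is not None


def audit(config):
    """Run the three checks; each False corresponds to one of the fixes proposed in the thread."""
    return {"nat_exemption": nat_exemption_covers(config),
            "split_tunnel": split_tunnel_covers(config),
            "inspect_icmp": icmp_inspected(config)}


if __name__ == "__main__":
    for label, cfg in (("starting point", BROKEN_CONFIG), ("with fixes", SAMPLE_CONFIG)):
        print(label, audit(cfg))
```

Run as-is, the "starting point" fails the NAT-exemption and ICMP checks and the fixed config passes all three; feeding it a nonat ACL written pool-to-inside also fails, which is the direction mistake that keeps "no translation group found" showing up even after an exemption is added. One caveat on the packet-tracer result reported earlier in the thread: a packet-tracer injected on the outside interface with a pool source address is not treated as decrypted VPN traffic, so it is evaluated against the outside interface ACL instead of getting the bypass that sysopt connection permit-vpn (on by default) gives real AnyConnect flows. The Built/Teardown syslog lines are the better evidence that the flow is actually being set up.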

patrik.spiess Fri, 03/19/2010 - 02:43

By default every connection needs to pass a NAT command. If you do not use NAT, use the following command in global configuration mode:

no nat-control

In this case you don't need to configure a NAT exemption.


Jennifer Halim Fri, 03/19/2010 - 02:45

Well, there is already a NAT statement configured, so I assume that NAT is required, hence the need to configure NAT exemption.

patrik.spiess Fri, 03/19/2010 - 02:50

Ok, my suggestion was not precise enough.

nat-control just enforces that every connection goes through a NAT rule. This may lead to using NAT exemption rules.

If you disable nat-control then NAT is optional. So with nat-control disabled you're still able to configure NAT rules. But for those connections that do not need to be NATed you don't have to use NAT exemption rules.


Jennifer Halim Fri, 03/19/2010 - 02:54

Unfortunately, after you disable "nat-control" and you have a NAT configuration, that turns "nat-control" on automatically, therefore you still need to configure NAT exemption.

For example:

no nat-control

nat (inside) 1 0 0    <--- this statement turns the nat-control back on.

Therefore, you need to configure nat exemption:

nat (inside) 0 access-list nonat

