VPN Client Issue

Apr 28th, 2010


Can someone advise me on this;

We are having issues with external suppliers accessing servers using the Cisco IPSec client (ver 5). The clients can VPN into the ASA and they receive an IP address from the address pool. When the supplier tries to RDP to the servers at the site they receive an error that they cannot connect.

The IP Address range on the inside network is and frequently the suppliers are using this for some part of their network as well. We suspect a routing issue but we have been unable to find a way to force the traffic (typically a server somewhere on the subnet) down the VPN tunnel.

When they dial in from another network (i.e. home broadband) they can RDP into the servers without any issue.

So we are assuming that the client's office address range is what is causing the problem.

We have tried SSL and AnyConnect with more success but it is not reliable.


Federico Coto F... Wed, 04/28/2010 - 08:03


The internal network behind the ASA is

The VPN clients presenting problems are when they reside somewhere on a segment of the as well?

The VPN pool belongs to the

You say you have seen the problem only when clients attempt to connect from a segment belonging to the and accessing a particular server?

Sometimes you can NAT your VPN traffic to avoid overlapping issues.


networker101 Wed, 04/28/2010 - 08:39

Hi Federico,

I am not sure exactly what the clients address is, but the user did say they were on a Segment 10 address.

The VPN pool that has been allocated is 10.20.28.X

Only clients that are accessing from a Segment 10 address experience this problem. I have tried from an ADSL using the user's credentials and I have no problem accessing the servers via RDP. The server is also behind a

Can you give me an example of NATing VPN traffic for users who are coming from a Segment 10 address?


Federico Coto F... Wed, 04/28/2010 - 08:49

Let's say that you have a problem accessing an internal server

You can create a NAT rule for that server:

static (in,out) x.x.x.x

The above rule will statically translate the internal server to x.x.x.x

To make this work, should be excluded from the NAT0 statement for the entire since NAT0 with ACL takes precedence over static NAT.
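
The overlap discussed in this thread, as an added example that is not part of any post above: a small Python check of which way a client would route the server address from an office LAN, from home broadband, and when the server is reached through a static NAT address outside the overlapping range. Every address is constructed (the thread elides the real ones), and the route selection is a simplified assumption: longest prefix wins, with an on-link LAN route beating a tunnel route of equal length.

```python
import ipaddress

# All addresses are constructed for illustration; the thread elides the real ones.
OFFICE_LAN = ["10.1.5.0/24"]      # supplier office LAN on a 10.x segment
HOME_LAN = ["192.168.1.0/24"]     # home broadband LAN
TUNNEL = ["10.0.0.0/8"]           # inside range sent down the VPN tunnel
SERVER_REAL = "10.1.5.20"         # server's real inside address
MAPPED_NET = "192.168.250.0/24"   # hypothetical non-overlapping NAT range
SERVER_MAPPED = "192.168.250.20"  # server as seen through the static NAT


def find_overlaps(local_nets, tunnel_nets):
    """Return (local, tunnel) prefix pairs that overlap."""
    return [(lan, tun) for lan in local_nets for tun in tunnel_nets
            if ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(tun))]


def next_hop(dest, local_nets, tunnel_nets):
    """Return 'local', 'tunnel' or 'default' for a destination address.

    Simplified model (assumption): the longest matching prefix wins and an
    on-link LAN route beats a tunnel route of equal length.
    """
    addr = ipaddress.ip_address(dest)
    best_kind, best_len = "default", -1
    # Tunnel routes are scanned first so a local route can override a tie.
    for kind, nets in (("tunnel", tunnel_nets), ("local", local_nets)):
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen >= best_len:
                best_kind, best_len = kind, net.prefixlen
    return best_kind


if __name__ == "__main__":
    print("overlap at office:", find_overlaps(OFFICE_LAN, TUNNEL))
    print("office -> real   :", next_hop(SERVER_REAL, OFFICE_LAN, TUNNEL))
    print("home   -> real   :", next_hop(SERVER_REAL, HOME_LAN, TUNNEL))
    print("office -> mapped :",
          next_hop(SERVER_MAPPED, OFFICE_LAN, TUNNEL + [MAPPED_NET]))
```

In this model the real address stays on the office LAN and never reaches the tunnel, while the mapped address is only matched by the tunnel route.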


