Unable to access hosts behind ASA

Unanswered Question
May 28th, 2010

Hi All,

I have a ASA 5505 configured as a VPN server, when connecting the connection is successful,
however the remote users are unable to access the hosts on the LAN behind the ASA.
Please find my config below and any help would be greatly appreciated.

ASA Version 7.2(4)
hostname *******
domain-name *******.local
enable password ************ encrypted
passwd ************* encrypted
interface Vlan1
nameif inside
security-level 100
ip address 196.0.*0.*
interface Vlan2
nameif outside
security-level 0
ip address 196.28.*.*
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name SSAHO.local
object-group network obj-196.0.*.*
access-list inside_nat0_outbound extended permit ip any
access-list outside_access_in extended permit tcp any interface outside eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool SSA-VPN mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 3389 196.0.*.* 3389 netmask
access-group outside_access_in in interface outside
route outside 196.28.*.* 1
route outside 196.28.*.* 1
route inside 192.168.*.* 196.0.*.* 1
route inside 10.129.*.* 196.0.*.* 1
route inside 10.140.*.* 196.0.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet inside
telnet timeout 5
ssh outside
ssh 41.208.*.* outside
ssh 41.208.*.* outside
ssh inside
ssh timeout 5
console timeout 0

username ******* password ********* encrypted
username ******* password ************ encrypted privilege 15
tunnel-group SSA-VPN type ipsec-ra
tunnel-group SSA-VPN general-attributes
address-pool SSA-VPN
tunnel-group SSA-VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
: end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Fri, 05/28/2010 - 02:30

Which specific subnet and/or ip address do you try to access behind the ASA?

A few things to check:

1) Did you try to ping? If you do, please add the following:

policy-map global_policy
      class inspection_default

          inspect icmp

Also, from the config, it doesn't seem that the policy-map has been applied: service-policy global_policy global

2) Please add "management-access inside", and test if you can ping the inside interface ip address of the ASA when you are connected to the VPN?

3) Also add "crypto isakmp nat-traversal 25" so if the VPN client is behind a PAT device, ESP will be encapsulated to UDP/4500.

Please advise the result after adding and testing the above.

If it still doesn't work, please connect through VPN, and obtain the output of the following from the ASA:

- show crypto isa sa

- show crypto ipsec sa

audet Fri, 05/28/2010 - 10:33

Bring up the ASA GUI and go into Configuration and into sub-tab Device Setup

Go over to Routing and down to Static Routes.

Add a route to your inside interface

ip address:


Gateway IP: (the gateway address of your inside interface)

Under options select "Tunneled, default tunnel gateway for VPN traffic)

Click apply,  then save the config.

Disconnect and reconnect your vpn.

PS:  Also upgrade your ASA code.  Version 7.x is horrible. 

Don't even bother trying to work with the ASA until you move into version 8.x

m.kafka Sat, 05/29/2010 - 02:24

Some tips for trouble-shooting:

Let's assume you have IPsec SAs establishes cusessfully.

Most common reasons: NAT-T not enabled, ESP blocked, routing issues for the VPN packets

or acls somewhere on the end-to-end path blocking packets.

You have at least three networks on the "inside":

196.0.x0.0/24, and

There is also another Layer 3 device involved, which routes the 10.x.x.x networks.

Do you have a matching route for the vpn-clients on that device so that VPN return-traffic

arrives on the ASA?

verify routing on the client (secured routes should either be or the

internal network(s), depending on your split tunnel settings) and verify routing on the ASA side

(hosts on the asa side, the layer 3-device, hosts on the10.x.x.x networks):


verify packets encrypted/decrypted (in this example packets are sent to the tunnel but nothing returns):


compare these numbers with the ipsec sa on the ASA (Show crypto ipsec sa):

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

In this example the ASA decrypts packets but returns nothing.

The two examples combined could point to a routing issue or something NAT
resp acl related on the ASA side:
packets from the client are sent to the tunnel, will be encrypted,
recieved by the asa, decrytped and then we don't know for sure.

Here's where troubleshooting starts:
  • do you see an established connection on the ASA for the vpn?
  • do see a translation for that connection?
  • do see packets on the internal host?
  • do you see packets returned from the internal host?
  • do you see packets dropped by an acl?

Find trouble shooting strategies for other scenarios:

client packets encrypted 0, decrypted 0

asa packets encrypted 0, decrypted 0

personal firewall? client routing issue (dos command netstat -r)?

client packets encrypted x, decrypted 0

asa packets encrypted x, decrypted x

esp not arrriving on client? personal firewall?

hope thats a little bit of help

rgds, MiKa


This Discussion