
Cisco ASA clients connect to VPN but no route inside, need some help?

zafnath
Level 1

Hello Everyone...!

I have a Cisco ASA running IOS Version 8.0(4). Everyone in my company connects fine through the VPN clients, but they don't have routing.

I'm wondering why they connect to the VPN and then don't have any traffic inside.

Need some tips..


Shilpa Gupta
Cisco Employee

Hello,

As per the problem description, I understand that you can connect via VPN client, however you cannot access anything on the inside?

Please let me know if the problem description is correct.

Also, for better understanding of the issue, please answer the following questions:

[1] What is the VPN client that you are using?

[2] Are the NAT translations in place on the ASA?

[3] Have you configured split tunnel? Is the internal network included in it?

It would be great if you can attach the 'sh tech' output of ASA.

Thanks,

Shilpa

Shilpa, answering your questions:

As per the problem description, I understand that you can connect via VPN client, however you cannot access anything on the inside? YES

[1] What is the VPN client that you are using? Cisco Systems VPN Client Version 5.0.04.0300

[2] Are the NAT translations in place on the ASA? Yes, I have a couple of NATs working in several rules.

[3] Have you configured split tunnel? Is the internal network included in it? The Split Tunneling is checked on the Network List as Inherit, that means the whole network.

Is there a specific part of show tech that you want to see?

Thanks for your help

Namit Agarwal
Cisco Employee

Hi ,

Please paste the running config of the ASA here. You can remove the sensitive IP information.

Thanks,

Namit

Hi,

I would like to check if you have NAT exempt for the traffic on the inside network to the pool IP address of the client. If it is not configured, then configure the same and check if you are able to connect.

Also, once you are connected, you should be able to see that the route for reaching your client IP is via the outside interface. This can be done by issuing "sh route".

Thanks,

Shilpa
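
The NAT-exemption check suggested in the reply above can be run offline against a saved running config. This is an added example, not part of the original thread; it assumes pre-8.3 ASA syntax (`nat (inside) 0 access-list ...`), and the pool name, ACL name and all addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA config; every name and address is a placeholder.
SAMPLE_OK = """\
ip local pool VPNPOOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
# Same config with the exemption removed: replies to VPN clients hit dynamic NAT.
SAMPLE_MISSING = "\n".join(
    l for l in SAMPLE_OK.splitlines() if "NONAT" not in l) + "\n"

IP = r"(\d+\.\d+\.\d+\.\d+)"

def pool_ranges(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pat = re.compile(rf"^ip local pool (\S+) {IP}-{IP}", re.M)
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in pat.finditer(config)}

def exempt_destinations(config, ifname="inside"):
    """Destination networks of ACLs bound with 'nat (ifname) 0 access-list'.
    Only 'permit ip <net> <mask> <net> <mask>' entries are understood."""
    bound = re.findall(rf"^nat \({re.escape(ifname)}\) 0 access-list (\S+)",
                       config, re.M)
    nets = []
    for acl in bound:
        ace = re.compile(rf"^access-list {re.escape(acl)} extended permit ip "
                         rf"{IP} {IP} {IP} {IP}\s*$", re.M)
        for m in ace.finditer(config):
            nets.append(ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False))
    return nets

def uncovered_pools(config, ifname="inside"):
    """Pools whose whole range is not inside any exempted destination network."""
    nets = exempt_destinations(config, ifname)
    return sorted(name for name, (lo, hi) in pool_ranges(config).items()
                  if not any(lo in n and hi in n for n in nets))

if __name__ == "__main__":
    for label, cfg in (("with exemption", SAMPLE_OK),
                       ("without exemption", SAMPLE_MISSING)):
        print(label, "-> pools lacking NAT exemption:", uncovered_pools(cfg))
```

ACL entries written with `host`, `any` or object-groups are ignored by this parser, so a pool reported here should be confirmed by reading the exemption ACL directly.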

Guys, here is the running config.

thanks for your help

Shilpa Gupta
Cisco Employee

Hi,

Once connected via VPN, is the host which you are trying to access connected directly to the ASA, or is there any device present in between the inside host and the ASA?

If yes, make sure that you have a route on that device for the pool IP address pointing towards the ASA's inside IP.

Thanks,

Shilpa

The Core Switch is attached directly to the ASA Inside Interface, but I can't access even the Core; it is like the whole traffic is not routed.

Hi,

After getting connected to the ASA via, try to ping the ASA's inside ip address and let me know if you are able to ping.

Add the following commands:-

[1] sysopt connection permit-vpn

[2] management-access inside

Let me know if you are able to ping

[1] the ASA's inside IP address

[2] any host on the inside

When you say whole traffic is not routed, can you please explain it briefly?

Thanks,

Shilpa

I did the above commands but nothing happened.

When you say whole traffic is not routed, can you please explain it briefly?

Answer: My first hop after the inside ASA's interface is the CORE Switch. I'm trying to ping it but it doesn't work. If I can't get to the first hop, for sure I won't be able to get into the rest of the network.

Namit Agarwal
Cisco Employee

Hi,

Please provide the details of the tunnel you are trying to establish. Which tunnel-group?

Regards,

Namit

Once connected via VPN, give the following commands on the ASA and please paste the output:

show crypto ipsec sa peer

show vpn-sessiondb remote

Namit Agarwal
Cisco Employee

Hi ,

Please paste a screenshot of the route details on the VPN Client. The route details can be viewed at Status > Statistics > Route Details. I just want to confirm whether the VPN Client is getting the correct routes. Also I see that the tunnel-group in use is XXXX and the policy associated with it is clientes. Please provide me the details of this group-policy. An output of "show run all group-policy clientes" will be helpful.

Regards,

Namit
