Remote Access VPN NAT assignment

Unanswered Question
Nov 3rd, 2010

We have currently set up our remote access VPN clients to use the AnyConnect client (eventually we would rather use IPSec, but that's for another post, most likely). Most documentation shows setting up the VPN NAT pool on a different subnet, so we currently have it set to the network. We are able to access the network resources then only if we remote desktop in from there to an internal location. How can we allow this subnet access to our internal resources without using this workaround? I've tried assigning ACLs allowing that subnet in to the internal subnet, but it doesn't seem to make a difference.

Federico Coto F... Wed, 11/03/2010 - 09:20


You're using the AnyConnect to connect to a router or ASA?

The VPN client will access the subnets that you permit/include in the split-tunneling ACL.

The range of addresses for the VPN client (either IPsec or AnyConnect) should be from a different subnet.

You can check on the client itself when it connects, under secured routes, which subnets are accessible from the client.

Please provide more details to your problem.


heather.burke Wed, 11/03/2010 - 09:36

It connects to the ASA.

When you say it will access subnets that we provide in the split tunneling ACL, what do you mean? I notice that split tunneling is an option under group policy, but right now all the boxes are checked for "inherit".

As I indicated before, the VPN is on a different subnet from the internal subnet.  It just cannot see internal resources without using remote desktop to access those resources.

(I did not do the initial setup for this VPN, I was just asked to help troubleshoot why network resources cannot be accessed.)

Federico Coto F... Wed, 11/03/2010 - 09:40


You're saying that access to the internal resources works if using RD.

This means that you open a Remote Desktop connection from the VPN client and access the internal device?

If so... what type of access is not working that it should?


heather.burke Wed, 11/03/2010 - 09:43

Yes, apparently internal server access is one of the things mentioned that is not working. Along with that, certain client programs will not start. Obviously the ideal that we are shooting for is for our users to be able to log in and have it be just like they are at their desks. While the RD element is not the end of the world, we would like to see if we could achieve access without it.

Federico Coto F... Wed, 11/03/2010 - 10:03


When you connect with the AnyConnect or IPsec client, the access that you have is full access.

It should be exactly as if the user is sitting locally to the internal resources.

It sounds like what you're describing is that the VPN users are connecting using an SSL client-less connection.

This is a web portal that redirects TCP traffic (it is a limited access).

If the AnyConnect client is being downloaded in the client machine when connecting to the ASA, the client should have full access to the internal network.

Can you confirm that the client is indeed using the AnyConnect client and not a client-less SSL connection?

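The two replies above make two points: the split-tunnel ACL decides which internal subnets the client sees as "secured routes", and a full AnyConnect tunnel (`vpn-tunnel-protocol ssl-client`) behaves very differently from a clientless portal (`webvpn` only). The configuration below is an added example written for this thread; it is not from the poster's ASA or from Cisco documentation. The pool range, the inside subnet 10.10.0.0/24, the ACL, group-policy and tunnel-group names, and the package filename are constructed placeholders, and the NAT exemption uses the pre-8.3 `nat 0` syntax that was current when this thread was written.

```cisco
! Added example for this thread; addresses and names are constructed placeholders.
! The VPN client pool lives on its own subnet, distinct from the inside network.
ip local pool ANYCONNECT_POOL 192.168.200.10-192.168.200.100 mask 255.255.255.0

! Split-tunnel ACL: only networks listed here are pushed to the client as
! secured routes, so an inside subnet missing from this list is unreachable.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.255.0

! NAT exemption so inside <-> VPN-pool traffic is never translated.
! (ASA 8.2 and earlier syntax; 8.3+ uses object-based "nat ... source static".)
access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Group policy: full AnyConnect client tunnel, not the clientless portal.
! Setting these here overrides the "inherit" checkboxes from DfltGrpPolicy.
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value ANYCONNECT_POOL

! Tunnel group ties the pool and the policy to the connection profile.
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP

! Enable the AnyConnect client on the outside interface (8.2-era "svc" keywords;
! the image filename below is a placeholder, not a real package name).
webvpn
 enable outside
 svc image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 svc enable
 tunnel-group-list enable
```

Two checks follow from the thread: on the ASA, `show vpn-sessiondb summary` reports whether active sessions are full-client or clientless, which answers the question asked in the reply above; on the client, the "secured routes" list should show exactly the networks in `SPLIT_TUNNEL`. If an internal subnet is missing from that list, or inside-to-pool traffic is being NATed, internal hosts will be reachable only through a hop such as the remote desktop workaround described in the original question.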

heather.burke Wed, 11/03/2010 - 10:12

Yes, let me confirm personally how this connection is taking place and make sure that it is as it is being described to me. I'll get back to you after having done so. Thanks!

