Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Problem with VPN in ASA5520 8.3

Unanswered Question
Nov 25th, 2010
User Badges:

I have lifted the VPN, but not going to remote networks.

I can ping the vlan inteface my remote router, but an IP from a PC can not reach. Some help

ASA Version 8.3(1)

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address


interface GigabitEthernet0/1

nameif inside

security-level 100

ip address


interface GigabitEthernet0/2


no nameif

no security-level

no ip address


interface GigabitEthernet0/3


no nameif

no security-level

no ip address


interface Management0/0


no nameif

no security-level

no ip address


ftp mode passive

object network NETWORK_OBJ_10.10.1.0_24


object network Aregua


description Aregua

object network NETWORK_OBJ_192.168.1.0_24


object network Piribebuy


description Piribebuy

access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_10.10.1.0_24 object NETWORK_OBJ_192.168.1.0_24

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http inside

http inside

http inside

http outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_cryptomap_1

crypto map outside_map0 1 set peer

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


username guillermo password gj/0bvDSV6huY49t encrypted privilege 15

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *****

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Thu, 11/25/2010 - 14:23
User Badges:
  • Cisco Employee,

The configuration on this ASA looks correct, and if you can ping the remote router vlan interface, that means that the VPN is up and running correctly.

If you can't ping the remote PC, you might want to check if the PC has any personal firewall enabled that often blocks inbound connections from different subnets. Please try to disable the personal firewall on the PC and try to ping again. Also try to ping other devices in the network, and see if that works.

Also check the remote router configuration to see if NAT exemption has been configured and if there is any firewall features on the router itself that might be blocking the ping.

Hope that helps.

Guillermo Pinanez Thu, 11/25/2010 - 16:21
User Badges:

Hi Jennifer

Thanks for answering my question, in principle I have no NAT configuration on the remote router, I have the firewall of the PC off.

Would not have a vpn configuration example l2l between 8.3 to handle router,
Also need to handle Internet access to local networks.
My problem lies in making non-nat

Jennifer Halim Thu, 11/25/2010 - 16:27
User Badges:
  • Cisco Employee,

For internet access from ASA, here is the NAT statement:

nat network obj-


     nat (inside,outside) dynamic interface

For VPN access between ASA LAN and router LAN, please share your router configuration.

Guillermo Pinanez Thu, 11/25/2010 - 16:50
User Badges:

Hi Jennifer

The configuration I have not now, but has set the wan interface vlan1
I have active the vpn I have only one access-list which belongs to the VPN.
Tomorrow I can pass the router configuration.

Very grateful for the help

Guillermo Pinanez Fri, 11/26/2010 - 06:59
User Badges:

Hi Jennifer

I found the the fix my problem, the router had set my default route pointing to the interface

ip route fa4

must be configured to point to the ip of the gateway

ip route x.x.x.x

Guillermo Pinanez Fri, 11/26/2010 - 08:16
User Badges:


What would be the procedure for transferring port with NAT (ASA 8.3)

For example:

inside inteface 10.10.1.xx in the ports 80,443 and 143  outside interface x.x.x.x

Jennifer Halim Fri, 11/26/2010 - 15:01
User Badges:
  • Cisco Employee,

object network server-10.10.1.xx

     host 10.10.1.xx

     nat (inside,outside) static interface service tcp 80 80


This Discussion