Cisco Support Community
Community Member

Can't access internal network resources through Remote Access VPN

Hi Folks,

I have a remote access VPN setup on an ASA5510. I am making a connection using Cisco VPN client (

I am able to make the connection and authenticate, but I am not able to access any of the local resources. I can't ping them or access them in any way. If I go into the statistics screen of the VPN client, it shows no LAN routes and the only route I see is for

What's interesting is that one of the machines on the internal network can ping the machine that has initiated the VPN. In fact, I was able to Remote Desktop into it from the internal network. So I can access the VPN client from the internal network, but not the other way around.

I initially configured the VPN using the ASDM wizard. (not sure that makes a difference)

Here is a partial config of the information that is relevant to the VPN. Please let me know if you need more.

The internal network is 192.168.0.X and the VPN network is 192.168.10.x.


access-list AINC_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any
ip local pool REMOTE_POOL mask
nat (inside) 0 access-list inside_nat0_outbound
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
group-policy AINC internal
group-policy AINC attributes
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AINC_splitTunnelAcl
vpn-group-policy AINC
tunnel-group AINC type remote-access
tunnel-group AINC general-attributes
address-pool REMOTE_POOL
default-group-policy AINC
tunnel-group AINC ipsec-attributes
pre-shared-key *


Re: Can't access internal network resources through Remote Access

Please try two things:

1. Try entering the command: crypto isakmp nat-t

After that, see if you can ping anything.

2. Get rid of the permit any statement in the split tunnel ACL and enter the specific network:

access-list AINC_splitTunnelAcl standard permit

You should also modify the nat0 access-list with the same rule permitting to

Community Member

Re: Can't access internal network resources through Remote Access


The crypto command didn't fix it, but as soon as I modified the access-list, it worked.

One more question... What if I want my remote VPN clients to have the ability to administer machines in the DMS ( from the inside? What would I need to add to make that happen as well?

Re: Can't access internal network resources through Remote Access

You would need to add another line to your split tunnel access list permitting that network and also put that network in the NAT0 access list.

From there, make sure your ASA has a route to that network.
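Added example (not part of the original thread, and not Cisco tooling): a small Python check for the two points made in the replies above, that the split-tunnel ACL should name specific networks rather than "permit any", and that every split-tunnel network also needs an entry in the NAT0 access list toward the VPN pool. The sample config is constructed; the /24 masks and the 192.168.20.0 network standing in for the extra segment are assumptions, since the thread only gives 192.168.0.x and 192.168.10.x.

```python
import ipaddress

# Constructed sample config. Masks and 192.168.20.0 (placeholder for the extra
# network asked about in the thread) are assumptions, not values from the thread.
SAMPLE = """\
access-list AINC_splitTunnelAcl standard permit any
access-list AINC_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy AINC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def audit(config, pool_net):
    """Compare split-tunnel ACL entries with the NAT-exemption (nat 0) ACL."""
    pool = ipaddress.ip_network(pool_net)
    standard, extended, split_acls, nat0_acls = {}, {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            if t[4:] == ["any"]:
                standard.setdefault(t[1], []).append("any")
            elif len(t) == 6:  # "<network> <mask>" form only
                standard.setdefault(t[1], []).append(net(t[4], t[5]))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
            # "<src> <mask> <dst> <mask>" form only; other forms are skipped
            extended.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:2] == ["split-tunnel-network-list", "value"] and len(t) == 3:
            split_acls.append(t[2])
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) == 5:
            nat0_acls.append(t[4])
    exempt = [pair for name in nat0_acls for pair in extended.get(name, [])]
    findings = []
    for name in split_acls:
        for entry in standard.get(name, []):
            if entry == "any":
                findings.append(f"{name}: 'permit any' instead of a specific network")
            elif not any(entry.subnet_of(s) and pool.subnet_of(d) for s, d in exempt):
                findings.append(f"{name}: {entry} has no NAT0 entry toward {pool}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.10.0/24"):
        print(finding)
```
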
