Cisco Support Community

New Member

VPN: one is working, the other is not...

I have several interfaces:

  • outside
  • inside(
  • wifi(
  • haklab(

Currently I have remote access anyconnect users who are able to VPN in and get access to the outside internet and inside devices.

I am trying to add another VPN config to allow users to connect to the haklab resources from the outside. 

Currently they are able to connect to the VPN and access outside resources, but they are unable to see any of the devices on the inside.    

I have created a user, pronto, which should be forced into receiving the mdc3 connection profile, which assigns them an IP address from my DHCP server, which is also on that LAN segment. The VPN users are currently receiving an address from DHCP. In my case was assigned to pronto when he VPN'd in.

My goal is to determine why pronto can't access any of the devices on the haklab interface

Here is the full config:

ASDM VIEW ACCESS: just PM me and I'll create an account.

relevant snippets:

object network MDC3_VPN


access-list haklab_access_in extended permit ip object MDC3_VPN interface HAKlab

ip local pool mdc3_VPN mask

nat (inside,outside) source static HAK_LAB HAK_LAB destination static MDC3_VPN MDC3_VPN

nat (outside,outside) after-auto source dynamic MDC3_VPN interface

username pronto password xxxxxxxx encrypted

username pronto attributes

vpn-group-policy mdc3_policy

group-lock value mdc3

service-type remote-access


  anyconnect profiles value MDC3 type user

anyconnect profiles MDC3 disk0:/mdc3.xml

tunnel-group mdc3 type remote-access

tunnel-group mdc3 general-attributes

address-pool mdc3_VPN

default-group-policy mdc3_policy

dhcp-server subnet-selection

tunnel-group mdc3 webvpn-attributes

group-alias mdc3 enable

group-policy mdc3_policy internal

group-policy mdc3_policy attributes

wins-server none

dns-server value

vpn-tunnel-protocol ikev2 ssl-client

default-domain value


  anyconnect profiles value MDC3 type user

Cisco Employee

VPN: one is working, the other is not...

Hi Daniel.

I am trying to figure out what you are trying to achieve by this ACL?

"access-list haklab_access_in extended permit ip object MDC3_VPN interface HAKlab"

Why not use the below, since you want to access all resources behind HAKlab?

access-list haklab_access_in extended permit ip object MDC3_VPN any