Cisco Support Community

New Member

ASA 5505 VPN can't access inside host

I have set up remote VPN access on an ASA 5505 but cannot access the host or ASA when I log in using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct IP address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can log in but not go anywhere I feel certain I missed something.

part of config below

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
 banner value xxxxx Disaster Recovery Site
 wins-server none
 dns-server value 24.xxx.xxx.xx
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value xxxxxx
 smartcard-removal-disconnect enable
 client-firewall none
 webvpn
  functions url-entry
 vpn-nac-exempt none
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
 address-pool xxxx
 default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
 pre-shared-key *

Accepted Solutions
Green

Re: ASA 5505 VPN can't access inside host

You are missing nat exemption for the vpn clients. Add the following and you should be good to go.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
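The check below is an added example, not part of the original reply or any Cisco tooling: it reads a config in the `nat (inside) 0 access-list` syntax used in this thread and reports VPN address pools that no NAT exemption ACL destination covers. The sample config, the pool names `vpnpool` and `drpool`, and the 192.168.20.x range are constructed for illustration.

```python
import ipaddress

# Constructed sample in the thread's ASA syntax; pool names and the
# 192.168.20.x range are made up for illustration.
SAMPLE = """\
ip local pool vpnpool 192.168.10.50-192.168.10.55 mask 255.255.255.0
ip local pool drpool 192.168.20.50-192.168.20.55 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def take_addr(tokens):
    """Consume one ACL address spec (any | host A | A MASK).
    Object groups are not handled in this sketch."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(config):
    """Collect pools, 'permit ip' ACL destinations and nat-0 ACL names."""
    pools, acls, nat0 = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, _, hi = t[4].partition("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            _src, rest = take_addr(t[5:])
            dst, _ = take_addr(rest)
            acls.setdefault(t[1], []).append(dst)
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
    return pools, acls, nat0

def uncovered_pools(config):
    """Names of VPN pools that no nat-0 ACL destination fully contains."""
    pools, acls, nat0 = parse(config)
    # Only ACLs actually bound by a 'nat (...) 0 access-list' line count.
    dests = [d for name in nat0 for d in acls.get(name, [])]
    return sorted(name for name, (lo, hi) in pools.items()
                  if not any(lo in d and hi in d for d in dests))

if __name__ == "__main__":
    for name in uncovered_pools(SAMPLE):
        print(f"pool {name}: not covered by any NAT exemption ACL")
```
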

6 REPLIES
Green

Re: ASA 5505 VPN can't access inside host

If you can post the config, that would be great.

New Member

Re: ASA 5505 VPN can't access inside host

I get the banner and IP address info...

This is what the client log provides...

1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 172.20.255.255
Netmask 255.255.255.255
Gateway 10.1.2.1
Interface 10.1.2.5

2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

New Member

Re: ASA 5505 VPN can't access inside host

Here's the latest config... I can connect, get an IP but still cannot access the local host or the firewall. The firewall shows that I have a tunnel but I still can't access anything.

moo
New Member

Re: ASA 5505 VPN can't access inside host

I'm having exactly the same problem even though I have the nat exemption entries exactly as stated here.

I've redone the configuration several times with exactly the same result.

Re: ASA 5505 VPN can't access inside host

Open a new topic, attach configs, and give a full description of the problem.
