
ASA 5505 - IPsec VPN, can't access internal network

Hello everyone,

I've set up an IPsec VPN server on an ASA 5505 and I succeeded in connecting to it from a Mac laptop.

My problem is that I can't reach the internal network, and I would like to be able to reach an internal web service through the VPN connection.

Here is my network: ISP's router - ASA - internal network

Here is my ASA config:

ASA Version 8.2(5)

hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

ftp mode passive
clock timezone GMT 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT extended permit ip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns interface inside
dhcpd update dns both override interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 vpn-idle-timeout 30
username admin password 4RdDnLO1w29lihWc encrypted
username cld password zGOnThs6HPdAZhqs encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
 address-pool VPNpool
tunnel-group synvpn ipsec-attributes
 pre-shared-key *****

prompt hostname context
no call-home reporting anonymous

: end

When I ask for my routing table:

Routing tables

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS           142        0   utun0
default            my_home_gateway    UGScI           9        0     en1
                                      UH              0       28   utun0

So I give my VPN users an IP address like 10.0.1.x (here it's and I use these commands to be able to reach the internal network:

access-list NONAT extended permit ip

nat (inside) 0 access-list NONAT

But it's obviously not working. Don't you think that I should have another IP address than as gateway? Is that the problem?

Thank you for your help,
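
One way to check offline that a NAT-exemption ACL such as the NONAT list above covers traffic from the inside network to every VPN address pool. This is an added example, not part of the original post; the sample config and all of its addresses are constructed (the post's own addresses are missing), and only the `permit ip net mask net mask` ACL form is handled.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax; every address here is an assumption.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
ip local pool VPNpool 10.0.1.1-10.0.1.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_network(config, ifname):
    """Subnet of the interface whose nameif is ifname, or None if absent."""
    current = None
    for line in config.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] == "nameif":
            current = w[1]
        elif w[:2] == ["ip", "address"] and current == ifname and len(w) >= 4:
            return net(w[2], w[3])
    return None

def check_nat_exemption(config, ifname="inside"):
    """Return findings; an empty list means every pool is exempted from NAT."""
    m = re.search(rf"^nat \({ifname}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return [f"no 'nat ({ifname}) 0 access-list' statement"]
    acl = m.group(1)
    entries = [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(
        rf"^access-list {re.escape(acl)} extended permit ip "
        r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)[ \t]*$", config, re.M)]
    inside = inside_network(config, ifname)
    if inside is None:
        return [f"no ip address found for interface '{ifname}'"]
    findings = []
    for name, lo, hi in re.findall(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        # Source must contain the inside subnet, destination the whole pool range.
        if not any(inside.subnet_of(s) and lo in d and hi in d for s, d in entries):
            findings.append(f"pool {name} ({lo}-{hi}) not covered by ACL {acl} from {inside}")
    return findings
```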

