Cisco Support Community
Community Member

ASA 5505 SSL Vpn Issue

Here is the problem I have. I can connect to the SSL VPN with AnyConnect just fine. Split tunnel also seems to be working. I can ping the inside interface of the ASA unit. However, I cannot ping or otherwise access hosts on the inside network, only the ASA's inside interface. I included a copy of my config. If someone could help me figure out what I'm missing, it would be greatly appreciated.

ASA Version 8.2(3)
hostname asa5505
domain-name "inside domain"
enable password "password" encrypted
passwd "password" encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1a
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name "inside domain"
access-list inside_nat0_outbound extended permit ip any
access-list split-tunnel standard permit
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnaccess mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
enable outside
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
split-dns value "inside domain"
address-pools value vpnaccess
username admin password "password" encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
username Interact password "password" encrypted privilege 0
username Interact attributes
vpn-group-policy DfltGrpPolicy
username wyoming password "password" encrypted privilege 0
username wyoming attributes
vpn-group-policy DfltGrpPolicy
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpnaccess
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination address http
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Cisco Employee

Re: ASA 5505 SSL Vpn Issue

Sure, your NAT exemption access-list is incorrect.

Instead of:

access-list inside_nat0_outbound extended permit ip any

It should be:

access-list inside_nat0_outbound extended permit ip

Then please remember to "clear xlate" after the above changes.

Hope that resolves the issue.
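
A check for the NAT exemption mismatch discussed in the reply above, added here as an example and not part of the original thread. It parses 8.2-style config text and reports any `ip local pool` whose range is not the destination of a permit entry in the ACL named by `nat (inside) 0 access-list`. The function names and all addresses are constructed for illustration, since the thread's real addresses are not shown.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) from a token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)

def uncovered_pools(config, inside_if="inside"):
    """Names of VPN pools that no NAT exemption ACL entry covers as destination."""
    pools, acls, exempt_acl = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        try:
            if tok[:3] == ["ip", "local", "pool"]:
                lo, _, hi = tok[4].partition("-")
                pools[tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
            elif tok[:4] == ["nat", f"({inside_if})", "0", "access-list"]:
                exempt_acl = tok[4]
            elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
                rest = tok[5:]
                _take_addr(rest)  # source spec, not needed for this check
                acls.setdefault(tok[1], []).append(_take_addr(rest))
        except (IndexError, ValueError):
            continue  # redacted or incomplete line: nothing to evaluate
    dests = acls.get(exempt_acl, [])
    return sorted(name for name, (lo, hi) in pools.items()
                  if not any(lo in d and hi in d for d in dests))

# Constructed sample configs (addresses are illustrative, not from the thread).
COMMON = """ip local pool vpnaccess 192.168.50.10-192.168.50.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Destination is the inside subnet, so traffic to the VPN pool is not exempted.
BROKEN = COMMON + ("access-list inside_nat0_outbound extended permit ip "
                   "any 192.168.1.0 255.255.255.0\n")
# Source is the inside subnet, destination is the VPN pool subnet.
FIXED = COMMON + ("access-list inside_nat0_outbound extended permit ip "
                  "192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0\n")

if __name__ == "__main__":
    print("broken:", uncovered_pools(BROKEN))
    print("fixed: ", uncovered_pools(FIXED))
```

An empty result means every pool is covered by the exemption ACL; it does not check host firewalls or routing on the inside hosts.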

Community Member

Re: ASA 5505 SSL Vpn Issue

Made the changes but I still can only ping the inside interface of the ASA. Any other ideas?

Cisco Employee

Re: ASA 5505 SSL Vpn Issue

What are you trying to ping? Please make sure that the host doesn't have any Windows personal firewall enabled, as that normally blocks incoming connections from a different subnet.
