Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 - remote vpn client can login but only first client can ping and the rest cannot

All Experts,

I have configured remote vpn server on ASA 5510.

All the remote vpn clients are able to login to remote vpn server.

The issue is that only first vpn client can ping to the internal network and the rest of the clients cannot ping even though they are able to login.

Could you please help to find out what's wrong with my configuration?

Please refer to the below configuration.


ciscoasa#sh run

ASA Version 8.0(2)


hostname ciscoasa


enable password S3tnQLXTAbsdcawi encrypted



interface Ethernet0/0

description *** INTERNAL CONNECTION ***

nameif inside

security-level 100

ip address


interface Ethernet0/1

description *** WAN CONNECTION ***

nameif outside

security-level 0

ip address 210.x.x.x


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST 10

dns server-group DefaultDNS


access-list outside_access_in extended permit icmp any any

access-list inside_access_in extended permit icmp any any

access-list NONAT extended permit ip

pager lines 24

logging enable

logging monitor debugging

logging buffered debugging

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

ip local pool VPNPOOL mask

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 210.x.x.x 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http inside

http management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

no crypto isakmp nat-traversal

ssh inside

ssh timeout 10

console timeout 0

dhcpd address management

dhcpd enable management


threat-detection basic-threat

threat-detection statistics access-list


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp


service-policy global_policy global

group-policy it-policy internal

group-policy it-policy attributes

wins-server value

dns-server value

vpn-idle-timeout 30

username testuser password k83iXWPan0Gg1s04 encrypted

username admin password TOyVyM6G6TXcuQ5w encrypted privilege 15

username user password enq05bKrudsJMMBu encrypted

tunnel-group itvpnclient type remote-access

tunnel-group itvpnclient general-attributes

address-pool VPNPOOL

default-group-policy it-policy

tunnel-group itvpnclient ipsec-attributes

pre-shared-key *

prompt hostname context


: end


ASA 5510 - remote vpn client can login but only first client can

Hi Craig,

Try enabling NAT-T ,  you have it disabled,  try that and let us know  e.g  crypto isakmp nat-traversal 20

troublesghooting reference


New Member

ASA 5510 - remote vpn client can login but only first client can

Hi Gorge,

Thanks for your advice.

I will try that and let you know the update.



New Member

ASA 5510 - remote vpn client can login but only first client can

Hi Gorge,

I am able to ping from any remote client after enabling crypto isakmp nat-traversal 20.

Thank you so much for your advice.

Hi William,

Thanks for your advice too even though I did not need to add "inspect icmp" under class inspection_default.

Appreciate for your help.



New Member

ASA 5510 - remote vpn client can login but only first client can

You might also try adding inspect icmp under your class inspection_default policy map.

CreatePlease login to create content