Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco IPSec VPN Client to LAN Connectivity

I've looked through other discussions and haven't been able to find a clear answer on this so I apologize if it is a duplicate question.

I have setup the Cisco VPN client on an ASA 5505 with split-tunneling. I can connect to the VPN just fine. I can get to the internet just fine. I can NOT get to the LAN, however. I try to ping, rdp, telnet, etc. devices on the LAN side of the firewall without any luck. I have torn down and setup the VPN multiple times via the CLI and I even used various configurations using the wizard, all without any luck. Any help would be appreciated.

ASA Version 8.2(2)


hostname spp-provo-001-fwl-001

domain-name servpro.local

enable password F7n9M1BQr1HPy/zu encrypted

passwd F7n9M1BQr1HPy/zu encrypted

no names

name Exch-Srv

name DRAC

name DVR


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ServPro

ip address pppoe setroute


interface Vlan12

nameif Guest_Wireless

security-level 90

ip address


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7

switchport access vlan 12


banner exec *Authorized access only*

banner exec *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*

banner login *Authorized access only*

banner login *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*

banner asdm *Authorized access only*

banner asdm *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup inside

dns server-group DefaultDNS



domain-name servpro.local

object-group service DRACServices tcp

port-object eq 5900

port-object eq https

port-object eq 5901

object-group service Exch-SrvServices tcp

port-object eq 587

port-object eq 993

port-object eq www

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

object-group service SBS1Services tcp

port-object eq 3389

port-object eq www

port-object eq https

port-object eq smtp

access-list outside_access_in extended permit tcp any host *.*.*.* object-group Exch-SrvServices

access-list outside_access_in extended permit icmp any *.*.*.*

access-list capture extended permit icmp any any

access-list Servpro_splitTunnelAcl standard permit

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip any

access-list guest_wireless_in extended permit tcp any any

access-list guest_wireless_in extended permit ip any any

access-list NO_NAT extended permit ip

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu Guest_Wireless 1500

ip local pool ServProDHCPVPN mask

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625.bin

no asdm history enable

arp timeout 14400


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

nat (Guest_Wireless) 1

static (inside,outside) *.*.*.* netmask

access-group outside_access_in in interface outside

access-group guest_wireless_in in interface Guest_Wireless

route outside *.*.*.* 2 track 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Exch-Srv protocol nt

aaa-server Exch-Srv (inside) host

timeout 5

nt-auth-domain-controller EXCH-SRV

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

http server enable

http server idle-timeout 10

http inside

http outside

http redirect outside 80

http redirect inside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 124

type echo protocol ipIcmpEcho interface outside

num-packets 3

frequency 10

sla monitor schedule 124 life forever start-time now

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self


keypair ServPro

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate f642be4b

    308202fc 308201e4 a0030201 020204f6 42be4b30 0d06092a 864886f7 0d010105

    05003040 311a3018 06035504 03131163 6973636f 2e737070 726f766f 2e636f6d

    31223020 06092a86 4886f70d 01090216 13636973 636f2e73 65727670 726f2e6c

    6f63616c 301e170d 31303034 30383230 35363232 5a170d32 30303430 35323035

    3632325a 3040311a 30180603 55040313 11636973 636f2e73 7070726f 766f2e63

    6f6d3122 30200609 2a864886 f70d0109 02161363 6973636f 2e736572 7670726f

    2e6c6f63 616c3082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082

    010a0282 010100a5 b4646cde f981f048 efa54c8a 4ba4f51c 25471e01 459ea905

    313ef490 72b4d853 4e95ab7d a8c1350e 5728dca6 a98c439e 2c12d219 06ee7209

    9f2584d1 b2abf71c 31c0890f 3098533b 6bc3ad4b 3bcd8986 e70ca78e 07a749d6

    ee4e0892 4fcb79b6 724f7012 9f42fc2f b80c17ed adb5d36b 67590061 453d9ae6

    16583d36 5a22b7c2 737fd705 94656f3f 578fb67f 79bd2a59 17522be3 d2386e22

    2c62352f cda317b0 be805a04 76f19989 34031cbd a5fc62a7 1d9f52f3 00cf60b6

    bbbdc4f0 fb651b82 b3e22a0a 718ff0b4 e213f4ac cdeb413b 9c4a47c3 9134d7a9

    e8dcf2c5 c1cd4075 61d75e3a 475a17f1 2f955741 9ed2a8d6 c381eba3 247134e1

    b5c33fac 7ae03d02 03010001 300d0609 2a864886 f70d0101 05050003 82010100

    70595db9 3fac914d 9790c156 5fde62c5 b4cbb0f4 0c61fab7 fae04399 27457ab7

    e69d3f19 3476dc51 32c885de b5904030 05624fe0 e8983e0a ab5527f3 8c5dd64a

    1e1a6082 b6091657 8704c539 a3c6be47 da2a871f 4fafe668 70db2c2b 573d47b2

    7f3df02f c9d53a92 bcf5f518 9953e14c f957a6ca 279f9e9f ddbd2561 6e0503c2

    ba59a165 055d697f dd028d00 5cc288c4 83ced827 9c82ef3e 7e67f2d2 6de573e3

    42a0b6bf ef8d06ed cb9805f2 c38011d3 5263bc3f 5b68df7a bef36c40 8c5e33f3

    26b02c27 63a9848c 8461738f cd19ae95 f059ee34 afe4bdbc 8d8d2335 751b0621

    65464b2c 4649779d 3ba01b69 8977a790 73815f8b 3c483f93 a5ca9685 04b6e18a


crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal


track 2 rtr 124 reachability

telnet inside

telnet timeout 10

ssh inside

ssh outside

ssh timeout 10

ssh version 2

console timeout 10

vpdn group ServPro request dialout pppoe

vpdn group ServPro localname ********

vpdn group ServPro ppp authentication pap

vpdn username ******* password ***** store-local

dhcpd auto_config outside


dhcpd address Guest_Wireless

dhcpd dns interface Guest_Wireless

dhcpd enable Guest_Wireless


threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server source outside

ntp server source outside prefer

ssl trust-point ASDM_TrustPoint0 outside


enable outside

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy Servpro internal

group-policy Servpro attributes

dns-server value

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Servpro_splitTunnelAcl

default-domain value servpro.local

username servpro password NtdaWcySmet6H6T0 encrypted privilege 15

username servpro attributes

service-type admin

username Integratechs password bHGJDrPmHaAZY/78 encrypted

tunnel-group Servpro type remote-access

tunnel-group Servpro general-attributes

address-pool ServProDHCPVPN

authentication-server-group Exch-Srv LOCAL

default-group-policy Servpro

tunnel-group Servpro webvpn-attributes

group-alias ServPro enable

tunnel-group Servpro ipsec-attributes

pre-shared-key *****


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp


service-policy global_policy global

prompt hostname context


profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily


: end


Accepted Solutions
Cisco Employee

Cisco IPSec VPN Client to LAN Connectivity

Most probably you are behind a PAT router when you are connected to VPN, so please enable the following:

crypto isakmp nat-traversal 30

Cisco Employee

Cisco IPSec VPN Client to LAN Connectivity

Most probably you are behind a PAT router when you are connected to VPN, so please enable the following:

crypto isakmp nat-traversal 30

Community Member

Cisco IPSec VPN Client to LAN Connectivity

Could you see if you have decrypted packages in the VPN tunnel?

Since you only have one VPN you can issue this command on the ASA 5505 and verify if you have encrypts and decrypts packages in the VPN.

Try to do a ping from de VPN client to the LAN segment and then type this command:

sh crypto ipsec sa | in encrypt|decrypt

Please check the Client PC routing table (route print if it is Windows) and see if you have the route added from the VPN client. You also can check directly on the VPN client  : Status > Statistics > Route Details.

After that post the results again!

Community Member

Re: Cisco IPSec VPN Client to LAN Connectivity

The VPN client shows no Local LAN Routes but has under Secured Routes

There are no encrypts or decrypts.

spp-provo-001-fwl-001(config)# sh crypto ipsec sa | in encrypt|decrypt

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Community Member

Re: Cisco IPSec VPN Client to LAN Connectivity

I added the command crypto isakmp nat-traversal 30 but I am still unable to get access to the LAN

spp-provo-001-fwl-001(config)# show run | i nat-trav

crypto isakmp nat-traversal 30

Edit: I didn't restart the client connection after I made the edit. After restarting the VPN client that seems to have done the trick! Can you explain what that command does exactly? Thanks!

Message was edited by: David Engel

Community Member

Re: Cisco IPSec VPN Client to LAN Connectivity

no access-list inside_nat0_outbound extended permit ip any

access-list inside_nat0_outbound extended permit ip

Sent from Cisco Technical Support iPhone App

Community Member

Cisco IPSec VPN Client to LAN Connectivity

Clinton, I changed the configs as you requested but I still didn't have any successs getting access to the LAN.

Community Member

Cisco IPSec VPN Client to LAN Connectivity

You can issue the following two commands on the ASA and then try to ping a device from the client that is connected to VPN:

debug crypto ipsec

term mon

Please post results.

Community Member

Cisco IPSec VPN Client to LAN Connectivity

Clinton, I appreciate your help with this issue. I was able to resolve the issue using the

crypto isakmp nat-traversal 30 command. Thanks again!

CreatePlease to create content