Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member



I need a help. It´s my first time configuring an ASA FIREWALL and have some trouble to find out. When a finshed the VPN configuration everything is working fine,  IP from windows server dhcp, user authentication with radius, but I have a question Why I can´t ping any host from Inside and another office where I created an route???

follow the config.

hostname ciscoasa


enable password 6U3abDgKXIPEI3sD encrypted

passwd 2KFQnbNIdI.2KYOU encrypted




interface Ethernet0/0

nameif inside

security-level 100

ip address


interface Ethernet0/1

nameif outside

security-level 0

ip address dhcp setroute


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0


no nameif

no security-level

no ip address



ftp mode passive

clock timezone BRST -3

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS


same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list VPN_Funcionarios standard permit

access-list inside_nat0_outbound extended permit ip any 255.255.255                                                                                        .128

access-list outside_nat0_outbound extended permit ip                                                                                      8 any

access-list inside_access_in extended permit ip any                                                                                       

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp deny any outside

no asdm history enable

arp timeout 14400

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

route outside 201.x.x.x 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server VPNTOTALBR protocol radius

aaa-server VPNTOTALBR (inside) host

timeout 5

key ******

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128                                                                                        -SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256                                                                                        -MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

telnet timeout 5

ssh inside

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1 aes128-sha1

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy VPNTOTALBR internal

group-policy VPNTOTALBR attributes

dns-server value

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-lock value VPNTOTALBR

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Funcionarios

username admin password BxbZW5I.NuwPZrmP encrypted privilege 15

username totalbr password Jm66i5yb9WnTmMbG encrypted privilege 15

tunnel-group VPNTOTALBR type remote-access

tunnel-group VPNTOTALBR general-attributes

authentication-server-group VPNTOTALBR

default-group-policy VPNTOTALBR


tunnel-group VPNTOTALBR ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns migrated_dns_map_1


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

policy-map TrafficVPN-policy


service-policy global_policy global

prompt hostname context

Everyone's tags (2)
Cisco Employee


what pool of address do you assign to the VPN client? it needs to be a unique subnet.

if you are assigning to the vpn client, then the following route needs to be removed:

route inside 1

CreatePlease login to create content