Cisco Support Community
VPN can access internet but not internal network

I have an ASA 5540.

Here is my VPN config:

access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0

ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0

nat (inside) 0 access-list VPNRA

vpn-tunnel-protocol IPsec

When I connect to the VPN, I can access the internet. But I cannot access or ping anything that is in the internal network.

3 REPLIES

Re: VPN can access internet but not internal network

Did you use split tunneling?

vpn-tunnel-protocol IPsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test

access-list test standard permit 172.17.1.0 255.255.255.0 --> internal LAN subnet

hth

MS


Re: VPN can access internet but not internal network

ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0

access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0

access-list splittunnel standard permit 172.0.0.0 255.0.0.0

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

Still unable to connect to the internal network. I used packet tracer, and it fails at VPN NAT. On the internal Layer 3 switch, we added a static route, 10.17.70.0 255.255.255.0 10.0.0.2 (the ASA interface).


Re: VPN can access internet but not internal network

Do you have a NAT exemption rule that bypasses the LAN subnet to VPN pool from being selected to NAT?

Check the commands below:

access-list Private_nat0_outbound remark SSL VPN traffic exemption

access-list Private_nat0_outbound extended permit ip LOCAL-LAN 255.0.0.0 VPN-SSL 255.255.255.0

nat (Private) 0 access-list Private_nat0_outbound

nat (Public) 0 LOCAL-LAN 255.0.0.0

*LOCAL-LAN is "name 10.0.0.0 LOCAL-LAN"

*VPN-SSL is "name 10.32.2.x VPN-SSL" which is the vpn pool

Hope that helps.

(please rate the comment if you found it useful)
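An added example, not part of any reply in this thread: a small Python check of the condition the last reply asks about, namely that the ACL referenced by `nat (...) 0 access-list` has the VPN address pool as its destination. The sample config is constructed from lines quoted in the thread; the function name `check_nat_exemption` and the corrected ACL line in `FIXED` are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the pool and ACL from the second config in the thread,
# plus the nat line from the first post.
SAMPLE = """\
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
nat (inside) 0 access-list VPNRA
"""
# Assumed correction for illustration: the ACL destination is the pool subnet.
FIXED = SAMPLE.replace("172.0.0.0 255.0.0.0\n", "10.17.70.0 255.255.255.0\n")


def net(addr, mask):
    """Build a network from ASA-style 'address netmask' tokens."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_nat_exemption(config):
    """Return (pool, acl, covered) for every pool / nat 0 ACL pair.

    covered is True when some permit entry of the ACL has a destination
    network containing both ends of the pool range.
    """
    pools, acls, nat0 = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            # Only "addr mask addr mask" entries are parsed (no any/host/names).
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
    results = []
    for pool, (first, last) in pools.items():
        for acl in nat0:
            entries = acls.get(acl, [])
            covered = any(first in dst and last in dst for _, dst in entries)
            results.append((pool, acl, covered))
    return results


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE), ("corrected", FIXED)):
        for pool, acl, ok in check_nat_exemption(cfg):
            print(f"{label}: pool {pool} via {acl}: {'exempt' if ok else 'NOT exempt'}")
```
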
