14818 Views, 5 Helpful, 22 Replies

VPN CLIENT CAN'T ACCESS INSIDE NETWORK

ccsoofficelan (Level 1)

Hi,

Please find below the configuration of my firewall.


ASA Version 7.2(3)

!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
  mtu VPN-TEST 1500

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

My VPN users connect and get an IP from the pool, but from there they don't seem to go any further into the inside network. I am very new to this, and I am sure I have missed some detail.

Please advise.

Hassan

22 Replies

Well, I will have to check upstream whether IPsec over TCP port 10000 is allowed.

But if it wasn't, then why does it connect? It shouldn't connect in the first place.
Moreover, I noticed the following in my VPN client log after connection.

63     18:24:15.515  12/01/10  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 1: code 87
Destination 192.168.93.255
Netmask 255.255.255.255
Gateway 192.168.96.9
Interface 192.168.96.9

64     18:24:15.515  12/01/10  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a85dff, Netmask: ffffffff, Interface: c0a86009, Gateway: c0a86009.

What is it complaining about?
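The two log entries above describe the same failed route twice: the AddRoute entry in dotted-quad form and the "Unable to add route" entry as raw 32-bit hex words. As an added example (not code from this thread and not a Cisco tool), the script below parses both forms of the Cisco VPN Client log, decodes the hex words, and cross-checks that the two entries agree. The log text is embedded as a constructed sample copied from the post; nothing else is assumed about the client.

```python
"""Decode Cisco VPN Client route-failure log entries (added example)."""
import ipaddress
import re

# Constructed sample input: the two log entries quoted in the post above.
SAMPLE_LOG = """\
63     18:24:15.515  12/01/10  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 1: code 87
Destination 192.168.93.255
Netmask 255.255.255.255
Gateway 192.168.96.9
Interface 192.168.96.9

64     18:24:15.515  12/01/10  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a85dff, Netmask: ffffffff, Interface: c0a86009, Gateway: c0a86009.
"""

# 'Unable to add route' line: every field is an 8-hex-digit big-endian IPv4 word.
HEX_ROUTE_RE = re.compile(
    r"Unable to add route\. Network: (?P<network>[0-9a-fA-F]{8}), "
    r"Netmask: (?P<netmask>[0-9a-fA-F]{8}), "
    r"Interface: (?P<interface>[0-9a-fA-F]{8}), "
    r"Gateway: (?P<gateway>[0-9a-fA-F]{8})"
)

# 'AddRoute failed' block: dotted-quad fields on the lines that follow it.
DOTTED_ROUTE_RE = re.compile(
    r"AddRoute failed to add a route with metric of \d+: code (?P<code>\d+)\s*"
    r"Destination (?P<network>[\d.]+)\s*"
    r"Netmask (?P<netmask>[\d.]+)\s*"
    r"Gateway (?P<gateway>[\d.]+)\s*"
    r"Interface (?P<interface>[\d.]+)"
)


def hex_to_ip(word: str) -> str:
    """Convert an 8-hex-digit IPv4 word such as c0a85dff to 192.168.93.255."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def _entry(network: str, netmask: str, gateway: str, interface: str) -> dict:
    """Normalise one route into a prefix plus next-hop details."""
    prefix = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
    return {
        "route": str(prefix),
        "gateway": gateway,
        "interface": interface,
        "host_route": prefix.prefixlen == 32,
    }


def decode_route_failures(log_text: str) -> list:
    """Return decoded entries from both log formats, tagged with their source."""
    entries = []
    for m in DOTTED_ROUTE_RE.finditer(log_text):
        e = _entry(m["network"], m["netmask"], m["gateway"], m["interface"])
        e.update(source="AddRoute", code=int(m["code"]))
        entries.append(e)
    for m in HEX_ROUTE_RE.finditer(log_text):
        e = _entry(hex_to_ip(m["network"]), hex_to_ip(m["netmask"]),
                   hex_to_ip(m["gateway"]), hex_to_ip(m["interface"]))
        e.update(source="UnableToAddRoute")
        entries.append(e)
    return entries


def entries_agree(entries: list) -> bool:
    """True when every hex entry has a dotted-quad twin with the same route and next hop."""
    def key(e):
        return (e["route"], e["gateway"], e["interface"])
    dotted = {key(e) for e in entries if e["source"] == "AddRoute"}
    return all(key(e) in dotted for e in entries if e["source"] == "UnableToAddRoute")


if __name__ == "__main__":
    decoded = decode_route_failures(SAMPLE_LOG)
    for e in decoded:
        print(e)
    print("entries agree:", entries_agree(decoded))
```

Decoded, the hex entry reads 192.168.93.255/32 via gateway 192.168.96.9 on interface 192.168.96.9: a host route for the directed broadcast address of the 192.168.93.0/24 inside network, pointed at the client's own pool address. Decoding the words is what makes the second entry readable; the thread itself does not say why the route install fails.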

Negotiation of ISAKMP happens on UDP 500 or 4500 (if there is any NATting device between client and ASA), but when the tunnel comes up the data becomes ESP (IP protocol 50). So if any device between client and ASA allows UDP 500 but blocks ESP, the tunnel will come up on the UDP ports, but when the client tries to pass some traffic through the tunnel it will become ESP and will get routed to the public IP address of the ASA. But if that ESP packet is blocked somewhere in between, the ASA will never receive the packets.

There are some devices which don't do NAT for ESP packets. Currently NAT traversal is already enabled on the ASA, so the tunnel may come up on UDP 4500.

So make sure that UDP 4500 and ESP are not blocked between the client and ASA.

Regards

Ashish

Can you please share the latest full config of your ASA?

Hello Jennifer.

Glad to hear from you.

Well, I have enclosed the VPN client status screenshot after connecting.

Please note my VPN clients connect and then cannot reach my servers in the INSIDE network.

Well, here is my ASA config output.

==============================================

ASA Version 7.2(3)
!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
!
interface GigabitEthernet0/1
description local lan
nameif inside
security-level 100
ip address 192.168.93.249 255.255.255.0

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

192.168.100.0 255.255.255.0 1/0 via 192.168.93.250, inside

=============================================================

Just to summarize.

ASA VPN INTERFACE =  192.168.92.1

ASA VPN POOL = 192.168.96.1 - 192.168.96.14

ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750
DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30


ASA: here there is already a route present for 192.168.100.0 via 192.168.93.250
CISCO 3750: here there is already a route present for the VPN pool (192.168.96.0) via 192.168.93.249 in the 3750

Please advise.

Hassan
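Both Ashish's point about UDP 500/4500 and ESP and the question of what the split-tunnel list actually contains come down to reading the posted configuration line by line. As an added example (not code from this thread and not a Cisco tool), the script below parses the configuration lines quoted above (embedded as a constructed sample) the way a reviewer would: it collects the names the config defines (access-lists, ip local pools, interface nameifs, group-policies), checks every reference against them, and lists the IKE/IPsec transports the config enables so the administrator knows which protocols and ports to verify on the path. In this config the group-policy references corpvpnsiem_splitTunnelAcl_1 while the access-list defined is corpvpnsiem_splitTunnelAcl; the script reports that mismatch, although the thread itself does not establish whether it is the cause.

```python
"""Lint a Cisco ASA remote-access VPN configuration for dangling references
(added example, not code from the thread or from Cisco)."""
import re

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif VPN-TEST
 security-level 0
 ip address 192.168.92.1 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.93.249 255.255.255.0
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp nat-traversal  90
crypto isakmp ipsec-over-tcp port 10000
group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
 default-group-policy corpvpnsiem
"""

# Lines that define a name, keyed by the kind of object they define.
DEFINITIONS = {
    "access-list": re.compile(r"^access-list (\S+)"),
    "pool": re.compile(r"^ip local pool (\S+)"),
    "interface": re.compile(r"^nameif (\S+)"),
    "group-policy": re.compile(r"^group-policy (\S+) internal"),
}

# Lines that reference a name of the given kind.
REFERENCES = [
    ("access-list", re.compile(r"^split-tunnel-network-list value (\S+)")),
    ("access-list", re.compile(r"^access-group (\S+) in interface")),
    ("interface", re.compile(r"^access-group \S+ in interface (\S+)")),
    ("interface", re.compile(r"^crypto map \S+ interface (\S+)")),
    ("interface", re.compile(r"^crypto isakmp enable (\S+)")),
    ("pool", re.compile(r"^address-pool (\S+)")),
    ("group-policy", re.compile(r"^default-group-policy (\S+)")),
]


def lint_asa_vpn_config(text: str) -> dict:
    """Return dangling references and the IKE/IPsec transports the config enables."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]

    # Pass 1: collect every defined name per kind.
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:
        for kind, pattern in DEFINITIONS.items():
            if m := pattern.match(line):
                defined[kind].add(m[1])

    # Pass 2: every reference must resolve to a name of the same kind.
    dangling = []
    for line in lines:
        for kind, pattern in REFERENCES:
            m = pattern.match(line)
            if m and m[1] not in defined[kind] and (kind, m[1]) not in dangling:
                dangling.append((kind, m[1]))

    # IKE negotiates on UDP/500 and the tunnel data is ESP; NAT-T (UDP/4500)
    # and IPsec over TCP are only available when the config turns them on.
    transports = ["UDP/500 (ISAKMP)", "ESP (IP protocol 50)"]
    for line in lines:
        if line.startswith("crypto isakmp nat-traversal"):
            transports.append("UDP/4500 (NAT-T)")
        elif m := re.match(r"^crypto isakmp ipsec-over-tcp port (\d+)", line):
            transports.append(f"TCP/{m[1]} (IPsec over TCP)")

    return {"dangling": dangling, "transports": transports}


if __name__ == "__main__":
    report = lint_asa_vpn_config(SAMPLE_CONFIG)
    for kind, name in report["dangling"]:
        print(f"dangling {kind} reference: {name}")
    print("transports to verify on the path:", ", ".join(report["transports"]))
```

The two-pass structure matters: the ASA accepts a reference to a not-yet-defined name, so a single pass would report false positives for any object defined later in the file. The transport list is what to hand to whoever controls the upstream devices Ashish mentions: for this config it is UDP/500, UDP/4500, ESP and TCP/10000.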

ccsoofficelan (Level 1)

Guys, I am waiting for an update... please, I need help with this.

I apologize if you already answered this in earlier posts, but can your ASA ping the servers that the VPN clients are trying to access? Also, have you tried actually specifying the 192.168.100.x/24 network in the split tunnel access-list to see if that works? I see that you are permitting any, but it is worth a try at this point.

Hi Hassan,

Did you check the connectivity from a different location?

Regards

Ashish