Cisco Support Community

New Member

VPN IP Pool routing

Hi - I have an ASA5520 with IPSEC and SSL VPN setup. All works fine if I am content with accessing the inside network, but I also want to access the network in the subnet called "store". The security level is set to 90 on this interface but I cannot reach any resources there from any VPN connection. I thought the VPN client was dumped into the inside security level of 100, so therefore security should flow downhill. I guess I was wrong and was wondering if anyone could set me on the right path. The config is listed below. THANKS!!!!!


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.8
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address
interface GigabitEthernet0/3
 nameif store
 security-level 90
 ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
dns server-group DefaultDNS
object-group network Inside-all
 description Private Lab Networks
access-list outside_access_in extended permit ip any host log debugging
access-list inside_access_in extended permit ip any any
access-list store_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any
access-list outside_cryptomap extended permit ip any
access-list outside_cryptomap_1 extended permit ip any
access-list store-internal remark store internal network
access-list store-internal standard permit
ip local pool vpnpool mask
global (outside) 1 interface
global (store) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (management) 0
static (dmz,outside) 65.x.x.7 netmask
static (inside,store) netmask
static (dmz,inside) netmask
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group store_access_in in interface store
route outside 1
route inside 1
route store 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key *

 port 444
 enable outside
 enable store
 svc image disk0:/sslclient-win- 1
 svc enable
: end

New Member

Re: VPN IP Pool routing

I think you would need another ACL (VPN to store) and NAT 0 for store:

access-list store_nat0_outbound ip any

nat (store) 0 access-list store_nat0_outbound

If I am not wrong, those statements should help get the VPN clients to the store interface.

New Member

Re: VPN IP Pool routing

I have the same problem with communication to the LAN, although the nat0 setup is already there (details attached here):

access-list 101 extended permit ip

nat (inside) 0 access-list 101

SSL VPN details:

- LAN:

- SSL VPN pool:

- Tunnel Group: Test-WebVPNGroup

My environment:

- Cisco ASA 5520 v. 7.2(2)19,

- ASDM v. 5.2(2)

- SVC client: sslclient-win-

- Desktop: Win XP

Please assist.

New Member

Re: VPN IP Pool routing

Problem resolved by adding the reverse nat0 ACL (IP pool -> LAN):

access-list 101 extended permit ip
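The two fixes above (a nat 0 exemption ACL on the store interface, and an ACL entry pairing the LAN with the VPN pool) come down to one audit question: for each interface, is there a `nat (iface) 0 access-list` whose ACL actually covers the VPN pool? The script below is an added example, not code from this thread; it parses the relevant ASA 7.x lines (`nameif`, `ip local pool`, `access-list ... extended permit ip`, `nat (x) 0 access-list`) and reports the interfaces still missing such an exemption. The config fragment and all addresses are constructed, and it also flags the case this thread hits on the store interface, where an ACL exists but is never bound with a nat 0 statement.

```python
import ipaddress

# Constructed ASA 7.x config fragment modelled on the thread (all addresses are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/3
 nameif store
ip local pool vpnpool 192.0.2.10-192.0.2.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list store_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
global (store) 1 interface
"""

def _addr(tok, i):
    """Parse one ACL address operand at tok[i] ('any', 'host A', or 'A MASK'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_asa(text):
    """Return (interfaces, pools, acls, nat0): pools map name -> (first, last) address,
    acls map name -> [(src_net, dst_net)], nat0 maps interface -> bound ACL name."""
    ifaces, pools, acls, nat0 = [], {}, {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            ifaces.append(tok[1])
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]
    return ifaces, pools, acls, nat0

def covers(net, pool):
    """True if the whole pool range (first..last) lies inside net."""
    return pool[0] in net and pool[1] in net

def nat0_gaps(text, pool_name):
    """Interfaces with no bound nat 0 ACL entry covering the VPN pool in either direction."""
    ifaces, pools, acls, nat0 = parse_asa(text)
    pool = pools[pool_name]
    # An ACL that exists but is not referenced by 'nat (iface) 0' counts as absent.
    return [i for i in ifaces
            if not any(covers(s, pool) or covers(d, pool) for s, d in acls.get(nat0.get(i, ""), []))]
```

On the constructed sample this reports `['store']`, and adding `nat (store) 0 access-list store_nat0_outbound` clears it.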
