https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770077#M1053912 <HTML><HEAD></HEAD><BODY><P>Any thing on the internal network is not reachable</P></BODY></HTML> Sun, 15 Jul 2007 08:40:04 GMT mkmzaman 2007-07-15T08:40:04Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770072#M1053904 <P>When a remote vpn client connects he can ssh to dmz network but cannot able to do ssh on the internal network.</P><P>There are 2 types of VPN are installed. First is Site-site and the second is remote vpnclient. please help me out.</P> Fri, 21 Feb 2020 09:36:18 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770072#M1053904 mkmzaman 2020-02-21T09:36:18Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770073#M1053908 <HTML><HEAD></HEAD><BODY><P>Could you post a sanitized config from the ASA? </P><P></P><P>Is the traffic between the inside network and the vpn client subnet exempted from nat?</P><P></P><P>Is there any split tunnel configured?</P></BODY></HTML> Wed, 11 Jul 2007 13:33:02 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770073#M1053908 acomiskey 2007-07-11T13:33:02Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770074#M1053909 <HTML><HEAD></HEAD><BODY><P>access-list inside_outbound_nat0_acl extended permit ip INSIDE-NET 255.255.255.0 192.168.70.0 255.255.255.0 </P><P>access-list dmz_outbound_nat0_acl extended permit ip DMZ-NET 255.255.255.0 192.168.70.0 255.255.255.0 </P><P>access-list dmz_outbound_nat0_acl extended permit ip any host 10.1.19.4 </P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>nat (inside) 1 INSIDE-NET 255.255.255.0</P><P>nat (dmz) 0 access-list dmz_outbound_nat0_acl</P><P>nat (dmz) 1 DMZ-NET 255.255.255.0</P><P></P><P>Split tunnel is enabled</P><P></P></BODY></HTML> Wed, 11 Jul 2007 13:40:03 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770074#M1053909 mkmzaman 2007-07-11T13:40:03Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770075#M1053910 <HTML><HEAD></HEAD><BODY><P>please find attached the configs</P><P></P><P> </P><P></P></BODY></HTML> Wed, 11 Jul 2007 13:53:58 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770075#M1053910 mkmzaman 2007-07-11T13:53:58Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770076#M1053911 <HTML><HEAD></HEAD><BODY><P>The config looks ok. The inside network is exempted from nat to the vpn client subnet and is also included in the split tunnel acl. Can you ping any devices on the inside network or is it specifically ssh traffic?</P></BODY></HTML> Fri, 13 Jul 2007 18:50:28 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770076#M1053911 acomiskey 2007-07-13T18:50:28Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770077#M1053912 <HTML><HEAD></HEAD><BODY><P>Any thing on the internal network is not reachable</P></BODY></HTML> Sun, 15 Jul 2007 08:40:04 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770077#M1053912 mkmzaman 2007-07-15T08:40:04Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770078#M1053913 <HTML><HEAD></HEAD><BODY><P>I tried to SSH to Internal network, the syslog gives the following:</P><P>3 Jul 16 2007 18:13:40 713042 IKE Initiator unable to find policy: Intf 1, Src: 192.168.60.10, Dst: 192.168.70.8</P><P></P><P>Please help me out.</P><P></P></BODY></HTML> Tue, 17 Jul 2007 03:53:42 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770078#M1053913 mkmzaman 2007-07-17T03:53:42Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770079#M1053914 <HTML><HEAD></HEAD><BODY><P>Try this...</P><P></P><P>crypto map outside_map interface outside</P><P>crypto isakmp identity address</P><P>no crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P></P><P></P><P>This is all you should need. I would clean out all the rest.</P><P></P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto isakmp identity address</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 30</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P></BODY></HTML> Tue, 17 Jul 2007 11:50:29 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770079#M1053914 acomiskey 2007-07-17T11:50:29Z https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770080#M1053915 <HTML><HEAD></HEAD><BODY><P>Crypto map access list was conflicting with the site-site vpn. i have changed that, it started working.</P><P>thanks for the support</P></BODY></HTML> Tue, 24 Jul 2007 08:43:54 GMT https://community.cisco.com/t5/network-security/vpn-client-is-cannot-able-to-connect-to-the-internal-network/m-p/770080#M1053915 mkmzaman 2007-07-24T08:43:54Z