10-29-2008 02:29 PM - edited 02-21-2020 03:04 AM
The LAN has the 10.10.10.0/24 IP pool and the ASA has the 10.10.11.0/24 pool. When I connect to the ASA from inside the network, I can't get to any node in the network, but I can when I am outside the network. I need to connect to all nodes even when I am inside the network connecting to the ASA. Please advise.
10-30-2008 01:28 PM
Can you provide topology information, what connects to ASA inside and outside parameters.
10-30-2008 01:53 PM
inside: 10.10.10.254
outside: 98.x.x.x
We set up an internal address pool of 10.10.11.x for all VPN users. Again, everything works just fine when a VPN user connects from outside our network (wireless in DMZ or home), but when a VPN user connects while he is within our network (10.10.10.x), he can't get to the internal network.
10-31-2008 09:01 AM
John, thanks for the info, but still a bit unclear from above.
inside 10.10.10.0 understood
outside 98.x.x.x understood
RA vpn pool 10.10.11.0 understood
From your description, RA VPN users connect OK and I assume they get 10.10.11.0 addresses from the VPN pool; you also indicate they can access all of the 10.10.10.0 net resources in the inside LAN.
Is this correct?
Now I'm not too sure when you indicate:
"but when a vpn user connects while he is within our network (10.10.10.x), he can't get to the internal network."
This is the part that is not clear. A VPN user is assumed to come from the outside world, so that user is not in your LAN. Or are you implying that a user within your LAN VPNs outbound to another RA server outside and therefore can no longer access the local LAN 10.10.10.x? Or is it that the VPN user coming from the outside connects OK but cannot access LAN resources? If so, this is simple to resolve, but could you please clarify this part so we can understand what the actual problem is and assist you better.
Rgds
Jorge
10-31-2008 11:02 AM
Thank you so much for your help, Jorge.
"From your description, RA VPN users connect OK and I assume they get 10.10.11.0 addresses from the VPN pool; you also indicate they can access all of the 10.10.10.0 net resources in the inside LAN.
Is this correct?"
Yes, correct.
"This is the part that is not clear. A VPN user is assumed to come from the outside world, so that user is not in your LAN. Or are you implying that a user within your LAN VPNs outbound to another RA server outside and therefore can no longer access the local LAN 10.10.10.x? Or is it that the VPN user coming from the outside connects OK but cannot access LAN resources? If so, this is simple to resolve, but could you please clarify this part so we can understand what the actual problem is and assist you better."
I am saying the following.
When a user connects to the ASA at home, everything works as it is supposed to. But when the same VPN user brings the same computer into our LAN, gets a 10.10.10.0 IP, and makes a connection to the same ASA via the ASA's outside interface (98.x.x.x), the connection is successful but he can't get to any of the 10.10.10.0 network.
Does that clarify? Thanks again, Jorge.
10-31-2008 12:15 PM
John,
Understood now. Hmmm, indeed strange. This is what we could do to try isolating the problem and confirming some local connectivity.
Since 10.10.10.0/24 is routed through the ASA firewall, with 10.10.10.254 as all hosts' default gateway, load your ASDM real-time log and note traffic while trying to ping from the user's laptop to any other hosts on the same 10.10.10.0/24 segment. I am sure you have probably checked, but from the user's laptop have you verified the machine is getting a proper 10.10.10.x address with the correct mask and DG given from ASA DHCP? If the ASA is your inside DHCP server, go to the ASA command line and issue:
asa# show dhcpd binding - to confirm hosts IP assignment is there for
Try pinging from the ASA itself towards that particular user's 10.10.10.X address to confirm local connectivity from the ASA to the laptop.
Also, from the laptop take note of the complete output of ipconfig, and note all its current adapter bindings:
C:\> ipconfig /all
It seems this could be more of a settings issue on the machines, but confirm the above.
Also, what ASA code version? show ver
And what version of VPN client?
Rgds
Jorge
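The address, mask and gateway check suggested in the post above can be run over saved `ipconfig /all` output. This is an added example, not code from the thread: the sample output, adapter names and host addresses are constructed, and the check for another adapter whose network overlaps the LAN is an extra assumption, not something the thread diagnoses.

```python
import ipaddress
import re

# Values taken from the thread; everything else below is constructed.
LAN = ipaddress.ip_network("10.10.10.0/24")
VPN_POOL = ipaddress.ip_network("10.10.11.0/24")
ASA_INSIDE = ipaddress.ip_address("10.10.10.254")

# Constructed sample of `ipconfig /all` output (adapter names and hosts are made up).
SAMPLE = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.10.10.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254

Ethernet adapter Local Area Connection 2:
   IP Address. . . . . . . . . . . . : 10.10.11.5
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

FIELD = re.compile(r"^\s+(IP(?:v4)? Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]*)")

def parse_adapters(text):
    """Return {adapter name: {field: value}} for the three fields of interest."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m and m.group(2):  # skip fields with no value
                current[m.group(1).replace("IPv4", "IP")] = m.group(2)
    return adapters

def check(adapters):
    """List deviations from the addressing described in the thread."""
    findings = []
    for name, f in adapters.items():
        if "IP Address" not in f or "Subnet Mask" not in f:
            continue
        iface = ipaddress.ip_interface(f["IP Address"] + "/" + f["Subnet Mask"])
        role = "LAN" if iface.ip in LAN else "VPN pool" if iface.ip in VPN_POOL else "other"
        if role == "LAN" and iface.network != LAN:
            findings.append(f"{name}: mask {f['Subnet Mask']} does not match {LAN}")
        if role == "LAN" and f.get("Default Gateway") != str(ASA_INSIDE):
            findings.append(f"{name}: default gateway is not {ASA_INSIDE}")
        if role != "LAN" and iface.network.overlaps(LAN):
            findings.append(f"{name}: {role} adapter network {iface.network} overlaps {LAN}")
    return findings
```

Calling `check(parse_adapters(text))` on real output returns an empty list when every adapter matches the addressing given in the thread.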