Remote access VPN Issue


Hi, we have an issue whereby we connect to various customers, and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.

We have 1 customer that we have some issues with. We can connect from the LAN through to the customer's VPN, authenticate and establish a tunnel, but we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. Any ideas what could cause this issue?

Below is a copy of the config:

interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x

object-group network Offsite-Authorised-VPNPoints
network-object x.x.x.x
network-object x.x.x.x
network-object x.x.x.x
network-object x.x.x.x
network-object x.x.x.x
network-object x.x.x.x

object-group network Onsite-Authorised-VPNPoints
object-group service VPNports
service-object udp eq isakmp
service-object tcp eq 10000
service-object udp eq 4500
service-object gre
service-object esp
service-object tcp eq pptp

access-list INSIDE extended permit tcp host eq 445
access-list INSIDE extended deny object-group Blocked-MS-ports any any
access-list INSIDE extended permit object-group VPNports object-group Onsite-Authorised-VPNPoints object-group Offsite-Authorised-VPNPoints
access-list INSIDE extended permit tcp object-group Outbound-SMTP-Servers any eq smtp
access-list INSIDE extended deny tcp any eq smtp
access-list INSIDE extended permit ip any
access-list INSIDE extended deny ip any any

global (outside) 1 interface
nat (inside) 1
static (outside,inside) tcp www 8800 netmask
static (inside,outside) 203.x.x.x netmask dns
static (inside,outside) 203.x.x.x netmask dns
static (inside,outside) 203.x.x.x netmask dns
static (inside,outside) 203.x.x.x netmask dns
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
route outside 203.x.x.x 1

crypto isakmp nat-traversal 30

class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect pptp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect ipsec-pass-thru


Jennifer Halim
Cisco Employee

Most likely the VPN server has not had NAT-T enabled, hence it is using ESP packets for Phase 2.

When you are connecting from the outside, it doesn't go through a PAT device, hence it works just fine.

Find out if NAT-T is enabled on the VPN server and enable it.
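The distinction this answer rests on can be confirmed from a packet capture taken on the inside interface while the client brings the tunnel up: Phase 1 is IKE on UDP 500 either way, but Phase 2 is either raw ESP (IP protocol 50, nothing for the ASA's `nat (inside) 1` / `global (outside) 1 interface` PAT to translate) or, with NAT-T, ESP wrapped in UDP 4500. The following is an added example, not code from the thread or from Cisco: it builds a few constructed frames of each kind and classifies them the way a capture-analysis script would, using the 4-byte zero "non-ESP marker" that separates IKE from ESP on port 4500. Addresses and SPI values are made up.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500      # ISAKMP
NATT_PORT = 4500    # NAT-T: IKE with a 4-byte zero marker, or ESP in UDP


@dataclass
class PacketSummary:
    src: str
    dst: str
    kind: str            # "IKE", "IKE over NAT-T", "ESP in UDP", "raw ESP" or "other"
    spi: Optional[int] = None


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options). Checksum is left 0: these
    frames are constructed for offline parsing and never put on the wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _esp(spi: int, seq: int = 1) -> bytes:
    # ESP header = SPI (4 bytes) + sequence number (4 bytes), then ciphertext.
    # SPI 0 is reserved, which is what makes the NAT-T zero marker unambiguous.
    return struct.pack("!II", spi, seq) + b"\xaa" * 16


# 28-byte dummy ISAKMP header (two 8-byte SPIs, next payload, version, exchange, flags, msg id, length)
ISAKMP_HDR = b"\x11" * 8 + b"\x22" * 8 + b"\x02\x10\x04\x00" + b"\x00" * 8


def classify(pkt: bytes) -> PacketSummary:
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return PacketSummary(src, dst, "raw ESP", struct.unpack("!I", payload[:4])[0])
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return PacketSummary(src, dst, "IKE")
        if NATT_PORT in (sport, dport) and len(data) >= 4:
            marker = struct.unpack("!I", data[:4])[0]
            if marker == 0:
                return PacketSummary(src, dst, "IKE over NAT-T")
            return PacketSummary(src, dst, "ESP in UDP", marker)
    return PacketSummary(src, dst, "other")


def diagnose(summaries: List[PacketSummary]) -> str:
    kinds = {s.kind for s in summaries}
    if "ESP in UDP" in kinds:
        return "natt"        # Phase 2 is UDP-encapsulated, so PAT has ports to translate
    if "raw ESP" in kinds:
        return "raw-esp"     # protocol 50 carries no ports; check NAT-T on the VPN server
    return "no-phase2"


CLIENT, SERVER = "192.168.1.20", "203.0.113.10"   # constructed addresses


def capture_without_natt() -> List[bytes]:
    return [
        _ipv4(CLIENT, SERVER, IPPROTO_UDP, _udp(IKE_PORT, IKE_PORT, ISAKMP_HDR)),
        _ipv4(CLIENT, SERVER, IPPROTO_ESP, _esp(0x0001ABCD)),
    ]


def capture_with_natt() -> List[bytes]:
    return [
        _ipv4(CLIENT, SERVER, IPPROTO_UDP, _udp(IKE_PORT, IKE_PORT, ISAKMP_HDR)),
        _ipv4(CLIENT, SERVER, IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + ISAKMP_HDR)),
        _ipv4(CLIENT, SERVER, IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, _esp(0x0001ABCD))),
    ]


if __name__ == "__main__":
    for name, cap in (("without NAT-T", capture_without_natt()), ("with NAT-T", capture_with_natt())):
        summaries = [classify(p) for p in cap]
        print(name, [s.kind for s in summaries], "->", diagnose(summaries))
```

If a real capture shows IKE on UDP 500 followed by protocol 50 and nothing on UDP 4500, the client and server never negotiated NAT-T, which matches the symptom in the question: Phase 1 and 2 complete, but the ESP that should carry the traffic has no ports for the PAT rule to rewrite.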

Scott Conklin

Another possibility is that, since you say this remote access connection works fine for other customers, your local LAN subnet is the same as the remote end LAN subnet. For example, if your LAN is, and the remote LAN is the same, when you connect via the VPN Client and attempt to access resources on the remote LAN, your local machine thinks you are trying to access resources on your local subnet, so it never makes it over the RA VPN tunnel. This would explain it working from a public Internet connection but not within your office.
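The overlap check this answer suggests is easy to script before anyone is sent off-site to test. The following is an added example, not code from the thread: given the office LAN prefix and the networks the VPN client is supposed to reach, it lists the ranges that collide and, for a given destination, shows which route a client would follow. It assumes the behaviour described in the answer, namely longest-prefix match with the directly connected LAN route winning a tie, so a remote host whose address also sits in the local subnet is treated as on-link and never enters the tunnel. The subnets are constructed sample values; the thread does not give the real ones.

```python
import ipaddress
from typing import Iterable, List, Tuple


def find_overlaps(local_lan: str, vpn_networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (vpn_network, shared_range) for every VPN-side network that
    collides with the office LAN. The shared range is the more specific of the two."""
    local = ipaddress.ip_network(local_lan, strict=False)
    overlaps = []
    for net in vpn_networks:
        remote = ipaddress.ip_network(net, strict=False)
        if local.overlaps(remote):
            shared = remote if remote.prefixlen >= local.prefixlen else local
            overlaps.append((str(remote), str(shared)))
    return overlaps


def route_decision(dst: str, local_lan: str, vpn_networks: Iterable[str]) -> str:
    """Which way a client sends a packet: 'local-lan', 'tunnel' or 'default'.
    Longest prefix wins; on a tie the connected LAN route is assumed to win,
    which is the failure mode the answer describes (assumption, not a rule taken
    from any particular client or OS)."""
    ip = ipaddress.ip_address(dst)
    local = ipaddress.ip_network(local_lan, strict=False)
    best_kind, best_len = "default", -1
    if ip in local:
        best_kind, best_len = "local-lan", local.prefixlen
    for net in vpn_networks:
        n = ipaddress.ip_network(net, strict=False)
        if ip in n and n.prefixlen > best_len:      # strictly longer: ties stay local
            best_kind, best_len = "tunnel", n.prefixlen
    return best_kind


# Constructed scenario: office LAN and the customer's LAN both use 192.168.1.0/24,
# while a second customer network does not collide.
OFFICE_LAN = "192.168.1.0/24"
CUSTOMER_NETWORKS = ["192.168.1.0/24", "10.50.0.0/16"]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(OFFICE_LAN, CUSTOMER_NETWORKS))
    for host in ("192.168.1.25", "10.50.3.7", "8.8.8.8"):
        print(host, "->", route_decision(host, OFFICE_LAN, CUSTOMER_NETWORKS))
    # From a public hotspot the client's own prefix differs, so the same host goes into the tunnel.
    print("from hotspot:", route_decision("192.168.1.25", "172.16.40.0/24", CUSTOMER_NETWORKS))
```

Running it from the office prefix reports the 192.168.1.0/24 collision and sends 192.168.1.25 to the local LAN, while the same destination from a hotspot prefix goes into the tunnel, which is exactly the "works from outside, not from the office" pattern in the question. The fix on the client side is to readdress one of the two LANs or have the remote end push a more specific route.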

I did think of this and got it checked. Thanks
