Split Tunnel somehow not working

JesseRely
Level 1

Hello,

At our client I configured Split Tunneling on an ASA but somehow it doesn't seem to function.

I have the feeling I'm missing something but I don't see what.

Situation as follows:

Network: 10.38.11.192 255.255.255.224

group-policy VPNCLIENTS attributes
 dns-server value 10.38.11.203
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_VDDnew

access-list Split_Tunnel_VDD standard permit 10.38.11.192 255.255.255.224

ip local pool VPNDHCP 10.38.12.1-10.38.12.100

I don't see what is wrong here since the same setup is used at other clients.

Hope someone can help.

Greetings Jesse

11 Replies

andrea.meconi
Level 2

Please verify your ACL name.

Andrea

Woops, copied an old ACL, correct split-tunnel list:

access-list Split_Tunnel_VDDnew extended permit ip 10.38.11.192 255.255.255.224 10.38.12.0 255.255.255.0

Hello Jesse.

You can use the standard ACL to specify the network behind the ASA.

Can you remove the NAT statement, please?

Sorry, should have mentioned it before but I'm fairly new to this.

Isn't the NAT statement mandatory since my external address is bound to it?

Also, what do you mean by standard ACL, or does NAT look at the standard ACL once you remove it?

Again sorry, I started doing ASAs and PIXs recently and find them awfully cryptic sometimes.

Hi Andrea,

That's the ironic part, I followed that manual exactly. I even had our Senior Network Engineer take a look at it and he also said "Weird... it should work".

Therefore I have the feeling I'm missing something.

Can you provide all VPN configuration?

Have you set the default group policy when defining the tunnel-group?

tunnel-group XXXXXXX general-attributes
 default-group-policy VPNCLIENTS

Ok, thanks for the response, I am currently unable to log onto the ASA. I'll get back to you once I'm able to.

Hello Jesse,

Andrea's advice (default-group-policy) should do it.

If that does not make a difference please post entire configuration.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jesse,

The config looks fine. When you say it is not working, what exactly is the issue? VPN clients unable to access the internal network? A few things you need to check...

1. nat 0 access-list for the internal network to the remote VPN client subnet.

2. same-security-traffic permit intra-/inter-interface allowed (check the syntax for this command).

3. A route on the internal routers that points traffic for the VPN subnets to the ASA inside interface (a default route should do as well).

hth

MS
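Two of the points raised in this thread (Andrea's: the ACL named in split-tunnel-network-list must exist and the tunnel-group must bind the group-policy via default-group-policy; MS's: check the rest of the config) can be caught before a client ever connects. The following checker is an added example, not code from the thread or from Cisco; it parses a constructed ASA config that mirrors Jesse's mismatch (Split_Tunnel_VDD vs. Split_Tunnel_VDDnew), and the tunnel-group name VDD-VPN is an assumption.

```python
import re

# Constructed sample mirroring the thread: the split list named in the
# group-policy does not match the ACL that exists, and no tunnel-group
# binds VPNCLIENTS with default-group-policy.
SAMPLE_CONFIG = """\
access-list Split_Tunnel_VDD standard permit 10.38.11.192 255.255.255.224
ip local pool VPNDHCP 10.38.12.1-10.38.12.100
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 dns-server value 10.38.11.203
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_VDDnew
tunnel-group VDD-VPN type remote-access
tunnel-group VDD-VPN general-attributes
 address-pool VPNDHCP
"""

def lint_split_tunnel(config):
    """Return a list of findings for split-tunnel wiring problems (hypothetical checker)."""
    acl_types = {}   # ACL name -> "standard" | "extended"
    policies = {}    # group-policy name -> {"list": split ACL name or None}
    bound = set()    # group-policies referenced by some default-group-policy
    current = None   # (section kind, name) of the sub-command block being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (standard|extended) ", line):
            acl_types[m.group(1)] = m.group(2)
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = ("gp", m.group(1))
            policies.setdefault(m.group(1), {"list": None})
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            current = ("tg", m.group(1))
        elif not raw.startswith(" "):
            current = None   # any other top-level command ends the block
        elif current and current[0] == "gp" and (m := re.match(r"split-tunnel-network-list value (\S+)", line)):
            policies[current[1]]["list"] = m.group(1)
        elif current and current[0] == "tg" and (m := re.match(r"default-group-policy (\S+)", line)):
            bound.add(m.group(1))
    findings = []
    for gp, info in policies.items():
        acl = info["list"]
        if acl is None:
            continue   # no split tunneling configured on this policy
        if acl not in acl_types:
            findings.append(f"{gp}: split list '{acl}' is not a defined ACL")
        elif acl_types[acl] != "standard":
            findings.append(f"{gp}: split list '{acl}' is {acl_types[acl]}, expected standard")
        if gp not in bound:
            findings.append(f"{gp}: no tunnel-group sets default-group-policy {gp}")
    return findings
```

Running it on the sample reports the undefined ACL and the unbound group-policy; once the list name is corrected and the tunnel-group gets its default-group-policy line, it returns no findings.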

Sorry for the slow response, I'm at a different client today and not able to provide answers until tomorrow.
