

Help: Inside network access issue over IPSEC VPN


I have an issue accessing the inside network of my temple over IPSec VPN from my home network.  This only happens when I connect from my home network using a Cisco ASA-5505. I have no problem accessing the inside network of my temple if I use a Netgear router or Clear Hotspot instead of the ASA-5505.  Here is the hardware detail:

At the temple, we are using a Cisco ASA 5510 and we have many IPSec site-to-site tunnels to different temples in the country.   Please see the attached configuration for my home ASA5505.  I have verified that none of my home networks are overlapping the temple's networks.

Please help.

PatminASA-01# sh run
: Saved

ASA Version 8.2(5)

hostname PatminASA-01
enable password 1234xyz encrypted
passwd 1234xyz encrypted

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1
switchport access vlan 3

interface Ethernet0/2
switchport access vlan 3

interface Ethernet0/3
switchport access vlan 3

interface Ethernet0/4
switchport access vlan 3

interface Ethernet0/5
switchport access vlan 3

interface Ethernet0/6
switchport access vlan 3

interface Ethernet0/7
switchport access vlan 3

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

interface Vlan3
nameif inside
security-level 100
ip address

ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip
access-list NONAT extended permit ip
access-list ST-SSL standard permit
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool IPP-SSL mask
ip local pool IPP-SEC mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1
nat (outside) 1
nat (inside) 0 access-list NONAT
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TSSET-SEC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN1-SEC 1 set transform-set TSSET-SEC
crypto dynamic-map DYN1-SEC 1 set reverse-route
crypto map MAP-SEC 1 ipsec-isakmp dynamic DYN1-SEC
crypto map MAP-SEC interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet inside
telnet timeout 10
ssh inside
ssh timeout 10
console timeout 0
management-access inside
dhcpd auto_config outside

dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy GP-SSL internal
group-policy GP-SSL attributes
dns-server value
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ST-SSL
address-pools value IPP-SSL

  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 20
username pinesh password 1234xyz encrypted
username pinesh attributes
service-type remote-access
tunnel-group PROF-SSL type remote-access
tunnel-group PROF-SSL general-attributes
default-group-policy GP-SSL
tunnel-group PROF-SSL webvpn-attributes
group-alias PATMIN-Office enable
tunnel-group TG-SEC type remote-access
tunnel-group TG-SEC general-attributes
address-pool IPP-SEC
tunnel-group TG-SEC ipsec-attributes
pre-shared-key 1234xyz

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
prompt hostname context
call-home reporting anonymous

: end



Help: Inside network access issue over IPSEC VPN


Is the IPsec tunnel coming up? If not, paste sh cry isakmp, sh cry ipsec, debug cry isakmp and debug cry ips.

If it's up, check the routing.




Help: Inside network access issue over IPSEC VPN

Thanks Pranesh,

I haven't checked the IPsec tunnel, but I assumed that since I get a successful connection to the VPN tunnel, the tunnel is up.  I have very limited knowledge about this; still learning the basics for CCNA certification.    The weird thing is when I swap out the ASA-5505 with my home Netgear router (at home), I don't have any problem accessing the inside network at the temple.  Therefore, my assumption is something is wrong on my ASA-5505 config at home (the config is pasted in the initial post).  Please advise.

Again, thank you so much for your help.
