1131 Views | 0 Helpful | 8 Replies

ASA 5505 Remote Access VPN

bennettg
Level 1

Please help... went through the VPN wizard. Can establish a connection but can't access anything on the inside interface. Is there an access list rule that is missing or a sysopt connection statement that is needed?

I've attached the current config.

Thank You

8 Replies

Jon Marshall
Hall of Fame

Hi

Try adding this to your config

"crypto isakmp nat-traversal"

HTH

Jon

Thanks John,

I added crypto isakmp nat-traversal to the config. It still is not working correctly. Since adding this statement, when I ping the "inside" interface 192.168.20.2, I get icmp replies from the "outside" interface.

Hi,

You need to use an access-list to bypass NAT:

use nat 0 with an access-list.

I'm sending you a sample config as per your network.

Back up your current config,

remove your VPN config,

and use this just as a template.

.......................................

access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
group-policy test internal
group-policy test attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
sysopt connection permit-ipsec
username test password cisco encrypted privilege 0
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpnpool1
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key cisco#123

.......................................

Let me know if it works.

Please don't forget to rate this post if it works.

Regards,

Hi Schakra,

I modified the configuration per your instructions but still can't access anything on the inside interface. Split tunnel works as I can access the Internet when connected. But still have no access to anything on the "inside" interface.

Attached is the new configuration.

Thank You

Where is this command?

sysopt connection permit-ipsec

If it does not work,

also try removing

nat (inside) 1 0.0.0.0 0.0.0.0

Are you trying to access networks other than 192.168.20.0? Then you may need to explicitly allow them.

Regards,

I've entered both of the following commands and neither shows in the config:

sysopt connection permit-ipsec

sysopt connection permit-vpn

I also tried removing

nat (inside) 1 0.0.0.0 0.0.0.0

Still no luck in accessing the 192.168.20.0/24 subnet on the inside interface.

I have the same problem entering the command sysopt connection permit-ipsec.

If you enter "permit-ipsec ?", permit-ipsec is not an option.

I'm trying to do a spoke-to-spoke VPN solution, and without "connection permit-ipsec" on my spoke ASA 5505s, packets are rejected.

The sysopt connection permit-ipsec command is not displayed in the output of the show running-config sysopt command on ASA version 7.x,

but it is displayed on PIX version 7.x. ASA only displays sysopt connection permit-vpn.

On PIX version 7.x the sysopt connection permit-ipsec command, and on ASA version 7.x the sysopt connection permit-vpn command, resolves the one-way traffic issue.

Sourav
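Added example (not part of the thread and not Cisco's code): a small Python lint that checks a saved ASA 7.x/8.0-style running-config for the three things this thread converges on: the ACL-based NAT exemption ("nat (inside) 0 access-list") covering inside-subnet to VPN-pool traffic, a tunnel-group that references a defined "ip local pool", and the platform-correct sysopt keyword (permit-vpn on ASA, permit-ipsec on PIX 7.x). The two config strings are constructed for this example; the parser only understands the simple "extended permit ip <net> <mask> <net> <mask>" ACL form used in the template above.

```python
"""Lint an ASA/PIX 7.x-style remote-access IPsec VPN config for the
NAT-exemption and sysopt problems discussed in the thread.
Added example; the sample configs below are constructed, not real devices."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_REF_RE = re.compile(r"^address-pool (\S+)$")

# Constructed sample: the working shape of the template posted in the thread.
GOOD_CONFIG = """\
access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-vpn
tunnel-group test general-attributes
 address-pool vpnpool1
"""

# Constructed sample: PIX spelling of sysopt and no NAT exemption at all.
BAD_CONFIG = """\
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
tunnel-group test general-attributes
 address-pool vpnpool1
"""


def _stripped_lines(config):
    """Config lines with indentation and blank lines removed."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'permit ip' entries."""
    acls = {}
    for line in _stripped_lines(config):
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            ))
    return acls


def parse_pools(config):
    """Map pool name -> (first_ip, last_ip)."""
    pools = {}
    for line in _stripped_lines(config):
        m = POOL_RE.match(line)
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def nat_exemption_acl(config, interface="inside"):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list', or None."""
    for line in _stripped_lines(config):
        m = NAT0_RE.match(line)
        if m and m.group(1) == interface:
            return m.group(2)
    return None


def check_remote_access_vpn(config, inside_subnet, platform="asa"):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    inside = ipaddress.ip_network(inside_subnet)
    lines = set(_stripped_lines(config))

    # 1. sysopt: ASA accepts only permit-vpn; PIX 7.x uses permit-ipsec.
    wanted = "permit-vpn" if platform == "asa" else "permit-ipsec"
    if f"sysopt connection {wanted}" not in lines:
        findings.append(f"missing 'sysopt connection {wanted}': decrypted VPN "
                        "traffic is subject to the interface ACL")
    if platform == "asa" and "sysopt connection permit-ipsec" in lines:
        findings.append("'sysopt connection permit-ipsec' is the PIX 7.x form; "
                        "ASA uses permit-vpn")

    # 2. The tunnel-group must reference a pool that is actually defined.
    pools = parse_pools(config)
    pool_name = None
    for line in lines:
        m = POOL_REF_RE.match(line)
        if m:
            pool_name = m.group(1)
    if pool_name not in pools:
        findings.append("tunnel-group does not reference a defined 'ip local pool'")
        return findings
    first, last = pools[pool_name]

    # 3. NAT exemption: without nat 0, return traffic to the pool is translated
    #    by 'nat (inside) 1 0.0.0.0 0.0.0.0' and never reaches the client.
    acl_name = nat_exemption_acl(config)
    if acl_name is None:
        findings.append("no 'nat (inside) 0 access-list' exemption for inside -> VPN pool")
        return findings
    entries = parse_acls(config).get(acl_name, [])
    covered = any(inside.subnet_of(src) and first in dst and last in dst
                  for src, dst in entries)
    if not covered:
        findings.append(f"ACL {acl_name} does not permit {inside} -> {first}-{last}")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access_vpn(BAD_CONFIG, "192.168.20.0/24"):
        print("FINDING:", finding)
```

Run it against the text of "show running-config" with the real inside subnet; an empty result means the config has the shape the thread ended up with, and each finding names the specific line that is missing or mis-spelled for the platform.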
