Showing results for 
Search instead for 
Did you mean: 

ASA 8.2 ipsec-ra cisco vpnclient tunnel established, traffic won't pass

please disregard being used as our internal private network

phase 1 and 2 - no problems

vpnclient gets correct ip from pool and dns/etc

traffic will not pass through tunnel.

debug icmp shows something like this when i ping from vpnclient thru asa to lan

ICMP echo request from outside: to inside: ID=768 seq=2048 len=32

vpnclient statistics shows packets sent incrementing, but packets received won't increment.

vpnclient is 5.x

I have sysopt connection permit-vpn enabled even though show run sysopt doesn't display anything

Thanks in advance!!!!


ASA Version 8.2(1)


hostname ciscoasa

enable password P8mtLTam1zoMz9X6 encrypted

passwd P8mtLTam1zoMz9X6 encrypted



interface Ethernet0/0

nameif inside

security-level 100

ip address


interface Ethernet0/1

nameif outside

security-level 0

ip address a.b.66.14


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0


nameif management

security-level 100

ip address



boot system disk0:/asa821-k8.bin

ftp mode passive

access-list inside_nat0_outbound extended permit ip

access-list outside_access_in extended permit tcp any any eq ssh

access-list vpnclient-splittunnel standard permit

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool vpnclient-pool mask

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

route outside a.b.66.13 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http management

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map vpnclient_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic vpnclient_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet inside

telnet timeout 5

ssh inside

ssh outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


group-policy vpnclient-policy internal

group-policy vpnclient-policy attributes

dns-server value

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient-splittunnel

username dlindsey password 7U2c32fEqsZtcCv0 encrypted privilege 15

tunnel-group driveline type remote-access

tunnel-group driveline general-attributes

address-pool vpnclient-pool

default-group-policy vpnclient-policy

tunnel-group driveline ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp


service-policy global_policy global

prompt hostname context


: end

Jennifer Halim
Cisco Employee

A couple of things to add:

policy-map global_policy

   class inspection_default

     inspect icmp

management-access inside

Then from the VPN Client, try to see if you can ping the ASA inside interface (

If you can, then that's good.

You would need to check the host that you are trying to ping to see if the default gateway is the ASA inside interface ( and also there is no personal firewall, etc on the host that might be preventing inbound access.


I have a similar problem.  I have 1 user able to log in to the ipsec-ra VPN using the cisco VPN client and access the servers, but another user is not able to access the servers.  Did you manage to solve the problem ? If yes, what did you do ?

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad