
Client VPN gets connected but can't ping LAN's server

CISCO ASA 5520 -K9

ASA Version 8.4(4)1


hostname LExfielawASA5520


interface GigabitEthernet0/0

nameif outside

security-level 0

ip address a.b.c.d


interface GigabitEthernet0/1

nameif inside

security-level 100

ip address


interface GigabitEthernet0/2


no nameif

no security-level

no ip address


interface GigabitEthernet0/3


no nameif

no security-level

no ip address


interface Management0/0


no nameif

no security-level

no ip address


ftp mode passive

dns server-group DefaultDNS


same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network inside-network


object network vpn1-address


object network vpn2-address


object-group network vpn

network-object object vpn1-address

network-object object vpn2-address

access-list 50 standard permit any

access-list 60 extended permit icmp any any

access-list 60 extended permit ip any any

access-list 60 extended permit tcp any any

access-list 60 extended permit udp any any

access-list split-tunnel extended permit ip

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool vpn-pool mask

ip local pool vpn-pool-yuangong mask

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static inside-network inside-network destination static vpn vpn

nat (inside,outside) source dynamic inside-network interface

access-group 60 in interface outside

route outside x.x.x.x 1

route inside 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set test esp-aes esp-sha-hmac

crypto dynamic-map dyn1 10 set ikev1 transform-set test

crypto dynamic-map dyn1 10 set reverse-route

crypto map crymap 10 ipsec-isakmp dynamic dyn1

crypto map crymap interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

crypto isakmp reload-wait

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

console timeout 0

dhcpd auto_config inside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1


group-policy clientvpn1 internal

group-policy clientvpn1 attributes

dns-server value

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

username aaa password iEykhCQ1TmA9FWQG encrypted

tunnel-group test type remote-access

tunnel-group test general-attributes

address-pool vpn-pool-yuangong

default-group-policy clientvpn1

tunnel-group test ipsec-attributes

ikev1 pre-shared-key *****


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp


prompt hostname context

call-home reporting anonymous


profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily


: end

cisco client vpn 5.007.0440-k9 +win7 X64

The client can connect to the ASA server and gets an IP address (172.168.31.X), but can't ping the ASA inside interface IP address and other servers in the LAN.

Could you do me a favor and fix this issue? Please tell me what is wrong, thanks!




Can you try the following changes to your configuration and try again?

Make new Split Tunnel ACL

access-list split-tunnel-acl standard permit

Remove the old Split Tunnel ACL and add new one under the "group-policy"

group-policy clientvpn1 attributes

no split-tunnel-network-list value split-tunnel

split-tunnel-network-list value split-tunnel-acl

Add ICMP Inspection on the ASA

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni
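
An added example, not part of the original posts and not Cisco tooling: a small Python check that reads an ASA running-config and reports the items the reply above touches (which ACL the group-policy uses for split tunneling and whether it is standard or extended, and whether `inspect icmp` is present), plus the `permit ip any any` rule bound inbound on the outside interface in the posted config. The sample config and its 192.0.2.0 addresses are constructed placeholders; `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in the shape of the posted config; addresses are placeholders.
SAMPLE = """\
access-list 60 extended permit icmp any any
access-list 60 extended permit ip any any
access-list split-tunnel extended permit ip 192.0.2.0 255.255.255.0 any
access-group 60 in interface outside
group-policy clientvpn1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

def audit(config):
    """Return a list of findings for an ASA running-config given as text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {}  # ACL name -> list of (type, rule text)
    for l in lines:
        m = re.match(r"access-list (\S+) (standard|extended) (.+)", l)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for l in lines:
        # 1. The split-tunnel list named in a group-policy must exist; note its type.
        m = re.match(r"split-tunnel-network-list value (\S+)", l)
        if m:
            name = m.group(1)
            if name not in acls:
                findings.append(f"split-tunnel ACL {name} is not defined")
            elif any(t == "extended" for t, _ in acls[name]):
                findings.append(f"split-tunnel ACL {name} is extended; the reply proposes a standard one")
        # 2. Any ACL applied inbound on an interface that permits all IP traffic.
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m and any(r == "permit ip any any" for _, r in acls.get(m.group(1), [])):
            findings.append(f"ACL {m.group(1)} on {m.group(2)} permits ip any any")
    # 3. ICMP inspection present anywhere in the config.
    if "inspect icmp" not in lines:
        findings.append("inspect icmp is not configured")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
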



Hi, my friend,

I tried it and it still doesn't work. I think the new ACL is the same as the old one.

Who can help me fix it?