
VPN IPsec client to ASA 5505

Hi everybody,

I've configured the IPsec VPN with the wizard, but my IP address assigned by the pool does not reach the LAN network.

lan network: /24

pool network: /24

any idea?


Best regards


I wouldn't use it, if you don't own it.

Please post config.



I think on the client you need to add routes, since you are using a pool that isn't part of the LAN.

Also, is not a private address.



Hi, I changed the configuration and the pool is now part of the network, but my remote user, authenticated in the VPN, doesn't talk with the other devices in the LAN network.

ASA Version 8.4(2)
!
hostname ciscoasa
enable password DsjsJeE3SH4dWdaR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
ftp mode passive
object network obj_any
object network server_ip
object service tcp_80
 service tcp destination eq www
object service tcp_5632
 service tcp destination eq 5632
object service tcp_3389
 service tcp destination eq 3389
 description remote_desktop
object service tcp_443
 service tcp destination eq https
 description https
object network ip_outside
object network ip_inside
object network NETWORK_OBJ_192.168.0.0_24
object network NETWORK_OBJ_192.168.0.128_27
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq 5632
access-list outside_access_in extended permit object tcp_3389 any host
access-list sts_internal_splitTunnelAcl standard permit
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool pool_internal mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80 unidirectional
nat (outside,inside) source static any any destination static interface server_ip service tcp_5632 tcp_5632 unidirectional
nat (outside,inside) source static any any destination static interface server_ip service tcp_3389 tcp_3389 unidirectional
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_27 NETWORK_OBJ_192.168.0.128_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
group-policy sts_internal internal
group-policy sts_internal attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sts_internal_splitTunnelAcl
username xxxxxx password yyyyyyyyyy encrypted privilege 0
username xxxxxx attributes
 vpn-group-policy sts_internal
tunnel-group sts_internal type remote-access
tunnel-group sts_internal general-attributes
 address-pool pool_internal
 default-group-policy sts_internal
tunnel-group sts_internal ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
: end



Use a different subnet for the VPN pool, like

Implement appropriate access lists to permit traffic between and

If needed, exempt NAT between and


Uhm, ok, test the configuration.

I've another problem:

When I connect to the VPN and authenticate with the ASA and it assigns the address, I cannot browse from my PC!

My PC loses the gateway and all traffic is routed over the VPN!

How can I split the traffic? One part for the VPN and one to the internet, not encrypted?

Thanks, and sorry for my English.

To begin with, make the changes I suggested.

Which VPN client do you run? I would suggest running AnyConnect.


I use VPN client version

The connection works, the ASA assigns the address, then I must add the ACL, ok, but why can't I browse with my PC?

Must I add a route on my PC in Windows?



No, you should not need that. Have you changed the IP-pool?


Yes, I changed the pool and the ASA assigns the new address, but I've the same problem:

- doesn't talk with the LAN network

- my home PC doesn't browse after connecting to the VPN




The only thing that I can think of is that the ACL for split tunneling is not configured properly, hence the reason all traffic will go through the tunnel..

And I don't see the NAT exempt, although I am not using newer code, but it looks like you NAT your LAN to the /27 address here?



I've used the wizard to create the IPsec VPN and probably got something wrong,

though the wizard is so easy.

Have you some sample configuration?



The split-tunnel ACL looks ok and the group-policy also looks good.

Can you verify, when you connect with the VPN client, what permitted network it takes?

Is it or blank?

Usually I put the access-list as permit ip any, but yours is using a standard one, not sure if that's the issue here....

Maybe you can try changing the ACL to an extended one...
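Putting the three replies together (a pool that does not overlap the LAN, a NAT exemption for LAN-to-pool traffic, and an extended split-tunnel ACL), here is an added example in ASA 8.4 syntax; it is not from the thread or the poster's box. It keeps the LAN 192.168.0.0/24 and the object and group names from the posted config, and assumes a constructed pool 192.168.10.0/24 with a constructed object name VPN_POOL_24.

```cisco
! Added example, not the poster's config. LAN 192.168.0.0/24 and the names
! pool_internal / sts_internal come from the thread; the pool 192.168.10.0/24
! and the object VPN_POOL_24 are constructed values (any unused RFC1918 range).
!
! 1. Pool outside the LAN: the ASA reaches clients by routing instead of
!    having to answer ARP for them on Vlan1, which the overlapping /27 needed.
ip local pool pool_internal 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network VPN_POOL_24
 subnet 192.168.10.0 255.255.255.0
!
! 2. NAT exemption as identity twice-NAT (section 1, evaluated before the
!    object-NAT PAT rule): LAN <-> pool traffic keeps its real addresses.
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static VPN_POOL_24 VPN_POOL_24 no-proxy-arp route-lookup
!
! 3. Split tunnelling with an extended ACL: only the LAN goes into the tunnel;
!    everything else keeps using the client's own default gateway, unencrypted.
access-list sts_internal_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
group-policy sts_internal attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sts_internal_splitTunnelAcl
!
! 4. Decrypted VPN traffic bypasses the outside interface ACL (the default,
!    stated explicitly so outside_access_in need not list VPN sources).
sysopt connection permit-vpn
!
! 5. Checks after the client reconnects: the session should show a
!    192.168.10.x address, the identity rule should count translate_hits, and
!    packet-tracer should end in the ENCRYPT phase with ALLOW.
show vpn-sessiondb remote
show nat detail
packet-tracer input inside tcp 192.168.0.10 12345 192.168.10.5 3389
```

Once the pool is moved, the wizard's old identity rule to NETWORK_OBJ_192.168.0.128_27 can be removed. The posted transform-set list and pfs group1 still offer DES, 3DES and MD5; trimming it to the AES/SHA sets with group 2 or higher does not affect the split-tunnel fix.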


