VPN on 5520

Leo Bruni
Level 1

VPN 5520 can establish vpn session but cannot access anything on internal network. Suggestions?

6 Replies

andamani
Cisco Employee

Hi Leo,

What kind of vpn tunnel is it?

Do you have your interesting traffic defined in the crypto ACL and nat exempted??

Regards,

Anisha

- do rate helpful posts

IPsec tunnel. What specific commands are you referring to?

hdashnau
Cisco Employee

To troubleshoot a generic problem like this, I'd recommend the following troubleshooting steps:

--Check your syslogs on the ASA:

logging buffered debugging

logging buffer-size 1000000

logging enable

show logg | include

--Check your nat settings. Do you have nat exemption for the VPN ip pool?

access-list nonat permit ip

nat (inside) 0 access-list nonat

If you are using 8.3, you'll need to handle NAT for the VPN differently. See this link:

https://supportforums.cisco.com/docs/DOC-11639

--Check to see if you have an access-group blocking traffic:

show run | include access-group

show access-list

Are you permitting traffic sourced/destined to the VPN pool?

--Setup a continuous ping to an inside host that you should be able to reach and setup a packet capture on your inside interface:

access-list cap permit ip host host

access-list cap permit ip host host

cap cap access-list cap interface inside

--Setup a packet capture to see if the asa is dropping any packets:

cap asp type asp-drop all

show cap asp | include

--Setup a packet-tracer to see how the ASA processes this packet

packet-tracer input inside icmp 8 0 detailed

Hope this helps you identify the problem. Please remember to rate all posts that help you answer the problem and mark the question as resolved if your problem is addressed.

-heather

A few additional troubleshooting steps:

--Also check which tunnel-group and group-policy you come in on:

show vpn-sessiondb [svc, remote, webvpn]

svc=anyconnect

remote=ipsec

webvpn=clientless

--Check that group-policy to make sure your split tunnel-list includes the network you are trying to reach:

show run group-policy

You may see:

group-policy attributes

   split-tunnel-policy tunnelspecified

   split-tunnel-network value <---Make sure this ACL permits your inside network
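The checks above, worked through as an added example (not part of heather's post) with constructed addresses: VPN pool 10.10.10.0/24, inside LAN 192.168.1.0/24, test host 192.168.1.20, connected client 10.10.10.5. Object and ACL names are assumptions; the 8.3+ NAT syntax is shown beside the pre-8.3 form.

```cisco
! --- Syslog: buffer debug-level messages, then filter for the client address
logging buffered debugging
logging buffer-size 1000000
logging enable
show logging | include 10.10.10.5

! --- NAT exemption, pre-8.3 syntax: inside LAN <-> VPN pool must not be translated
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- NAT exemption, 8.3 and later: identity (twice) NAT between the same two nets
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL

! --- Interface ACLs: confirm what is applied and whether VPN traffic bypasses them
show run access-group
show access-list
show run all sysopt
! "sysopt connection permit-vpn" (default) lets decrypted VPN traffic skip the
! outside interface ACL; if it has been disabled, the outside ACL must permit the pool.

! --- Full tunnel (no split tunneling, as required by the policy in this thread)
group-policy VPN-GP attributes
 split-tunnel-policy tunnelall

! --- Capture both directions on the inside interface while the client pings 192.168.1.20
access-list cap extended permit ip host 10.10.10.5 host 192.168.1.20
access-list cap extended permit ip host 192.168.1.20 host 10.10.10.5
capture cap access-list cap interface inside
show capture cap
! Echo requests present but no replies: look at the inside host (gateway, host firewall).
! Nothing at all: the ASA never forwarded the packet; check the drop capture next.

! --- Accelerated security path drops for the client address
capture asp type asp-drop all
show capture asp | include 10.10.10.5

! --- Trace the return path: inside host replying to the VPN client
packet-tracer input inside icmp 192.168.1.20 0 0 10.10.10.5 detailed

! --- Confirm the session landed on the expected tunnel-group / group-policy
show vpn-sessiondb remote
```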

I may have misled you about the problem. What is happening is that if a user VPNs in from home they can establish a VPN connection but can not do anything on the network at work. Sorry about the misunderstanding. As a policy we do not allow split tunneling.

The troubleshooting steps I provided still apply to your situation. Give them a shot.

Also, again, remember to rate posts if they help you.
