02-02-2011 07:28 AM
VPN 5520 can establish vpn session but cannot access anything on internal network. Suggestions?
02-02-2011 08:19 AM
Hi Leo,
What kind of vpn tunnel is it?
Do you have your interesting traffic defined in the crypto ACL and NAT exempted?
Regards,
Anisha
- do rate helpful posts
02-02-2011 08:23 AM
IPsec tunnel. What specific commands are you referring to?
02-02-2011 08:26 AM
To troubleshoot a generic problem like this, I'd recommend the following troubleshooting steps:
--Check your syslogs on the ASA:
logging buffered debugging
logging buffer size 1000000
logging enable
show logg | include
--Check your nat settings. Do you have nat exemption for the VPN ip pool?
access-list nonat permit ip
nat (inside) 0 access-list nonat
If you are using 8.3, you'll need to handle NAT for the VPN differently. See this link:
https://supportforums.cisco.com/docs/DOC-11639
--Check to see if you have an access-group blocking traffic:
show run | include access-group
show access-list
Are you permitting traffic sourced/destined to the VPN pool?
--Set up a continuous ping to an inside host that you should be able to reach and set up a packet capture on your inside interface:
access-list cap permit ip host
access-list cap permit ip host
cap cap access-list cap interface inside
--Set up a packet capture to see if the ASA is dropping any packets:
cap asp type asp-drop all
show cap asp | include
--Set up a packet-tracer to see how the ASA processes this packet:
packet-tracer input inside icmp
Hope this helps you identify the problem. Please remember to rate all posts that help you answer the problem and mark the question as resolved if your problem is addressed.
-heather
02-02-2011 08:29 AM
A few additional troubleshooting steps:
--Also check which tunnel-group and group-policy you come in on:
show vpn-sessiondb [svc, remote, webvpn]
svc=anyconnect
remote=ipsec
webvpn=clientless
--Check that group-policy to make sure your split tunnel-list includes the network you are trying to reach:
show run group-policy
You may see:
group-policy
split-tunnel-policy tunnelspecified
split-tunnel-network value
02-02-2011 08:34 AM
I may have misled you about the problem. What is happening is that if a user VPNs in from home they can establish a VPN connection but cannot do anything on the network at work. Sorry about the misunderstanding. As a policy we do not allow split tunneling.
02-02-2011 08:53 AM
The troubleshooting steps I provided still apply to your situation. Give them a shot.
Also, again, remember to rate posts if they help you.
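A worked configuration tying together the pieces the replies above point at (NAT exemption for the VPN pool on both pre-8.3 and 8.3+ code, a full-tunnel group policy since the poster does not allow split tunneling, and the capture/packet-tracer checks), added here as an example and not taken from any post in the thread. The 10.1.0.0/16 inside network, the 192.168.50.0/24 pool, the two host addresses and the object/policy/tunnel-group names are assumed.

```cisco
! Example only (not from the thread). Assumed addressing:
!   inside network 10.1.0.0/16, inside test host 10.1.1.20
!   VPN pool 192.168.50.0/24, VPN client 192.168.50.10
ip local pool VPN_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Full-tunnel policy (no split tunneling, as the poster's policy requires):
! every client packet, not just a split list, is sent through the tunnel
group-policy RA_FULL internal
group-policy RA_FULL attributes
 split-tunnel-policy tunnelall
!
tunnel-group RA_IPSEC type remote-access
tunnel-group RA_IPSEC general-attributes
 address-pool VPN_POOL
 default-group-policy RA_FULL
!
! NAT exemption, ASA 8.2 and earlier: inside <-> pool traffic must not be translated
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! NAT exemption, ASA 8.3 and later: identity twice-NAT with objects replaces nat 0
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network VPN_POOL_NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET
!
! Let decrypted VPN traffic bypass the outside interface access-group
sysopt connection permit-vpn
!
! Troubleshooting: capture both directions on inside while the client pings 10.1.1.20
access-list cap extended permit ip host 192.168.50.10 host 10.1.1.20
access-list cap extended permit ip host 10.1.1.20 host 192.168.50.10
capture cap access-list cap interface inside
capture asp type asp-drop all
! Return-path check: an ICMP echo from the inside host toward the VPN client
packet-tracer input inside icmp 10.1.1.20 8 0 192.168.50.10
! Inspect results: an empty "cap" with hits in "asp" points at a NAT or ACL drop
show capture cap
show capture asp | include 192.168.50.10
```

Only one of the two NAT exemption blocks applies, depending on the ASA version; apply the pre-8.3 or the 8.3+ form, not both.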