
VPN users can not communicate with the internal network

Hi all,

I have two ASA 5515 configured in failover (active / standby).

I used the ASDM wizard to create connections through ipsec cisco client.

Currently users are able to connect but cannot ping anywhere inside the network.

The ping request is received from the internal client, but the internal client cannot communicate with the remote user.

The ping also fails directly from the ASA.

When the remote client is connected an entry is added to the routing table:

S 255.255.255.255 [1/0] via <ip of the ISP>, WAN

as if that IP was reachable directly from the Internet.

I tried changing the NAT settings, but there is no way I can make them communicate.

The ultimate goal would be to create different users with different access permissions to the LAN and the other subnets in the company.

Thanks in advance for your answer

Chris Izatt

How is the NAT configured? Sounds like it is confused on what IP it should be sending that to. Also, can you give us more config info.

This is my situation:

3 interfaces connected

- WAN (public IP)

- LAN (

- Remote LAN devices connect via wireless (,, etc.)

Here is an extract from the command sh run:

interface GigabitEthernet0/0
 nameif Internal
 security-level 100
 ip address standby

interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address

interface GigabitEthernet0/2
 nameif Radio
 security-level 50
 ip address

object network NETWORK_OBJ_10.10.10.128_28

access-list VPN-MY_splitTunnelAcl standard permit
ip local pool Pool-VPN-MY mask
nat (Internal,WAN-Infostrada) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp

group-policy VPN-MY internal
group-policy VPN-MY attributes
 dns-server value
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-MY_splitTunnelAcl

username password encrypted privilege 0
username attributes
 vpn-group-policy VPN-MY

tunnel-group VPN-MY type remote-access
tunnel-group VPN-MY general-attributes
 address-pool Pool-VPN-MY
 default-group-policy VPN-MY
tunnel-group VPN-MY ipsec-attributes
 ikev1 pre-shared-key *****

The ultimate goal would be that a user connected to VPN-MY can communicate with the LAN and the Remote LAN.

Then create another tunnel in which users can access only some of the remote LANs (maybe this is possible via ACL).
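The per-client host route the post mentions (a /32 for the client's pool address pointing out the WAN interface) is what an ASA installs for every connected remote-access client; it is not itself the fault. What decides whether pool traffic reaches the inside networks is the NAT exemption for the pool on each inside interface, the route-lookup keyword on that identity NAT, and the split-tunnel list. The script below is an added example, not code from the thread or from Cisco: it parses a constructed "show run" extract modelled on the posted one (object, pool and ACL names are the thread's; the addresses are documentation ranges chosen here because the post had them stripped, and the interface with security-level 0 is assumed to be the VPN-terminating one) and reports those four problems, then shows the corrected extract producing none.

```python
"""Lint an ASA 'show run' extract for VPN-pool reachability mistakes: a NAT rule
naming a nonexistent interface, identity NAT without route-lookup, an inside
interface with no exemption, and a split-tunnel ACL missing an inside network."""
import ipaddress
import re

# Constructed sample extract (addresses are documentation ranges, not the post's).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Internal
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/2
 nameif Radio
 security-level 50
 ip address 203.0.113.1 255.255.255.0
object network NETWORK_OBJ_10.10.10.128_28
 subnet 10.10.10.128 255.255.255.240
access-list VPN-MY_splitTunnelAcl standard permit 192.0.2.0 255.255.255.0
ip local pool Pool-VPN-MY 10.10.10.129-10.10.10.142 mask 255.255.255.240
nat (Internal,WAN-Infostrada) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp
"""

# The same extract with the four problems corrected, for comparison.
FIXED_CONFIG = SAMPLE_CONFIG.replace("WAN-Infostrada", "WAN").replace(
    "no-proxy-arp", "no-proxy-arp route-lookup") + """\
nat (Radio,WAN) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp route-lookup
access-list VPN-MY_splitTunnelAcl standard permit 203.0.113.0 255.255.255.0
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def parse_config(text):
    """Collect interfaces, network objects, pools, standard ACLs and twice-NAT rules."""
    cfg = {"interfaces": [], "objects": {}, "pools": {}, "acls": {}, "nats": []}
    block = None  # interface or object sub-block that indented lines belong to
    for line in (raw.strip() for raw in text.splitlines()):
        parts = line.split()
        if not parts:
            continue
        in_if = block is not None and "name" in block
        if line.startswith("interface "):
            block = {"name": parts[1]}
            cfg["interfaces"].append(block)
        elif line.startswith("object network "):
            block = {"object": parts[2]}
        elif in_if and parts[0] == "nameif":
            block["nameif"] = parts[1]
        elif in_if and parts[0] == "security-level":
            block["level"] = int(parts[1])
        elif in_if and parts[:2] == ["ip", "address"]:
            block["net"] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif block is not None and "object" in block and parts[0] == "subnet":
            cfg["objects"][block["object"]] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif line.startswith("ip local pool "):
            m = POOL_RE.match(line)
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif line.startswith("access-list ") and parts[2:4] == ["standard", "permit"]:
            cfg["acls"].setdefault(parts[1], []).append(
                ipaddress.ip_network(f"{parts[4]}/{parts[5]}"))
        elif line.startswith("nat ("):
            m = NAT_RE.match(line)
            if m:
                cfg["nats"].append({"real_if": m.group(1), "mapped_if": m.group(2),
                                    "dst_real": m.group(5), "dst_mapped": m.group(6),
                                    "opts": m.group(7).split()})
    return cfg


def check_vpn_pool(cfg, pool_name, split_acl):
    """Return findings that would keep clients from pool_name off the inside networks."""
    findings = []
    first, last = cfg["pools"][pool_name]
    ifs = {i["nameif"]: i for i in cfg["interfaces"] if "nameif" in i}
    # Assumption: security-level 0 is the VPN-terminating interface; the rest are inside.
    inside = [n for n, i in ifs.items() if i.get("level", 0) != 0]
    exempted = set()
    for nat in cfg["nats"]:
        for name in (nat["real_if"], nat["mapped_if"]):
            if name not in ifs:
                findings.append(f"NAT rule names interface '{name}', which has no nameif")
        obj = cfg["objects"].get(nat["dst_real"])
        if obj is None or nat["dst_real"] != nat["dst_mapped"]:
            continue  # not an identity (exemption) rule on a known object
        if first in obj and last in obj:  # the exemption covers the whole pool
            if "route-lookup" not in nat["opts"]:
                findings.append(f"exemption on ({nat['real_if']},{nat['mapped_if']}) lacks route-lookup")
            exempted.add(nat["real_if"])
    for name in inside:
        if name not in exempted:
            findings.append(f"interface '{name}' has no NAT exemption for pool {pool_name}")
        net = ifs[name].get("net")
        if net and not any(net.subnet_of(a) for a in cfg["acls"].get(split_acl, [])):
            findings.append(f"split-tunnel ACL {split_acl} does not include {net} ({name})")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check_vpn_pool(parse_config(text), "Pool-VPN-MY", "VPN-MY_splitTunnelAcl")
        print(f"{label}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run against the constructed extract it reports four findings: the NAT rule names WAN-Infostrada although the nameif is WAN, the identity NAT lacks route-lookup, the Radio interface has no exemption for the pool, and the split-tunnel ACL omits the Radio subnet; the corrected extract reports none. The "different users, different subnets" goal from the last post maps onto the same pieces: one group-policy per user class, each with its own split-tunnel ACL and a vpn-filter ACL, and exemptions only for the interfaces that class may reach.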