VPN users cannot access all resources

The user is able to connect and gets assigned an IP; we can see them connected
via ASDM, but they can't access anything in our network.


Check the following:

When you try to send traffic, check the output of "sh cry ips sa" to make sure packets are being encrypted and decrypted (both counters should increase).

If they aren't...

It may be that NAT-T is not configured.

Check the configuration of:

crypto isakmp nat-traversal

sh run all sysopt --> should show "sysopt connection permit-vpn"


Add the command

management-access inside

and try to ping the ASA inside interface IP address from the VPN client.

We will take it from there...


Tags: Cisco Security

Similar Questions

  • AnyConnect VPN users cannot access remote subnets?

    I googled this until I was blue in the face without result.  I don't understand why Cisco makes this so difficult.  When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4


    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that carries traffic for the VPN pool to it, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and on anything in between) telling the remote site how to reach the VPN pool network.

    In addition to routing, you must have NAT0 configured between each remote site and the VPN pool.

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a simple VPN pool might look like this:

    object-group network REMOTE-SITES
     network-object <remote-site-1> <mask>
     network-object <remote-site-2> <mask>
     network-object <remote-site-3> <mask>
     network-object <remote-site-4> <mask>

    object network VPN-POOL
     subnet <vpn-pool-network> <mask>

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (behind some network, e.g. MPLS), and naturally the remote site networks are made up for the sake of the example.

    Since you are using a Full Tunnel VPN, there should be no problem with the VPN user forwarding traffic to this ASA.

    My first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding how to reach the VPN pool, not the ASA's own network IP address).

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?


  • VPN users cannot access Tunnel

    Hi all

    I have a problem. I have two sites, both with an ASA 5520, and they are connected via a site-to-site VPN.

    It works very well: all users in site A can access resources in site B and vice versa.

    The problem comes when a user connects to the remote-user VPN at site A: they cannot access or even ping anything in site B, even though the FW delivers them an IP address in the range for the site.

    I'm sure there is something simple that I missed.

    Thank you

    If the VPN client pool is in the same subnet as the site A LAN, then you are probably missing just the following:

    (1) check that you have a split tunnel policy configured, and that the site-B LAN is included in the split tunnel ACL.

    (2) configure 'same-security-traffic permit intra-interface' on the site A ASA.

    If the above has already been configured, please share the configuration of the two ASAs so we can check further where the issue is.
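The NAT0 and split-tunnel checks described in the two answers above (NAT exemption between the VPN pool and each remote subnet; the remote LAN appearing in the split tunnel ACL), as an added Python example that is not code from the original posts or from Cisco: it parses a constructed ASA 8.3+ style configuration fragment and reports, for each remote-site host, whether a twice-NAT identity rule exempts pool-to-host traffic and whether the host falls inside the split-tunnel network list. All object names, ACL names and addresses in the sample are assumptions; the older 8.2 `nat (inside) 0 access-list` form is not handled.

```python
import ipaddress
from collections import defaultdict

# Constructed ASA 8.3+ style configuration fragment (not taken from any post on
# this page). Object names, ACL names and addresses are assumptions.
SAMPLE_CONFIG = """
ip local pool RA_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object-group network REMOTE-SITES
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
access-list SPLIT standard permit 10.10.0.0 255.255.255.0
access-list SPLIT standard permit 10.20.0.0 255.255.255.0
group-policy RA_GROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
"""


def _net(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Extract only the pieces that matter for remote-access reachability."""
    cfg = {"objects": defaultdict(list), "groups": defaultdict(list), "pools": {},
           "acls": defaultdict(list), "nat_exempt": [],
           "split_policy": "tunnelall", "split_acl": None}
    ctx = None  # (kind, name) of the indented block we are inside
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if line.startswith(" ") and ctx:
            kind, name = ctx
            if kind == "object" and w[0] == "subnet":
                cfg["objects"][name].append(_net(w[1], w[2]))
            elif kind == "object" and w[0] == "host":
                cfg["objects"][name].append(_net(w[1]))
            elif kind == "group" and w[:2] == ["network-object", "object"]:
                cfg["groups"][name].append(("ref", w[2]))      # resolved later
            elif kind == "group" and w[:2] == ["network-object", "host"]:
                cfg["groups"][name].append(_net(w[2]))
            elif kind == "group" and w[0] == "network-object":
                cfg["groups"][name].append(_net(w[1], w[2]))
            elif kind == "gp" and w[0] == "split-tunnel-policy":
                cfg["split_policy"] = w[1]
            elif kind == "gp" and w[:2] == ["split-tunnel-network-list", "value"]:
                cfg["split_acl"] = w[2]
            continue
        ctx = None
        if w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif w[:2] == ["object-group", "network"]:
            ctx = ("group", w[2])
        elif w[0] == "group-policy" and w[-1] == "attributes":
            ctx = ("gp", w[1])
        elif w[:3] == ["ip", "local", "pool"]:
            # Approximate the pool by the network of its first address and mask.
            cfg["pools"][w[3]] = _net(w[4].split("-")[0], w[w.index("mask") + 1])
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            cfg["acls"][w[1]].append(_net(w[4], w[5]))
        elif w[0] == "nat" and "source" in w and "destination" in w:
            # Twice-NAT identity rule: ... source static A A destination static B B
            s, d = w.index("source"), w.index("destination")
            if w[s + 1] == w[d + 1] == "static" and w[s + 2] == w[s + 3] and w[d + 2] == w[d + 3]:
                cfg["nat_exempt"].append((w[s + 2], w[d + 2]))
    return cfg


def resolve(cfg, name):
    """Expand an object, object-group or pool name into a list of networks."""
    if name in cfg["objects"]:
        return list(cfg["objects"][name])
    if name in cfg["groups"]:
        nets = []
        for item in cfg["groups"][name]:
            nets += resolve(cfg, item[1]) if isinstance(item, tuple) else [item]
        return nets
    if name in cfg["pools"]:
        return [cfg["pools"][name]]
    return []


def check_targets(cfg, pool_name, targets):
    """For each target host: is it split-tunneled, and is pool<->target NAT-exempt?"""
    pool = cfg["pools"][pool_name]
    split = cfg["acls"].get(cfg["split_acl"], []) if cfg["split_acl"] else []
    results = {}
    for t in targets:
        ip = ipaddress.IPv4Address(t)
        tunneled = cfg["split_policy"] != "tunnelspecified" or any(ip in n for n in split)
        exempt = False
        for src, dst in cfg["nat_exempt"]:
            src_nets, dst_nets = resolve(cfg, src), resolve(cfg, dst)
            if (any(ip in n for n in src_nets) and any(pool.overlaps(n) for n in dst_nets)) or \
               (any(ip in n for n in dst_nets) and any(pool.overlaps(n) for n in src_nets)):
                exempt = True
                break
        results[t] = {"in_split_tunnel": tunneled, "nat_exempt": exempt}
    return results


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for host, r in check_targets(cfg, "RA_POOL", ["10.10.0.5", "10.20.0.5", "10.30.0.5"]).items():
        print(host, r)
```

In the sample, 10.10.0.5 is split-tunneled but has no NAT exemption (the first thread's symptom), 10.30.0.5 is exempted but missing from the split-tunnel list (the second thread's symptom), and only 10.20.0.5 passes both checks. Routing back from the remote site to the pool still has to be verified on the remote gateway, which a config dump of the ASA alone cannot show.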

  • Remote VPN users cannot access tunnel from site to site

    Cisco ASA5505.

    I have a site-to-site tunnel set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent way too much time just to get to this point.

    It works very well from within the office, but remote VPN users cannot access the site-to-site tunnel.  All other remote access looks very good.

    The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

    Any help or advice would be greatly appreciated.  It is probably super simple for someone who knows what they're doing to see the issue.

    Hi Paul.

    Looking at your configuration:

    Remote access:

    group-policy RA_GROUP internal
    group-policy RA_GROUP attributes
     dns-server value <...>
     vpn-tunnel-protocol IPSec
     split-tunnel-network-list value Split_Tunnel_List

    same-security-traffic permit intra-interface
    tunnel-group RA_GROUP type remote-access
    tunnel-group RA_GROUP general-attributes
     address-pool RA_VPN_POOL
     default-group-policy RA_GROUP
    tunnel-group RA_GROUP ipsec-attributes
     pre-shared-key *
    ip local pool RA_VPN_POOL <range> mask <mask>

    Site to site:

    crypto map outside_map 1 match address acl-amzn
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
    crypto map outside_map 1 set transform-set transform-amzn

    I recommend you use a local IP address pool on a different subnet than the one the inside interface uses. Right now you are missing the NAT exemption from the local IP pool to the site-to-site destination:

    access-list NAT_EXEMPT extended permit ip <vpn-pool> <mask> <remote-network> <mask>
    nat (outside) 0 access-list NAT_EXEMPT

    Now there is a NAT exemption allowing that traffic to go out without being translated.

    Let me know how it goes!

    Please don't forget to rate and mark the helpful posts as correct!

    Kind regards

    David Castro,
  • Win 7 VPN client cannot access remote resources beyond the VPN server

    I have a Win 7 work laptop with a customer's Win 7 VPN set up, and through it I can access all the allowed resources on the remote network.

    I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN successfully, but cannot access any of the resources on the remote network that I can from my laptop.

    Win 7 64-bit SP1

    I did research online and the suggestions were already applied in my new setup.  In addition, I have a second computer on which I've set up the VPN client, and I'm having the same problem.  The VPN connects successfully, but is unable to access the resources.

    Tested with the firewall off.

    Troubleshooting Diagnostics reports: your computer appears to be correctly configured, but the remote resource is not responding.

    I created another VPN connection on the new computer to another remote network and everything works perfectly.

    Remember, the VPN connection to the remote network that does not work on the new computer works perfectly on the Win 7 64-bit laptop.

    So what should I look for that is different between the "should be" identical configurations, where it works on the laptop and not on the two new machines?

    It must be something stupid.


    This question is better suited for a TechNet audience. I suggest you post the query to the Microsoft TechNet forum. See the link below to do so:

    Please let us know if you have more queries on Windows.

  • Why my VPN clients cannot access network drives and resources?

    I have a Cisco ASA 5505 configured as a VPN gateway. I can dial in using the AnyConnect VPN client. The remote user is assigned an IP address according to my specifications. However... the remote user cannot access network resources such as network disks or the fax server. I've done everything I can to set the right NAT settings and ACLs, but in vain. I'm posting my config... If someone can track down the problem, it would be appreciated!

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    domain-name cisco
    enable password xxxxxxxxxxxxx
    passwd xxxxxxxxxxxxxxxxx
    names
    name 68.191.xxx.xxx outside
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address outside <mask>
    !
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server <dns-server>
     domain-name cisco
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network obj-<...>
    access-list NAT-FREE extended permit ip <...>
    access-list NAT-FREE extended permit ip any <...>
    access-list NAT-FREE extended permit ip any <...>
    access-list NAT-FREE extended permit icmp any any
    access-list <name> extended permit ip any any
    access-list <name> extended permit object-group TCPUDP any any
    access-list <name> extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit object-group TCPUDP any any
    access-list inside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group TCPUDP any any
    access-list outside_access_in extended permit icmp any any
    access-list DefaultRAGroup_splitTunnelAcl standard permit <...>
    access-list inside_nat0_outbound extended permit ip <...>
    access-list inside_nat0_outbound extended permit icmp any any
    access-list inside_nat0_outbound_1 extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool KunduVPN <range> mask <mask>
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 <...>
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route inside <...> 1
    route inside <...> outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http <...> inside
    http <...> outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     keypair xxx
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate <serial>
      <certificate data removed>
      quit
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     enable inside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value <...>
     vpn-tunnel-protocol svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
     default-domain value cisco
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     webvpn
      svc ask enable
    group-policy KunduVPN internal
    group-policy KunduVPN attributes
     wins-server none
     dns-server value <...>
     vpn-tunnel-protocol svc webvpn
     default-domain value cisco
    username xxxx
    username xxxxx
    username xxxxx attributes
     vpn-group-policy DfltGrpPolicy
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNIP
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    tunnel-group KunduVPN type remote-access
    tunnel-group KunduVPN general-attributes
     address-pool (inside) VPNIP
     address-pool KunduVPN
     authentication-server-group (inside) LOCAL
     default-group-policy KunduVPN
    tunnel-group KunduVPN webvpn-attributes
     group-alias KunduVPN enable
     group-url https://68.191.xxx.xxx/KunduVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end


    What is the default gateway IP address of the LAN hosts/servers?

    If it is not the ASA 'inside' interface IP address, then I assume the problem with the VPN is simply routing.

    For example, if your LAN hosts/servers use a wireless LAN router as their gateway, then the following would happen to your VPN client connections.

    • VPN users log in through a static PAT (port forward) configured on the wireless router towards the ASA "inside" interface
    • The VPN client sends traffic through the VPN to the ASA and on to the LAN host/server.
    • The LAN host/server sees the connection coming from a network other than the LAN (the VPN pool) and therefore forwards the return traffic to its default gateway, which would likely be the wireless router.
    • The wireless router has no route to the VPN pool network and therefore uses its default route to forward the traffic to the external network.
    • The VPN client host never receives the traffic back, as it is sent out to the external network and dropped by the ISP.

    So if the above assumption is correct, then you would at least need a route on the wireless router that tells the device to forward traffic for the VPN pool network to the gateway IP address (which is the ASA).

    Let me know if the setup is as described above.
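The return-path reasoning in the reply above, as an added example that is not part of the original post: a small longest-prefix-match forwarding simulation in Python that traces where a LAN server's reply to a VPN-pool address goes when the server's default gateway is a wireless router with no route for the pool, and again after the static route towards the ASA that the reply suggests. The addresses and device names are assumptions chosen to mirror the scenario.

```python
import ipaddress

# Constructed topology (not from the original post); all addresses and device
# names are assumptions. The ASA and the wireless router both sit on the LAN.
LAN = "192.168.1.0/24"          # office LAN
VPN_POOL = "192.168.10.0/24"    # addresses handed out to remote-access clients


class Node:
    """A host or router doing longest-prefix-match forwarding.

    routes: list of (prefix, next_hop). next_hop is another node name, or a
    terminal label: 'deliver' (directly connected), 'ISP' (leaves the site)
    or 'vpn-tunnel' (the ASA hands the packet to the client's SA).
    """

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def build_topology(router_has_pool_route=False, host_gateway="wifi-router"):
    """LAN server, wireless router and ASA as in the reply's scenario."""
    router_routes = [(LAN, "deliver"), ("0.0.0.0/0", "ISP")]
    if router_has_pool_route:
        router_routes.append((VPN_POOL, "asa"))   # the fix the reply suggests
    return {
        "server": Node("server", [(LAN, "deliver"), ("0.0.0.0/0", host_gateway)]),
        "wifi-router": Node("wifi-router", router_routes),
        "asa": Node("asa", [(LAN, "deliver"), (VPN_POOL, "vpn-tunnel"), ("0.0.0.0/0", "ISP")]),
    }


def trace(topology, src, dst_ip, max_hops=8):
    """Follow a packet from node `src` towards dst_ip and return the hop list."""
    path, node = [src], src
    for _ in range(max_hops):
        nh = topology[node].lookup(dst_ip)
        if nh is None:
            path.append("DROP: no route")
            return path
        path.append(nh)
        if nh not in topology:      # terminal label: delivered, left the site, or tunneled
            return path
        node = nh
    path.append("LOOP")
    return path


if __name__ == "__main__":
    client = "192.168.10.7"   # a VPN client address inside the pool
    print("reply, no pool route on the router:   ", trace(build_topology(), "server", client))
    print("reply after 'pool -> ASA' on the router:",
          trace(build_topology(router_has_pool_route=True), "server", client))
    print("reply if hosts used the ASA as gateway: ",
          trace(build_topology(host_gateway="asa"), "server", client))
```

The first trace ends at the ISP, which is exactly the one-way traffic the reply describes (the client's request arrives, the reply leaves the site). Either adding the pool route on the wireless router or pointing the hosts' default gateway at the ASA brings the reply back into the tunnel.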


  • ASA VPN connection cannot see all subnets

    I'm new to the ASA and I have a problem with our remote users. When people VPN in, they don't see a couple of subnets on the network. I looked at the ASA and it can see and communicate with the subnets, but when you VPN in they are not reachable. All these connections are admin connections with admin privileges. Anyone know why the ASA can see the subnets, but the admin VPN users cannot?

    Compare your split tunnel ACL and your routing table, but only for the networks that are relevant to you and that you must have access to, and that are not leftovers from the old configuration. You should also ensure that these networks can route traffic back to the VPN pool.

  • VPN clients cannot access to the vlan


    I just changed my flat LAN to a multi-VLAN environment, but now I need help getting my VPN working again, as the VPN users can only access servers that are on the 'door' VLAN.  I've read enough to know that it is probably NAT related, but I'm not sure where to put this information.

    Does it go in the NAT associated with the E0 interface (outgoing internet gateway), on VLAN10 (the VLAN the router is actually on), or can I create a new one and apply it to the crypto ipsec and isakmp side of things that the VPN users use?

    My network is configured as such...

    VPN client - Router1811 - split trunk - C3550 - 12G - shared - resources multiple C3550s - servers/Wstns

    The router is on the same subnet as all the switches; the VLANs are set up on the 12G and all other switches are VTP clients, including the router.  The user can get to the 10 subnet and any server on it, but not to the "farm" on the other subnet.

    I noticed Federico has been working on something very similar to this... but any help would be appreciated.

    Thank you, Don

    Hi Don,

    Please mark this discussion as resolved if there is no other problem with this VPN.

    Cheers,


  • Cannot open email in Hotmail via Firefox. I have Vista installed on the pc and Windows 7 on the laptop, but cannot access all the features of Hotmail.

    Cannot open email in Hotmail via Firefox. I have Vista installed on the PC and Windows 7 on the laptop, but cannot access all the features of Hotmail. I tried clearing the cache and restarting Firefox, but I still cannot use Hotmail.

    I don't have this problem when I use Internet Explorer.

    Hello, it has been noted that the Foxit PDF plugin is causing this issue. You can disable this plugin in Firefox > Add-ons > Plugins until Foxit offers a patch/update for the plugin.

  • Error message: Windows cannot access the specified device path and the second user cannot access the internet

    Original title: I have two users on Vista. One comes up with "Windows cannot access the specified device, path..." etc. The other has no problem.

    The second user cannot access the internet. A "cannot access" window appears. The other user has no problems.

    Hi Rickravel,

    1. What type of account do you use?

    2. Does this only happen when you access the Internet?

    3. When did the problem start?

    4. Do you remember making any changes to the computer before this problem?

    Step 1:

    You can start in Safe Mode with Networking and see if the problem occurs in that account.

    You can see the following link on how to start in Safe Mode with Networking.

    Start your computer in safe mode

    Note: Restart the computer to boot into normal mode.

    Step 2:

    If you use Internet Explorer, then you can try disabling add-ons and check if it helps:

    Run Internet Explorer with no add-ons. Steps to open Internet Explorer in No Add-ons mode:

    a. Click Start

    b. In the search box, type Internet Explorer

    c. Select Internet Explorer (No Add-ons)

    If you were able to access the website without any problems, then an add-on may be causing the error.

    You can read the following article and try the steps to enable the add-ons one at a time to determine which add-on may be the cause of the problem.

    How do browser add-ons affect my computer?

    Hope this information is useful.

  • Cannot log on - when entering a password I get the message "The User Profile Service service failed the logon. User profile cannot be loaded." Cannot access the Start menu to apply the options.



    The first thing to try is a System Restore in Safe Mode to a point before the problem.


    Windows Vista

    Using the F8 method:

    1. Restart your computer.
    2. When the computer starts, you will see your computer hardware being listed. When you see this information, begin tapping the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
    3. Select the Safe Mode option with the arrow keys.
    4. Then press Enter on your keyboard to boot into Vista Safe Mode.
    5. When Windows starts, you will be at a typical logon screen. Log on to your computer and Vista will enter Safe Mode.
    6. Do whatever tasks you need and when you are done, reboot to return to normal mode.

    If that does not solve it, read on:

    read the tutorial below


    When you log on to a Windows Vista-based or Windows 7-based computer using a temporary profile, you receive the following error message:

    The User Profile Service service failed the logon. User profile cannot be loaded.


    Your user profile was not loaded correctly! You have been logged on with a temporary profile.


    If you tried to log on to Windows and received an error message telling you that your user profile is damaged, you can try to fix it. You will need to create a new profile and then copy the files from the existing profile to the new profile. You must have at least three user accounts on the computer to perform these steps, including the new account that you created.


  • The VPN Clients cannot access any internal address

    Without a doubt I need help from an expert on this one...

    Attempting to set up client VPN access on an ASA 5520 that has been used only as a firewall so far. The ASA has recently been updated to Version 7.2(4).

    Problem: Once connected, the VPN client cannot access anything whatsoever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.

    (Hopefully) relevant details:

    (1) The tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.

    (2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it appears that the packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the attached output of "sh crypto ipsec sa").

    (3) Per the other related posts, we've added the commands associated with NAT traversal (crypto isakmp nat-traversal 20 and crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our ...

    (4) We tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.

    (5) If I (attempt to) ping an internal IP address from the connected client, the ASA real-time log entries show the build-up and teardown of the ICMP requests from the client to the internal target.

    (6) A packet capture at the internal address (the one we try to ping from the VPN client) shows that the ICMP request has been received and answered. (See attachment ...

    (7) Our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLANs or DMZ VLANs. We have no preference for the type of encryption or method, as long as it is secure and it works: that said, do not hesitate to recommend a different approach altogether.

    We have tried everything we can think of, so any help or advice would be greatly ...

    A sanitized ASA configuration is also attached.


    Thank you!

    It should be the last step :)

    On the 6509:

    ip route <vpn-pool-network> <mask> <asa-inside-ip>

    and on the ASA:

    no route inside <vpn-pool-network> <mask> <next-hop>
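The counter check used in the post above ("decapsulated and decrypted, but NOT encapsulated or encrypted") and in the first answer at the top of the page ("sh cry ips sa"), as an added Python example that is not code from the original posts or from Cisco: it parses a constructed excerpt of `show crypto ipsec sa` output and classifies each SA from its `#pkts encaps` / `#pkts decaps` counters, mapping each pattern to the checks the page itself names. The sample output, peers, usernames and counters are all made up.

```python
import re

# Constructed 'show crypto ipsec sa' excerpt (not real output from any post on
# this page); peers, usernames and counters are made up. Two remote-access SAs:
# the first decrypts client traffic but never encrypts anything back, the
# second is healthy.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.10/255.255.255.255/0/0)
      current_peer: 198.51.100.25, username: alice
      dynamic allocated peer ip: 192.168.100.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 143, #pkts decrypt: 143, #pkts verify: 143

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.11/255.255.255.255/0/0)
      current_peer: 198.51.100.77, username: bob
      dynamic allocated peer ip: 192.168.100.11

      #pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
      #pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
"""

FIELDS = {
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"),
    "peer": re.compile(r"current_peer: ([\d.]+)"),
    "user": re.compile(r"username: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}

# What each counter pattern means, phrased as the checks the page itself names.
VERDICTS = {
    "OK": "traffic flows both ways",
    "RETURN_PATH": ("ASA decrypts client packets but encrypts nothing back: check the NAT "
                    "exemption for the pool, 'sysopt connection permit-vpn', and the "
                    "inside route back to the pool"),
    "NO_TRAFFIC": ("nothing enters or leaves the tunnel: check NAT-T "
                   "('crypto isakmp nat-traversal') and the split-tunnel ACL"),
    "ONE_WAY_OUT": "ASA encrypts towards the client but decrypts nothing: check the client side",
}


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per SA pair."""
    sas, cur = [], None
    for line in text.splitlines():
        if "local ident" in line:                  # first line of every SA record
            cur = {"remote": None, "peer": None, "user": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in FIELDS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "remote":
                cur["remote"] = f"{m.group(1)}/{m.group(2)}"
            elif key in ("encaps", "decaps"):
                cur[key] = int(m.group(1))
            else:
                cur[key] = m.group(1)
    return sas


def classify(sa):
    """Map the two packet counters of one SA to a verdict code."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "OK"
    if dec and not enc:
        return "RETURN_PATH"
    if enc and not dec:
        return "ONE_WAY_OUT"
    return "NO_TRAFFIC"


def diagnose(text):
    """Return [(remote ident, user, verdict code)] for every SA in the output."""
    return [(sa["remote"], sa["user"], classify(sa)) for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for remote, user, code in diagnose(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{remote:<32} {user or '-':<8} {code:<12} {VERDICTS[code]}")
```

Run it against real output captured from the ASA (or paste the output in place of the sample). A single snapshot only tells you the counters are non-zero; take two snapshots while the client generates traffic and compare them to confirm the counters are actually increasing, as the first answer on this page asks for.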

  • Reader 10.1.7 on Windows XP, cannot access it at all, just get the "patch package unrecognized" message

    Reader 10.1.7 with Windows XP, cannot access or uninstall it at all, just get this "patch package unrecognized" message, or a runtime error. Help please.

    Uninstall the damaged Reader using http://labs.adobe.com/downloads/acrobatcleaner.html

    Reinstall the latest version of http://get.adobe.com/reader/enterprise/

  • New user cannot access any area of activity

    Hi, I use Discoverer Desktop and Administrator, and I have a new user who cannot access any business area. I tried creating a new business area to test and granted access in the Security window of the Administrator client for this user and for my user (which works very well!); for my user this new BA shows up normally on the Desktop, but for the new user the business area selection in the Workbook Wizard shows nothing. Is there something to set up for new users to access the business area?

    Published by: user2997975 on 06/04/2009 07:19

    As suggested by Rod, it sounds as if you may have several EULs in the same prod73 database. Try to connect again, but this time go to Tools | Options and click the EUL tab. It is the last tab on the right side and you may need to click the button to the right (next to Connection) several times before seeing the EUL tab.

    Under the EUL tab, make sure that the EUL you want to connect to is selected. If it is wrong you will need to change it, click the OK button and then reconnect to the database using File | Connect to Database.

    This time you should be pointing to the right EUL.

    Best wishes

  • Cannot access network resources - Cisco VPN client

    Please see attached the network topology.

    I can connect using the Cisco VPN client and access all resources of the network

    I can't ping / access to all hosts on the network

    Any ideas?

    Thanks for the help in advance


    Quite correct.

    Please add to the access list:

    access-list CPA standard permit <network> <mask>
