Easy VPN Clients cannot access internet

Jun 15th, 2007

Same ASA, different problem. Thanks for reading.

We have an ASA that we just set up. We have 4 remote offices that all have DSL connections with DHCP addresses on the outside interfaces. The remote offices are running Pix 501's with either 6.3(4) or 6.3(5). We experience the problem on either IOS image.

The Pix's create the tunnel successfully and can connect to resources on the other end of the tunnel. But the users then cannot connect to their local network and the internet.

I'm pretty sure this is a split-tunnel issue on the head end. But I've been staring at this config for 3 days and I can't figure out where the problem is. I'm hoping another set of eyes can point out the problem.

I have tried adding a static route to the remote Pix to their local ISP's gateway with no luck.



JBDanford2002 Sun, 06/17/2007 - 06:31

One of the things you said was that users cannot access their own LAN. That bothers me. Especially if the PIX in front of them is establishing the tunnel. Are they not able to ping addresses on their own segment? Where is the client end DNS server located?

jake.kappus Sun, 06/17/2007 - 10:23

Yes, they can ping addresses on their own subnet. They use a DNS server on the tunnel, which is making me think about getting rid of the split tunnel and have them access the internet through the tunnel.

JBDanford2002 Sun, 06/17/2007 - 10:57

Do you know if they are able to resolve internet addresses via the DNS server they are currently using?

Can they ping to addresses on the internet?

If you have a chance to have a user test, take a look at the connection table ("sh conn") and see if there are any internet-bound connections.

Do you have a sample config of what you're configuring on the spokes?

jake.kappus Sun, 06/17/2007 - 12:15

I do not have a config on the spokes because I can't connect to them at the moment (separate problem).

I have the same problem using the VPN Client, so I know it's not on the client end.

They can resolve addresses, but pings do not return responses.

I see connections, but not from the subnet that the VPN Clients are using. Strangely enough, I do see my internal IP (I'm connecting from home), in the connection table. I'd think it'd have at least been NAT'd from my router at home. Weird...

Thanks for the help...especially on Father's Day.


