06-15-2007 05:50 PM - edited 03-11-2019 03:31 AM
Same ASA, different problem. Thanks for reading.
We have an ASA that we just set up. We have 4 remote offices that all have DSL connections with DHCP addresses on the outside interfaces. The remote offices are running Pix 501's with either 6.3(4) or 6.3(5). We experience the problem on either IOS image.
The Pix's create the tunnel successfully and can connect to resources on the other end of the tunnel. But the users then cannot connect to their local network and the internet.
I'm pretty sure this is a split-tunnel issue on the head end. But I've been staring at this config for 3 days and I can't figure out where the problem is. I'm hoping another set of eyes can point out the problem.
I have tried adding a static route to the remote Pix to their local ISP's gateway with no luck.
Thanks!
Jake
06-17-2007 06:31 AM
One of the things you said was that users cannot access their own LAN. That bothers me. Especially if the PIX in front of them is establishing the tunnel. Are they not able to ping addresses on their own segment? Where is the client end DNS server located?
06-17-2007 10:23 AM
Yes, they can ping addresses on their own subnet. They use a DNS server on the tunnel, which is making me think about getting rid of the split tunnel and have them access the internet through the tunnel.
06-17-2007 10:57 AM
Do you know if they are able to resolve internet addresses via the DNS server they are currently using?
Can they ping to addresses on the internet?
If you have a chance to have a user test, take a look at the connection table ("sh conn") and see if there are any internet-bound connections.
Do you have a sample config of what you're configuring on the spokes?
06-17-2007 12:15 PM
I do not have a config on the spokes because I can't connect to them at the moment (separate problem).
I have the same problem using the VPN Client, so I know it's not on the client end.
They can resolve addresses, but pings do not return responses.
I see connections, but not from the subnet that the VPN Clients are using. Strangely enough, I do see my internal IP (I'm connecting from home), in the connection table. I'd think it'd have at least been NAT'd from my router at home. Weird...
Thanks for the help...especially on Father's Day.
Jake