cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
514
Views
0
Helpful
4
Replies

Easy VPN Clients cannot access internet

jake.kappus
Level 1
Level 1

Same ASA, different problem. Thanks for reading.

We have an ASA that we just setup. We have 4 remote offices that all have DSL connections with DHCP addresses on the outside interfaces. The remote offices are running Pix 501's with either 6.3(4) or 6.3(5). We experience the problem on either IOS image.

The Pix's create the tunnel successfully and can connect to resources on the other end of the tunnel. But the users then cannot connect to their local network and the internet.

I'm pretty sure this is a split-tunnel issue on the head end. But I've been staring at this config for 3 days and I can't figure out where the problem right is. I'm hoping another set of eyes can point out the problem.

I have tried adding at static route to the remote Pix to their local ISP's gateway with no luck.

Thanks!

Jake

4 Replies 4

JBDanford2002
Level 1
Level 1

One of the things you said was that users cannot access their own LAN. That bothers me. Especially if the PIX in front of them is establishing the tunnel. Are they not able to ping addresses on their own segment? Where is the client end DNS server located?

Yes, they can ping addresses on their own subnet. They use a DNS server on the tunnel, which is making me think about getting rid of the split tunnel and have them access the internet through the tunnel.

Do you know if they are able to resolve internet addresses via the DNS server they are currently using?

Can they ping to addresses on the internet?

If you have a chance to have a user test take a look at the connection table "sh conn" and see if there are any internet bound connections.

Do you have a sample config of what your configuring on the spokes?

I do not have a config on the spokes due to I can't connect to them at the moment (seperate problem).

I have the same problem using the VPN Client, so I know it's not on the client end.

They can resolve addresses, but pings do not return responses.

I see connections, but not from the subnet that the VPN Clients are using. Strangely enough, I do see my internal IP (I'm connecting from home), in the connection table. I'd think it'd have at least been NAT'd from my router at home. Weird...

Thanks for the help...especially on Father's Day.

Jake

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: