VPN/ASA clients can't get to the Internet.

nguyenvinnie (Level 1)

VPN clients can get to all internal servers/DMZ but not the Internet. This is the partial config of the ASA. TIA

VPN Pool 10.17.70.0

DMZ 192.168.100.0

Internal 172.0.0.0

-------------------------------------

access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0

access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0

access-list splittunnel standard permit 172.0.0.0 255.0.0.0

global (Outside) 10 interface

global (Businesspartner) 10 interface

nat (Inside) 0 access-list nonatdmz

nat (Inside) 10 0.0.0.0 0.0.0.0

nat (DMZ) 10 0.0.0.0 0.0.0.0


8 Replies

JORGE RODRIGUEZ (Level 10)

You need to NAT the VPN pool network for outbound Internet.

e.g.

nat (outside) 10 10.17.70.0

Jorge Rodriguez
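The NAT lookup behind this advice, as an added Python check that is not from the thread or from Cisco: it parses the pre-8.3 `access-list`, `nat` and `global` lines quoted in the question, appends the suggested `nat (Outside) 10` line (a 255.255.255.0 mask for the pool is assumed), and reports how a flow entering one interface and leaving another would be translated.

```python
import ipaddress
# Constructed sample: the thread's pre-8.3 ASA NAT lines plus the suggested
# "nat (Outside) 10 <vpn pool>" fix (mask 255.255.255.0 assumed).
ASA_CONFIG = """
access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
global (Outside) 10 interface
global (Businesspartner) 10 interface
nat (Inside) 0 access-list nonatdmz
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
nat (Outside) 10 10.17.70.0 255.255.255.0
"""

def _take(tokens):
    # Consume one address spec ("any" or "addr mask") and return the rest.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_nat_config(text):
    """Return (acls, nats, globals) from old-style nat/global/access-list lines."""
    acls, nats, globals_ = {}, [], {}
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take(w[5:])
            acls.setdefault(w[1], []).append((src, _take(rest)[0]))
        elif w[:1] == ["global"]:
            globals_[(w[1].strip("()").lower(), int(w[2]))] = w[3]
        elif w[:1] == ["nat"] and w[3] == "access-list":
            nats.append((w[1].strip("()").lower(), int(w[2]), "acl", w[4]))
        elif w[:1] == ["nat"]:  # "nat (if) id addr [mask]"; no mask means a host
            net, _ = _take(w[3:5] if len(w) > 4 else [w[3], "255.255.255.255"])
            nats.append((w[1].strip("()").lower(), int(w[2]), "net", net))
    return acls, nats, globals_

def translation_for(config, src_ip, dst_ip, in_if, out_if):
    """Describe how a flow entering in_if and leaving out_if is translated."""
    acls, nats, globals_ = parse_nat_config(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_if, out_if = in_if.lower(), out_if.lower()
    # nat 0 access-list (NAT exemption) on the ingress interface is checked first
    for iface, nat_id, kind, ref in nats:
        if iface == in_if and kind == "acl" and nat_id == 0:
            if any(src in s and dst in d for s, d in acls.get(ref, [])):
                return "exempt"
    # then a dynamic nat on the ingress interface, paired by id with a global on egress
    for iface, nat_id, kind, net in nats:
        if iface == in_if and kind == "net" and src in net:
            pool = globals_.get((out_if, nat_id))
            return f"nat {nat_id} -> global ({out_if}) {pool}" if pool else f"nat {nat_id} matched, no global on {out_if}"
    return f"no nat rule on {in_if}"
```

Interface names are compared case-insensitively; note that the added pool rule also matches VPN-to-inside flows, which the nonatdmz exemption only covers in the inside-to-pool direction.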

Vinnie, just following up: has your problem been resolved by adding the NAT statement for VPN network Internet access? Please let us know if the problem still exists.

Rgds

Jorge

Jorge Rodriguez

After including the following line:

nat (Outside) 10 10.17.70.0

the problem still exists. When I tried ipconfig at the command prompt, the default gateway IP shows up as 10.17.70.1, which is non-existent.

-Vinnie

When the client connects via remote access VPN, its gateway will be its own IP that is assigned by the VPN gateway.

Because remote access VPN is a point-to-point connection between client and server, there is no need to have a gateway; the client sends all traffic to the VPN gateway.

You need to make nat (inside) and global (outside) for the remote access client IP.

I am assuming that the clients are coming from the inside of the firewall; if they are attached to the DMZ side, make the nat (dmz).

bob.bartlett (Level 1)

It does not appear that our split tunnel is applied.

Also, you need a NAT outside for the VPN clients, since the ASA sees them as outside entities. Use ASDM and look at the logging; it is a very useful tool to clear up this problem.

Great news, we can browse the Internet after split tunnel was implemented. What is split tunnel anyway? We also have a new issue that came up after split tunnel was configured: we're no longer able to Telnet to the ASA.

Current telnet configurations are as below.

telnet 10.17.70.0 255.255.255.0 Outside

telnet 172.17.0.0 255.255.0.0 Inside

Thanks for your great help.

Vinnie

Vinnie, glad you are getting there.

To telnet to the ASA through a VPN session you need to add this statement.

management-access inside

In this same link, see split tunnel vs. allow local LAN only access; you can learn the differences and you will understand your ASA configuration pertaining to RA VPN better.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Jorge Rodriguez