Internet access with VPN Client to ASA and full tunnelling

Answered Question
Mar 28th, 2008

I'm in the process of migrating our Concentrator to our new ASA 5520s. The Concentrator was used purely for VPN Client connections and I've got the easy ones out of the way. However, I cannot, for whatever reason, get internet access through our corporate network when I have profiles with full tunneling.


I've included the config file, with lots of public IP information and site to site tunnels omitted. I've left all the pertinent stuff about the group-policies and tunnel-groups that concern VPN client connectivity. The address range I'm using for the VPN clients is 172.16.254.0/24. The group I'm trying to get internet access working with is "adsmgt" and the full tunnel part to our entire network is fine.


As always, any help is appreciated. Thank you!




JORGE RODRIGUEZ Fri, 03/28/2008 - 16:26

Jim,


For your Cisco RA clients you need to NAT the VPN pool network (vpntestpool) for outbound internet,


i.e.

nat (outside) 1 172.16.254.0


The same principle applies to the 192.168.255.100.0 network IF this net is also an RA-allocated IP pool (ippool).


nat (outside)1 192.168.255.100.0




Try that and let us know ..


HTH

Rgds

Jorge

jimgrumbles Sat, 03/29/2008 - 08:40

I thought I had tried that earlier, but I tried it just now without any luck. Here is the exact statement I used:


nat (outside) 1 172.16.254.0 255.255.255.0


Still can't access any public web sites.


husycisco Sat, 03/29/2008 - 09:07

Hi Jim

Can you please post the latest config after Jorge's modifications?

Also please verify the following

* In the VPN client, right-click the VPN lock symbol at the bottom right > click Statistics.

* Click the Route Details tab. Make sure "0.0.0.0" is listed in the right pane.


Also try adding the "tunneled" keyword at the end of your default static route on the ASA.

Don't forget to issue "clear xlate" after amending NAT statements.


Regards

Correct Answer
JORGE RODRIGUEZ Sat, 03/29/2008 - 10:53

Huseyin, good to see you back, bud. Yes, try those suggestions from Huseyin. If they check out OK, we'll try a different approach.


I'm thinking too that, because it is full tunnel (no split), Jim's ASA may need a U-turn for that internet outbound traffic; a same-security-traffic permit intra-interface statement should be able to do it. But Jim, first try Huseyin's suggestions.


Rgds

Jorge


Correct Answer
husycisco Sat, 03/29/2008 - 12:34

"Huseyin..good to see you back bud"

Thanks m8, good to see you too. Nice badge btw :). Having some trouble with AAA and CSACS; I opened some questions but none has had a response.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00f96

Any comments appreciated m8.


"may need U-turn for that internet outbound traffic,a same-security-traffic permit intra-interface statement should be able to do it"

Well, this is right on the spot! I totally missed it. I assume you won't need the "tunneled" option.

jimgrumbles Sat, 03/29/2008 - 13:21

Success!


same-security-traffic permit intra-interface


This is what did the trick.


Thank you two very much, these forums are great!
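The configuration the thread converges on, assembled here as an added example; it is not the original poster's config (which was omitted from the thread) nor a config posted by either answerer. It uses the pool name vpntestpool, the 172.16.254.0/24 client range and the adsmgt group policy named in the posts; the pool boundaries, the NAT ID 1, the tunnel-group name and the use of the outside interface address for PAT are assumptions. The syntax is the pre-8.3 ASA NAT syntax the thread uses.

```cisco
! Added example: hairpinning full-tunnel VPN client traffic back out the
! outside interface on an ASA running pre-8.3 software. Names and values
! not present in the thread are assumptions.

! 1. Let traffic that arrived on the outside interface (decrypted VPN
!    client traffic) leave through that same interface (U-turn/hairpin).
!    Without this the ASA drops the hairpinned packets.
same-security-traffic permit intra-interface

! 2. Address pool handed to the VPN clients (the exact range inside
!    172.16.254.0/24 is assumed).
ip local pool vpntestpool 172.16.254.1-172.16.254.254 mask 255.255.255.0

! 3. Translate the pool when it leaves via the outside interface.
!    'nat (outside)' names the interface the real (client) addresses
!    arrive on; the 'global (outside)' with the same NAT ID supplies the
!    translated address, here the outside interface IP (PAT). A nat
!    statement with no matching global statement translates nothing.
nat (outside) 1 172.16.254.0 255.255.255.0
global (outside) 1 interface

! 4. Full tunnel for the adsmgt group: no split tunnelling, so the
!    clients' internet traffic is carried through the tunnel to the ASA.
group-policy adsmgt attributes
 split-tunnel-policy tunnelall

! 5. Bind the pool and policy to the tunnel group (tunnel-group name
!    assumed to match the group policy).
tunnel-group adsmgt general-attributes
 address-pool vpntestpool
 default-group-policy adsmgt
```

After changing the nat/global lines, issue clear xlate so existing translations are rebuilt, then check show xlate while a client browses to confirm the 172.16.254.x source is being translated. Two caveats a practitioner would want: same-security-traffic permit intra-interface is global, so it also lets one VPN client reach another through the ASA; if client-to-client reachability is not intended, restrict it with a vpn-filter ACL in the group policy. And the tunneled keyword on a default route solves a different problem (sending decrypted VPN traffic to a separate gateway, typically on the inside); it is not needed for the hairpin case above, which matches the thread's conclusion.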

JORGE RODRIGUEZ Sat, 03/29/2008 - 14:18

Jim, glad all is good, and thank you for rating both.


Huseyin, once I get back tonight I'll jump into that thread of yours and see if I can think of anything.


Rgds

Jorge
