Internet access with VPN Client to ASA and full tunnelling

Answered Question
Mar 28th, 2008

I'm in the process of migrating our Concentrator to our new ASA 5520s. The Concentrator was used purely for VPN Client connections and I've got the easy ones out of the way. However, I cannot, for whatever reason, get internet access through our corporate network when I have profiles with full tunneling.

I've included the config file, with lots of public IP information and site to site tunnels omitted. I've left all the pertinent stuff about the group-policies and tunnel-groups that concern VPN client connectivity. The address range I'm using for the VPN clients is 172.16.254.0/24. The group I'm trying to get internet access working with is "adsmgt" and the full tunnel part to our entire network is fine.

As always, any help is appreciated. Thank you!

JORGE RODRIGUEZ Fri, 03/28/2008 - 16:26

Jim,

For your Cisco RA clients you need to NAT the VPN pool network for outbound internet (vpntestpool),

i.e.

nat (outside) 1 172.16.254.0

Same principle for the 192.168.255.100.0 network IF this net is also an RA allocated IP pool (ippool):

nat (outside) 1 192.168.255.100.0

Try that and let us know ..

HTH

Rgds

Jorge

jimgrumbles Sat, 03/29/2008 - 08:40

I thought I had tried that earlier, but tried it just now without any luck; here is the exact statement I used:

nat (outside) 1 172.16.254.0 255.255.255.0

Still can't access any public web sites.

husycisco Sat, 03/29/2008 - 09:07

Hi Jim

Can you please post the latest config after Jorge's modifications?

Also please verify the following

* In the VPN client, right-click the VPN lock symbol at the bottom right > click Statistics.

* Click the Route Details tab. Make sure "0.0.0.0" is listed in the right pane.

Also try adding the "tunneled" word at the end of your default static route in the ASA.

Don't forget to issue "clear xlate" after amending NAT statements.

Regards

Correct Answer
JORGE RODRIGUEZ Sat, 03/29/2008 - 10:53

Huseyin, good to see you back bud. Yes, try those suggestions from Huseyin; if they check out to be ok we'll try a different approach.

I'm thinking too, because it is full tunnel (no split), Jim's ASA may need a U-turn for that internet outbound traffic; a same-security-traffic permit intra-interface statement should be able to do it, but Jim, first try Huseyin's suggestions.

Rgds

Jorge

Correct Answer
husycisco Sat, 03/29/2008 - 12:34

"Huseyin..good to see you back bud"

Thanks m8, good to see you too. Nice badge btw :). Having some trouble with AAA and CSACS, opened some questions but none has a response.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00f96

Any comments appreciated m8.

"may need U-turn for that internet outbound traffic,a same-security-traffic permit intra-interface statement should be able to do it"

Well, this is right on the spot! I totally missed it. I assume you won't need the "tunneled" option.

jimgrumbles Sat, 03/29/2008 - 13:21

Success!

same-security-traffic permit intra-interface

This is what did the trick.

Thank you two very much, these forums are great!
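The pieces the thread converged on, collected into one ASA fragment as an added example (this is not Jim's posted config, which is omitted from the page, nor Cisco's documentation). The pool name vpntestpool and the pool range, the interface name "outside" and the gateway address 203.0.113.1 are assumptions; the syntax is the pre-8.3 NAT form used in the thread.

```cisco
! Hairpin (U-turn) permit: allows traffic that arrives on the outside
! interface from a VPN client to leave again through that same interface.
! This is the single statement that fixed Jim's full-tunnel case.
same-security-traffic permit intra-interface

! Address pool handed to the VPN clients (pool name and range assumed)
ip local pool vpntestpool 172.16.254.1-172.16.254.254 mask 255.255.255.0

! PAT the VPN pool out of the outside interface, as Jorge suggested.
! Without this the clients' private addresses would be sent to the
! internet unchanged and replies would never come back.
nat (outside) 1 172.16.254.0 255.255.255.0
global (outside) 1 interface

! Default route (gateway address is a placeholder). Huseyin's optional
! "tunneled" variant below applies only to traffic that came in through
! a VPN tunnel; the thread resolved without needing it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 tunneled

! Drop existing translations so the new NAT rule is used immediately
clear xlate
```

After applying it, "show xlate" should list translations for 172.16.254.x addresses once a client browses, and on the client the Route Details tab should show 0.0.0.0 as the secured route, confirming full tunnelling as Huseyin described. Note that ASA 8.3 and later replaced the "nat (outside) 1" / "global" syntax with object NAT, so on newer code the hairpin permit stays the same but the NAT lines must be rewritten.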

JORGE RODRIGUEZ Sat, 03/29/2008 - 14:18

Jim, glad all is good, and thank you for rating both.

Huseyin, once I get back tonight I'll jump into that thread of yours and see if I can think of anything..

Rgds

Jorge
