
Internet access with VPN Client to ASA and full tunnelling

jimgrumbles
Level 1

I'm in the process of migrating our Concentrator to our new ASA 5520s. The Concentrator was used purely for VPN Client connections and I've got the easy ones out of the way. However, I cannot, for whatever reason, get internet access through our corporate network when I have profiles with full tunneling.

I've included the config file, with lots of public IP information and site to site tunnels omitted. I've left all the pertinent stuff about the group-policies and tunnel-groups that concern VPN client connectivity. The address range I'm using for the VPN clients is 172.16.254.0/24. The group I'm trying to get internet access working with is "adsmgt" and the full tunnel part to our entire network is fine.

As always, any help is appreciated. Thank you!

7 Replies

JORGE RODRIGUEZ
Level 10

Jim,

For your Cisco RA clients you need to NAT the VPN pool network for outbound internet (vpntestpool)

i.e.

nat (outside) 1 172.16.254.0

Same principle for the 192.168.255.100.0 network IF this net is also an RA-allocated IP pool (ippool).

nat (outside) 1 192.168.255.100.0

Try that and let us know ..

HTH

Rgds

Jorge

Jorge Rodriguez

I thought I had tried that earlier but tried it just now without any luck, here is the exact statement I used:

nat (outside) 1 172.16.254.0 255.255.255.0

Still can't access any public web sites.

Hi Jim

Can you please post the latest config after Jorge's modifications?

Also please verify the following

* In the VPN client, right-click the VPN lock symbol at the bottom right > click Statistics

* Click Router Details tab. Make sure "0.0.0.0" is listed in the right pane.

Also try adding a "tunneled" word at the end of your default static route in ASA.

Don't forget to issue "clear xlate" after amending NAT statements.

Regards

Huseyin, good to see you back, bud. Yes, try those suggestions from Huseyin. If they check out OK, we'll try a different approach.

I'm thinking too: because it is full tunnel (no split), Jim's ASA may need a U-turn for that internet outbound traffic. A same-security-traffic permit intra-interface statement should be able to do it. But Jim, first try Huseyin's suggestions.

Rgds

Jorge

Jorge Rodriguez

"Huseyin..good to see you back bud"

Thanks m8, good to see you too. Nice badge btw :). Having some trouble with AAA and CSACS, opened some questions but none has a response.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00f96

Any comments appreciated m8.

"may need U-turn for that internet outbound traffic,a same-security-traffic permit intra-interface statement should be able to do it"

Well, this is right on the spot! I totally missed it. I assume you won't need the "tunneled" option.

Success!

same-security-traffic permit intra-interface

This is what did the trick.

Thank you two very much, these forums are great!

Jim, glad all is good, and thank you for rating both.

Huseyin, once I get back tonight I'll jump into that thread of yours and see if I can think of anything..

Rgds

Jorge

Jorge Rodriguez
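
As an added example (not code from the thread or from Cisco), here is a small Python check for the pieces this thread found necessary for full-tunnel internet access, using the pre-8.3 ASA syntax shown above. The sample configs are constructed, the function name is hypothetical, and the check for a matching `global (outside)` entry is an assumption based on standard pre-8.3 NAT id pairing, since Jim's full config is not shown.

```python
import ipaddress
import re

# Constructed sample configs (pre-8.3 ASA syntax, as in the thread); not Jim's real config.
BROKEN = """\
ip local pool vpntestpool 172.16.254.1-172.16.254.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
FIXED = BROKEN + """\
nat (outside) 1 172.16.254.0 255.255.255.0
same-security-traffic permit intra-interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)", re.M)
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ", re.M)


def hairpin_gaps(config, pool_cidr, iface="outside"):
    """Return the list of missing pieces for full-tunnel internet access."""
    pool = ipaddress.ip_network(pool_cidr)
    gaps = []

    # 1. Traffic must be allowed to enter and leave the same interface (U-turn).
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        gaps.append("same-security-traffic permit intra-interface")

    # 2. The pool must be NATed on the interface where the tunnel terminates.
    nat_ids = set()
    for nat_if, nat_id, net, mask in NAT_RE.findall(config):
        if nat_if != iface or nat_id == "0":  # nat 0 is exemption, not translation
            continue
        try:
            covered = pool.subnet_of(ipaddress.ip_network(f"{net}/{mask}"))
        except ValueError:  # e.g. "access-list" form or a malformed address
            continue
        if covered:
            nat_ids.add(nat_id)
    if not nat_ids:
        gaps.append(f"nat ({iface}) <id> {pool.network_address} {pool.netmask}")

    # 3. Assumption: that NAT id needs a global entry on the same interface.
    globals_ = {gid for gif, gid in GLOBAL_RE.findall(config) if gif == iface}
    if nat_ids and not nat_ids & globals_:
        gaps.append(f"global ({iface}) {min(nat_ids)} interface")
    return gaps
```

Running it against a saved `show running-config` with the pool as `172.16.254.0/24` returns an empty list only when both the outside NAT and the intra-interface permit are present.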