VPN Clients Internet Browsing

Unanswered Question
Apr 24th, 2008

I have set up in a lab right now an ASA 5520 with a live internet connection. I have a 2611 hanging off the inside interface, and a 2950 switch into which I have an AD server plugged in. I have VPN set up for Cisco VPN client. I can connect up just fine, get an address from the address pool and connect all over the lab. I cannot, however, get to the internet. If I try to ping or browse, it resolves the name to an address, but times out trying to get there. I can get to the internet from the lab PCs no problem. It's probably something simple I am missing; any help would be great. I am attaching the ASA config. Thanks!

acomiskey Thu, 04/24/2008 - 05:47

Since you have already defined nat for the vpn clients, I assume you don't want to split tunnel...

global (Internet) 1 72.X.X.X netmask

nat (Internet) 1

To complete the hairpin, you are missing...

same-security-traffic permit intra-interface

adcorbett_2 Thu, 04/24/2008 - 06:02

Yeah, we are trying to avoid split-tunneling. Thanks, I added that but it's still not working.

adcorbett_2 Thu, 04/24/2008 - 06:56

Ok, I will take a look at that, thanks. In the meantime, I am attaching my router and switch configs, just in case I missed something there, and if I did... I will be embarrassed :-)

Lab subnet -

VPN Pool -

adcorbett_2 Thu, 04/24/2008 - 07:41

Ok, I went through that document and still nothing, also I checked the client stats and do have 0 0 under secured routes.

adcorbett_2 Thu, 04/24/2008 - 11:31

Anyone else want to take a crack at this? I have rebuilt the whole ASA and here is the cleaned up config, but alas, still no internet for VPN users. When I ping a website, it resolves the name to an IP but times out.


acomiskey Thu, 04/24/2008 - 11:56

A few more things to try. Have you considered upgrading from 7.1.2?

Also, this route statement is not correct. Not that this will fix your internet problem however.

route Inside 1

Your vpn pool is part of and is not reachable via

This also shouldn't matter but try...

nat (Internet) 1

adcorbett_2 Fri, 04/25/2008 - 04:51

All set..after adding

No nat (Internet) 1

nat (Internet) 1

clear xlate

clear local

everything is working now. Thanks for the input!
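Added example, not posted by anyone in this thread: a small Python audit that checks a saved ASA configuration (pre-8.3 `nat`/`global` syntax, as used above) for the three statements the first reply lists for a full-tunnel hairpin. The sample configuration, pool name and addresses are constructed (documentation ranges); only the `Internet` and `Inside` interface names come from the thread.

```python
import ipaddress
import re

# Constructed sample config; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Internet
ip local pool VPNPOOL 192.0.2.10-192.0.2.50 mask 255.255.255.0
global (Internet) 1 interface
nat (Inside) 1 10.0.0.0 255.255.255.0
nat (Internet) 1 192.0.2.0 255.255.255.0
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"


def hairpin_findings(config, outside="Internet"):
    """Return missing prerequisites for VPN-client internet access without split tunneling."""
    findings = []
    # Traffic must be allowed to enter and leave the same interface.
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")
    iface = re.escape(outside)
    # NAT ids that have a translation pool on the outside interface.
    global_ids = set(re.findall(rf"^global \({iface}\) (\d+) ", config, re.M))
    # nat rules whose source interface is the outside interface (where VPN clients arrive).
    nats = [(nid, ipaddress.ip_network(f"{net}/{mask}", strict=False))
            for nid, net, mask in
            re.findall(rf"^nat \({iface}\) (\d+) {QUAD} {QUAD}", config, re.M)]
    for name, start, end in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        covering = [nid for nid, net in nats if lo in net and hi in net]
        if not covering:
            findings.append(f"pool {name}: no nat ({outside}) rule covers it")
        elif not global_ids.intersection(covering):
            findings.append(f"pool {name}: nat id has no matching global ({outside})")
    return findings


if __name__ == "__main__":
    for finding in hairpin_findings(SAMPLE_CONFIG):
        print(finding)
```

A clean result only means the statements are present; as the last post shows, existing translations may still need clearing (`clear xlate`) after the NAT rule is re-entered.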

