
VPN Clients Internet Browsing

adcorbett_2
Level 1

I have set up in a lab right now an ASA 5520 with a live internet connection. I have a 2611 hanging off the inside interface, and a 2950 switch into which I have an AD server plugged in. I have VPN set up for Cisco VPN client. I can connect up just fine, get an address from the address pool and connect all over the lab. I cannot, however, get to the internet. If I try to ping or browse, it resolves the name to an address, but times out trying to get there. I can get to the internet from the lab PCs no problem. It's probably something simple I am missing, any help would be great. I am attaching the ASA config. Thanks!

8 Replies

acomiskey
Level 10

Since you have already defined nat for the vpn clients, I assume you don't want to split tunnel...

global (Internet) 1 72.X.X.X netmask 255.255.255.255

nat (Internet) 1 0.0.0.0 0.0.0.0

To complete the hairpin, you are missing...

same-security-traffic permit intra-interface

Yeah, we are trying to avoid split-tunneling. Thanks, I added that but it's still not working.

Here's the Cisco doc...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

You should be ok. Check the client, status -> statistics -> route details. Make sure you have 0 0 under secured routes.

Ok, I will take a look at that, thanks. In the meantime, I am attaching my router and switch configs, just in case I missed something there, and if I did... I will be embarrassed :-)

Lab subnet - 192.168.2.0

VPN Pool - 192.168.200.0

Ok, I went through that document and still nothing, also I checked the client stats and do have 0 0 under secured routes.

Anyone else want to take a crack at this? I have rebuilt the whole ASA and here is the cleaned up config, but alas, still no internet for VPN users. When I ping a website, it resolves the name to an IP but times out.

Thanks

A few more things to try. Have you considered upgrading from 7.1.2?

Also, this route statement is not correct. Not that this will fix your internet problem however.

route Inside 192.168.0.0 255.255.0.0 192.168.210.1 1

Your vpn pool is part of 192.168.0.0/16 and is not reachable via 192.168.210.1.

This also shouldn't matter but try...

nat (Internet) 1 192.168.200.0 255.255.255.0

All set..after adding

no nat (Internet) 1 0.0.0.0 0.0.0.0

nat (Internet) 1 192.168.200.0 255.255.255.0

clear xlate

clear local

everything is working now. Thanks for the input!
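
The checks raised across this thread (intra-interface permit, a nat/global pair on the outside interface that covers the VPN pool, and inside routes that overlap the pool) can be run against a saved config before testing from a client. This is an added example, not part of the original posts or any Cisco tooling; the function name `audit_hairpin` and the `BEFORE` sample are assumptions, with the sample constructed from the commands quoted above.

```python
import ipaddress
import re

# Constructed sample: the commands quoted in the thread before the fix.
BEFORE = """\
global (Internet) 1 72.X.X.X netmask 255.255.255.255
nat (Internet) 1 0.0.0.0 0.0.0.0
route Inside 192.168.0.0 255.255.0.0 192.168.210.1 1
"""

def audit_hairpin(config, outside_if, vpn_pool):
    """Return findings for the hairpin prerequisites raised in the thread."""
    pool = ipaddress.ip_network(vpn_pool)
    findings, nat_ids, global_ids, intra = [], set(), set(), False
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "same-security-traffic permit intra-interface":
            intra = True
        m = re.match(r"nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)", line)
        if m and m.group(1) == outside_if and m.group(2) != "0":
            src = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if pool.subnet_of(src):
                nat_ids.add(m.group(2))  # pool is translated on the outside interface
        m = re.match(r"global \((\S+)\) (\d+) ", line)
        if m and m.group(1) == outside_if:
            global_ids.add(m.group(2))
        m = re.match(r"route (\S+) ([\d.]+) ([\d.]+) ", line)
        if m and m.group(1) != outside_if:
            dest = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            # A non-default route on another interface that overlaps the pool
            if dest.prefixlen > 0 and dest.overlaps(pool):
                findings.append(f"route {m.group(1)} {dest} overlaps VPN pool {pool}")
    if not intra:
        findings.append("missing same-security-traffic permit intra-interface")
    if not nat_ids:
        findings.append(f"no nat ({outside_if}) rule covers VPN pool {pool}")
    elif not nat_ids & global_ids:
        findings.append(f"no global ({outside_if}) with the same NAT id as the pool rule")
    return findings

if __name__ == "__main__":
    for finding in audit_hairpin(BEFORE, "Internet", "192.168.200.0/24"):
        print(finding)
```

The audit only confirms that the statements exist and are consistent with each other; it does not model the ASA's NAT processing, so a clean result still needs the `clear xlate` and client retest described in the last post.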
