VPN works, no internet

Answered Question
Jul 22nd, 2008

My total configuration works on everything right now. BUT through VPN I can't get internet access. I read one user who only had to put his vpn on a different subnet mask. I tried that, and I lost access to the network drives I connect to. I have got to be able to connect to a network machine & internet simultaneously for 2 programs. Please help - I know nothing about networking - I have to figure things out for myself. If you can give me advice, please keep a little on the simple side. When I do "add" things to see if they work, I'm not sure that I do it right, so please advise.

Thanks,

Jana

mswyldcat Tue, 07/22/2008 - 11:22

Tried this in every way, shape & fashion I know - looks easy, but didn't fix anything. Yes, everything works the way the article says it should, but I cannot ping or see the router or anything else on my network then. I do get a split tunnel, but can't connect to anything.

francisco_1 Tue, 07/22/2008 - 11:31

ok.

for a start, your vpn pool Tbc_Pool is on the same subnet as the ASA inside interface. firstly i suggest you use something not in use on your inside network for the pool.

whatever you use, you will have to route it back to the ASA for you to access internet resources.

what is the ASA inside interface connected to? is it a switch?

mswyldcat Tue, 07/22/2008 - 11:40

Inside interface is connected to a switch - it's a dell, gig managed switch. I CANNOT figure out how to get the subnet to talk on any other subnet. I can connect, but not see my network drives, ping anything, including my dns server.

francisco_1 Tue, 07/22/2008 - 11:41

is the dell switch a routing switch? can you add a static route for example?

start by changing the pool subnet to something else. it is not recommended to use the vpn pool same as the inside interface.

once you change it, then we can try to route it and get the vpn connection to access internal resources.

ok i noticed something else. your pool mask is 255.255.255.255. try changing it to 255.255.255.0 and give it a go.

mswyldcat Tue, 07/22/2008 - 12:04

it is a routing switch, but let's pretend it's not. it's not "turned on" and if we try to access that it's going to get bad quick. there are many switches in our building & they all just act as switches, no management whatsoever.

I changed the pool mask & the split tunnel mask to both be 255.255.255.0. I can still connect, but no internet, no network connections.

a.alekseev Tue, 07/22/2008 - 12:01

add this line to your config

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

mswyldcat Tue, 07/22/2008 - 12:21

added it. still no communication. i connect to the vpn still, but no network.

a.alekseev Tue, 07/22/2008 - 12:24

show the output when vpn client is connected.

sh crypto ipsec sa

mswyldcat Tue, 07/22/2008 - 12:27

Sorry - here's part of my lack of formal training.

"show the output when vpn client is connected."

You mean the log from the client? or something from the ASA

sh crypto ipsec sa

- is this for the ASA or for the output?

a.alekseev Tue, 07/22/2008 - 13:04

add also

isakmp nat-traversal 20

and show the output from ASA when vpn client is connected

"sh crypto ipsec sa"

mswyldcat Tue, 07/22/2008 - 13:16

so over my head. i don't know WHERE to input that to get an output. if i'm supposed to do it from a command prompt, please advise on how to get to the asa? sorry - gotta get for tonight. be back around 6a central.

Correct Answer
a.alekseev Wed, 07/23/2008 - 05:40

add to your config

access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
access-list Split-VPN standard permit 192.168.0.0 255.255.0.0
group-policy templevpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-VPN
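
The three settings the replies in this thread adjust (pool subnet and mask, NAT exemption toward the pool, split-tunnel network list) can be checked offline against a saved config. The script below is an added example, not code from the thread; the interface and pool addresses in the sample are assumed, since the poster's full config is not shown, and `audit` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample. ACL, nat and group-policy lines are from the thread;
# the interface and pool addresses are assumed for illustration.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
ip local pool Tbc_Pool 192.168.1.10-192.168.1.50 mask 255.255.255.0
access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
access-list Split-VPN standard permit 192.168.0.0 255.255.0.0
group-policy templevpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-VPN
"""

def audit(config):
    """Return findings for the pool, NAT-exemption and split-tunnel settings."""
    acls, inside, pool, mask, nonat, split, nameif = {}, None, None, None, None, None, None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["nameif"]:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "inside":
            inside = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            pool = [ipaddress.ip_address(a) for a in w[4].split("-")]
            mask = w[w.index("mask") + 1] if "mask" in w else None
        elif w[:1] == ["access-list"] and "permit" in w:
            # Network and mask are the last two tokens in both ACL forms used here.
            acls.setdefault(w[1], []).append(
                ipaddress.ip_network(f"{w[-2]}/{w[-1]}", strict=False))
        elif w[:3] == ["nat", "(inside)", "0"]:
            nonat = w[-1]          # name of the NAT-exemption ACL
        elif w[:1] == ["split-tunnel-network-list"]:
            split = w[-1]          # name of the split-tunnel ACL
    if inside is None or pool is None:
        raise ValueError("config needs an inside interface address and a local pool")
    findings = []
    if any(a in inside for a in pool):
        findings.append("pool overlaps inside subnet")
    if mask == "255.255.255.255":
        findings.append("pool mask is a host mask")
    if not all(any(a in n for n in acls.get(nonat, [])) for a in pool):
        findings.append("pool not covered by NAT exemption")
    if not any(inside.subnet_of(n) for n in acls.get(split, [])):
        findings.append("inside subnet missing from split-tunnel list")
    return findings
```
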
