07-22-2008 09:54 AM - edited 02-21-2020 03:50 PM
My total configuration works on everything right now. BUT through VPN I can't get internet access. I read one user who only had to put his VPN on a different subnet mask. I tried that, and I lost access to the network drives I connect to. I have got to be able to connect to a network machine & internet simultaneously for 2 programs. Please help - I know nothing about networking - I have to figure things out for myself. If you can give me advice, please keep a little on the simple side. When I do "add" things to see if they work, I'm not sure that I do it right, so please advise.
Thanks,
Jana
07-23-2008 05:40 AM
add to your config
access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
access-list Split-VPN standard permit 192.168.0.0 255.255.0.0
group-policy templevpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-VPN
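What the lines in the answer above do to traffic, modelled in Python as an added example (not part of the original post and not Cisco's code). The two networks come from the ACLs in the answer; the function names are hypothetical, and the pool and inside addresses given to `pool_problems` are constructed samples, since the thread does not show the real ones.

```python
import ipaddress

# From the answer above: access-list Split-VPN standard permit 192.168.0.0 255.255.0.0
SPLIT_VPN = [ipaddress.ip_network("192.168.0.0/255.255.0.0")]
# From the answer above: access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0
NO_NAT_DST = ipaddress.ip_network("192.168.1.0/255.255.255.0")


def client_path(dst, split_list=SPLIT_VPN):
    """split-tunnel-policy tunnelspecified: only listed networks use the tunnel."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in split_list) else "local-internet"


def nat_exempt(dst, acl_dst=NO_NAT_DST):
    """nat (inside) 0 access-list NO-NAT: inside traffic to these destinations is not translated."""
    return ipaddress.ip_address(dst) in acl_dst


def pool_problems(pool, inside):
    """Flag the two pool issues raised in the thread (hypothetical helper)."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    inside_net = ipaddress.ip_network(inside, strict=False)
    problems = []
    if pool_net.prefixlen == 32:
        problems.append("pool mask is 255.255.255.255")
    if pool_net.overlaps(inside_net):
        problems.append("pool is on the inside subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses; the thread does not show the real ones.
    for dst in ("192.168.0.10", "8.8.8.8"):
        print(dst, "->", client_path(dst))
    print("NAT-exempt 192.168.1.50:", nat_exempt("192.168.1.50"))
    print(pool_problems("192.168.0.200/255.255.255.255", "192.168.0.1/255.255.255.0"))
    print(pool_problems("192.168.1.10/255.255.255.0", "192.168.0.1/255.255.255.0"))
```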
07-22-2008 11:04 AM
You have to enable split-tunneling on the ASA to allow internet traffic through the ASA.
See this for more info and instructions:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
You apply the split-tunneling on your VPN group.
07-22-2008 11:22 AM
Tried this in every way, shape & fashion I know - looks easy, but didn't fix anything. Yes, everything works the way the article says it should, but I cannot ping or see the router or anything else on my network then. I do get a split tunnel, but can't connect to anything.
07-22-2008 11:31 AM
OK.
For a start, your VPN pool Tbc_Pool is on the same subnet as the ASA inside interface. Firstly, I suggest you use something not in use on your inside network for the pool.
Whatever you use, you will have to route it back to the ASA for you to access internet resources.
What is the ASA inside interface connected to? Is it a switch?
07-22-2008 11:40 AM
Inside interface is connected to a switch - it's a Dell gig managed switch. I CANNOT figure out how to get the subnet to talk on any other subnet. I can connect, but not see my network drives, ping anything, including my DNS server.
07-22-2008 11:41 AM
Is the Dell switch a routing switch? Can you add a static route, for example?
Start by changing the pool subnet to something else. It is not recommended to use the same subnet for the VPN pool as the inside interface.
Once you change it, then we can try to route it and get the VPN connection to access internal resources.
OK, I noticed something else. Your pool mask is 255.255.255.255. Try changing it to 255.255.255.0 and give it a go.
07-22-2008 12:04 PM
It is a routing switch, but let's pretend it's not. It's not "turned on" and if we try to access that it's going to get bad quick. There are many switches in our building & they all just act as switches, no management whatsoever.
I changed the pool mask & the split tunnel mask to both be 255.255.255.0. I can still connect, but no internet, no network connections.
07-22-2008 12:01 PM
add this line to your config
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
07-22-2008 12:21 PM
Added it. Still no communication. I connect to the VPN still, but no network.
07-22-2008 12:24 PM
show the output when vpn client is connected.
sh crypto ipsec sa
07-22-2008 12:27 PM
Sorry - here's part of my lack of formal training.
"show the output when vpn client is connected."
You mean the log from the client? Or something from the ASA?
sh crypto ipsec sa
- is this for the ASA or for the output?
07-22-2008 12:45 PM
Yes, this command is for the ASA...
07-22-2008 12:46 PM
This is the client connection if that's what you wanted.
07-22-2008 01:04 PM
add also
isakmp nat-traversal 20
and show the output from ASA when vpn client is connected
"sh crypto ipsec sa"
07-22-2008 01:16 PM
So over my head. I don't know WHERE to input that to get an output. If I'm supposed to do it from a command prompt, please advise on how to get to the ASA? Sorry - gotta get for tonight. Be back around 6a central.