I can not access to internet when VPN client is active (ASA 5510)

Unanswered Question
Mar 31st, 2009
User Badges:

I have already set VPNs in ASA 5510, VPNs clients can access to local network without problem, my issue is that any users can not acces to internet when they are connected to local network via VPN client.


what could it be the problem??

I show the current configuration in ASA.


ip local pool IPPOOL x.x.x.x - x.x.x.x.x


access-list nat1 extended permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0


nat (inside) 0 access-list nat1



crypto ipsec transform-set MYSET esp-des esp-md5-hmac

crypto dynamic-map DYNMAP 30 set transform-set MYSET


crypto map MYMAP 20 ipsec-isakmp dynamic DYNMAP

crypto map MYMAP interface outside


crypto isakmp enable outside


crypto isakmp policy 10

authentication pre-share


encryption des

hash md5

group 2

lifetime 86400


group-policy REMOTO internal

group-policy REMOTO attributes


username cisco password cisco


tunnel-group REMOTO type remote-access

tunnel-group REMOTO general-attributes

address-pool IPPOOL

tunnel-group REMOTO ipsec-attributes

pre-shared-key xxxxxx


thanks in advance,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
JORGE RODRIGUEZ Tue, 03/31/2009 - 14:25
User Badges:
  • Green, 3000 points or more

my issue is that any users can not acces to internet when they are connected to local network via VPN client


Filberto, if I understand correctly, your ra vpn is created, RA vpn pool have access to local LAN, but RA vpn users once connected cannot access internet..if this is your issue you can resolve it by having your vpn RA pool nework as full tunnel and pat them through your global outside interface for internet access... please correct me if I have missed understood to assist you better.


you may use VPN Client for Public Internet VPN on a Stick Configuration.

This will allow RA VPN full tunnel internet access through your ASA firewall as suppose to split tunnel.



typical config scenario for RA VPN full tunnel internet access


same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1 255.255.255.0



http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml


regards

filiberto.aguirre Wed, 04/01/2009 - 09:41
User Badges:

Hi Jorge,


I really appreciate your help, you understood my issue very well.


The problem still remain even though I added the commands you recommend.


I show you the complete config so that you can verify if something is wrong or left.


Thanks again for your help


ASA# sh run

: Saved

:

ASA Version 8.0(3)

!

hostname ASA

enable password 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 201. X . X . X 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172 . X . X . X 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server x.x.x.x

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service V-Harvest tcp-udp

description Lector de Huellas

port-object eq 10001

access-list outside extended permit icmp any any

access-list outside extended permit tcp any host x.x.x.x eq www

access-list outside extended permit tcp any host x.x.x.x eq ftp

access-list outside extended permit tcp any any eq pop3

access-list outside extended permit tcp any any eq 135 inactive

access-list outside extended permit tcp any any eq 26

access-list outside extended permit tcp any any eq 25000

access-list outside remark Lector de Huellas

access-list outside extended permit tcp any any object-group V-Harvest

access-list outside extended permit tcp any any eq smtp

access-list vpn1 extended permit ip 172.16.0.0255.255.255.0 172.16.1.0 255.255.255.0

access-list NAT0 extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list NAT0 extended permit ip 172.16.0.0 255.255.255.0 192.168.100.0 255.255.255.0

ip local pool IPPOOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

global (outside) 1 interface

nat (inside) 0 access-list NAT0

nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) tcp x.x.x.x www x.x.x.x www netmask 255.255.255.255

access-group outside in interface outside


route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

dynamic-access-policy-record DfltAccessPolicy


snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MYSET esp-des esp-md5-hmac

crypto ipsec transform-set CLIENT esp-3des esp-md5-hmac

crypto dynamic-map DYNMAP 20 set transform-set MYSET CLIENT

crypto map MYMAP 10 match address vpn1

crypto map MYMAP 10 set peer x.x.x.x

crypto map MYMAP 10 set transform-set MYSET

crypto map MYMAP 20 ipsec-isakmp dynamic DYNMAP

crypto map MYMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

threat-detection basic-threat

threat-detection statistics

group-policy COMPANY internal

group-policy COMPANY attributes

split-tunnel-policy tunnelall

username cisco password Cisco encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *********

tunnel-group COMPANY type remote-access

tunnel-group COMPANY general-attributes

address-pool IPPOOL

default-group-policy COMPANY


tunnel-group COMPANY ipsec-attributes

pre-shared-key **********

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global


JORGE RODRIGUEZ Wed, 04/01/2009 - 13:02
User Badges:
  • Green, 3000 points or more

Hi Filberto, apologies for late reply.. did you add this statment bellow to your config.. seems you did not based on output of the config, could you ensure it is added.


nat (outside) 1 192.168.100.0 255.255.255.0



also in your tunnel group COMANY policy you may need to define DNS entries for your RA VPN network to quary dns, ensure tunnel policy is full tunnel


tunnel-group COMPANY general-attributes

dns-server value

split-tunnel-policy tunnelall


if still no joy load asdm real time log to see when RA vpn user tries accessing internet to see what is blocking it, post that log.



regards


Actions

This Discussion