We have an ASA 5550, ver. 8.0(5), and are using IPSEC clients to Remote Access into the Main Office. The Remote Access is working great with Split Tunnel. We can access network resources and get on the internet with Split Tunnel. However, we can only access the network resources, but have no internet access, with full tunnel. Do you have any suggestions?
Glad you made it work.
Just FYI. After you do any change on NAT commands, you'd better do a "clear xlate".
Diane, you don't have to remove the nat (inside) commands, and nat (outside) (vpn pool IP address) is required.
Try to ping your DNS server when connected, and if it pings, then try to browse Google by IP, like http://IP of google.com.
Try in command prompt: ipconfig/flushdns
Then try to browse/ping again.
I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?
1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the vpn client.
2. You do need a valid DNS server address.
3. You do need "same-security-traffic permit intra-interface"
4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"
By the way, when you ping www.google.com, is the IP resolved?
In your log, I did not see any client IP 192.168.10.x but 192.168.1.1.
You have this in your config:
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
This is causing all traffic from the vpnclients to be routed to the internal gateway (which will probably send it back to the ASA, but then you're going to have asymmetric traffic etc. so this is never going to work).
Do you really need this? If not: remove it, otherwise replace it with something like
route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled
OK, try adding the following (without removing DNS):
sysopt connection permit-vpn
nat (outside) 1 (vpn pool)
Then enable logging on the ASA, i.e. logging buffered debugging and logging enable.
Then reconnect the client and try to ping google.com or the Google IP, then tracert www.google.com, and paste the log output here.
By using show logging you should get any specific logs related to techsupport.
Can you please tell me why your techsupport group policy doesn't have DNS configured?
Since you are using full tunnel, you won't be able to access your home internet once connected, so you have to have DNS configured under the group policy to use the company internet.
You need to nat your RA VPN pool network using your global interface nat ID 1.
For full tunnel, add two more statements:
same-security-traffic permit intra-interface
nat (outside) 1
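The four points listed in the replies above (outside NAT for the VPN pool, a DNS server in the group policy, intra-interface traffic, and no tunneled default route) can be checked against a saved running-config. This is an added example, not code from any poster in the thread; the function name audit_full_tunnel, the pool name vpnpool and the sample config are constructed, and it assumes the pre-8.3 NAT syntax used in the thread.

```python
import re

# Constructed running-config fragment (ASA 8.0-style syntax), not taken from the thread.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
group-policy techsupport internal
group-policy techsupport attributes
 split-tunnel-policy tunnelall
"""

def audit_full_tunnel(config, pool_net, pool_mask,
                      outside="Outside", policy="techsupport"):
    """Return findings ("id: message") for a full-tunnel remote-access setup."""
    lines = [l.rstrip() for l in config.splitlines()]
    flat = [l.strip().lower() for l in lines]
    findings = []

    # 1. The VPN pool must be translated on the outside interface (hairpin NAT).
    nat_re = re.compile(r"nat \(%s\) \d+ %s %s" % (
        re.escape(outside.lower()), re.escape(pool_net), re.escape(pool_mask)))
    if not any(nat_re.match(l) for l in flat):
        findings.append("nat-outside: no nat (%s) entry for pool %s %s"
                        % (outside, pool_net, pool_mask))

    # 2. The group policy must hand the client a DNS server.
    in_policy = has_dns = False
    for raw in lines:
        if not raw.startswith(" "):  # top-level command: enter or leave the policy block
            in_policy = raw.lower() == "group-policy %s attributes" % policy.lower()
        elif in_policy and raw.strip().lower().startswith("dns-server value "):
            has_dns = True
    if not has_dns:
        findings.append("dns-server: group-policy %s has no dns-server value" % policy)

    # 3. Traffic must be allowed to enter and leave the same interface.
    if "same-security-traffic permit intra-interface" not in flat:
        findings.append("intra-interface: same-security-traffic permit intra-interface missing")

    # 4. A tunneled default route sends decrypted client traffic to the inside gateway.
    if any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+ tunneled$", l) for l in flat):
        findings.append("tunneled-default-route: default route marked tunneled")
    return findings

if __name__ == "__main__":
    for finding in audit_full_tunnel(SAMPLE_CONFIG, "192.168.10.0", "255.255.255.0"):
        print(finding)
```

An empty list means all four points from the thread are present; after changing NAT commands, "clear xlate" is still needed on the device itself.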