No Internet Access for Full Tunnel

Answered Question
Feb 24th, 2010

We have an ASA 5550, ver. 8.0(5), and are using IPSEC clients for Remote Access into the Main Office.  The Remote Access is working great with Split Tunnel.  We can access network resources and get on the internet with Split Tunnel.  However, with full tunnel we can only access the network resources, but have no internet access.  Do you have any suggestions?

Thanks.

Diane

Correct Answer by JORGE RODRIGUEZ about 6 years 9 months ago

Diane,

You need to NAT your RA VPN pool network using your global interface NAT ID 1.

For full tunnel, add two more statements:

same-security-traffic permit intra-interface

nat (outside) 1

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Regards

Lei Tian Wed, 02/24/2010 - 15:34

Hi Diane,

Is that EZVPN? If the source is a private IP, it will not access the internet. It has to be NATted somehow at the main office before getting onto the internet.

HTH,

Lei Tian

dianewalker Thu, 02/25/2010 - 20:45

Thanks for your prompt response, Lei.

It is not EZVPN.  I have NAT statements:

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound extended permit ip any 10.100.24.0 255.255.248.0

Do you see anything wrong with the nat statements?  I am missing something.

Thanks.

Diane

dianewalker Wed, 03/03/2010 - 11:10

Hi Jorge,

Thanks very much for the info.  I still cannot access the internet after adding those two statements.  Do you have any other suggestions?

Thanks.

Diane

dianewalker Thu, 03/04/2010 - 15:32

Thanks Jorge for your prompt response.  Attached is the config file.  The SWS and Marketing groups can access the internal resources and internet.  However, the Techsupport group can only access the internal resources and no internet access.  The Techsupport group is setup as full tunnel.

Please let me know if you have any questions or need additional information.

Thanks very much for taking time to help me out.

Diane

dianewalker Tue, 03/09/2010 - 08:32

Jorge,

Do you have any suggestions on how to debug why the full tunnel does not work?

Thanks.

Diane

Correct Answer
nomair_83 Tue, 03/09/2010 - 10:42

Hi,

Can you please tell me why your Techsupport group policy doesn't have DNS configured?

Since you are using full tunnel, you won't be able to access your home internet once connected, so you have to have DNS configured under the group policy to use the company internet.

HTH

dianewalker Tue, 03/09/2010 - 11:01

Thanks for taking time to respond.  I did not know that I need to put in the DNS for the group Techsupport.  Anyway, I put in the company DNS and still Techsupport cannot get to the internet.  Do you have any other suggestions?  Is there a way to debug why full tunnel can't get to the internet?

Thanks.

Diane

Correct Answer
nomair_83 Tue, 03/09/2010 - 11:24

OK, try adding the following (without removing DNS):

sysopt connection permit-vpn

nat(outside) 1 (vpn pool)

Then enable logging on the ASA, i.e. logging buffered debugging and logging enable.

Then reconnect the client and try to ping google.com or the Google IP, then tracert www.google.com, and paste the log output here.

By using show logging you should get any specific logs related to Techsupport.

nomair_83 Tue, 03/09/2010 - 11:26

Sorry, I forgot one more command to configure, which is sysopt connection permit-vpn.

dianewalker Tue, 03/09/2010 - 13:31

Thanks for your prompt response.  What is the statement "sysopt connection permit-vpn"?  Do I remove it when I finish debugging?

Can you nat inside and outside?  I kept the DNS and added the NAT statement per your recommendation.  So, I have

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

Let me know if these are NOT correct.

Info:

My computer IP address 10.10.10.227

VPN pool 192.168.10.0 255.255.255.0

Subnet from the Management computer 172.16.163.0

Google IP address 66.102.7.147

I was not able to ping www.google.com or tracert to www.google.com. So, I did a tracert to Google's IP address 66.102.7.147.   Attached is the log file.

Thanks.

Diane

Correct Answer
Herbert Baerten Tue, 03/09/2010 - 14:19

You have this in your config:

route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled

This is causing all traffic from the vpnclients to be routed to the internal gateway (which will probably send it back to the ASA, but then you're going to have asymmetric traffic etc. so this is never going to work).

Do you really need this? If not: remove it, otherwise replace it with something like

route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled

hth

Herbert

dianewalker Tue, 03/09/2010 - 14:43

Thanks for your response, Herbert.  Can you explain to me what asymmetrical traffic is?  I am not sure if I needed that route statement "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled".  Removing that route statement makes no difference.  I still could not get on the internet.  Do you have any other suggestions?

Thanks.

Diane

Correct Answer
Yudong Wu Tue, 03/09/2010 - 23:23

I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?

1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the VPN clients.

2. You do need a valid DNS server address.

3. You do need "same-security-traffic permit intra-interface"

4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

By the way, when you ping www.google.com, is IP resolved?

In your log, I did not see any client IP 192.168.10.x but 192.168.1.1.
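An added check for the four-item list above, written here as an example and not taken from the thread or from Cisco: a small Python audit over an ASA 8.0-style config text that flags a missing outside NAT for the pool (or one whose NAT id has no matching global), a missing dns-server in the group policy, a missing intra-interface permit, and a tunneled default route. The "before" sample is constructed from the statements Diane posted (the group-policy name Techsupport is from the thread; the DNS address 10.10.10.5 is made up).

```python
import re
# Constructed "before" state built from the statements Diane posted; the
# group-policy block is a placeholder shape, not her actual config.
BEFORE = """\
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
group-policy Techsupport attributes
 vpn-tunnel-protocol IPSec
"""
# Constructed "after" state with the thread's checklist applied (DNS IP is made up).
AFTER = BEFORE.replace(
    "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled\n",
    "nat (Outside) 1 192.168.10.0 255.255.255.0\n",
).replace("attributes\n", "attributes\n dns-server value 10.10.10.5\n")

def audit_full_tunnel(config, pool, mask, policy):
    """Return findings against the four checklist items; an empty list means all pass."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # 1. pool must be NATed on the outside interface under a NAT id with a matching global
    nat_ids = {m.group(1) for l in lines
               if (m := re.match(r"global \(\w+\) (\d+) interface", l, re.I))}
    pool_re = rf"nat \(outside\) (\d+) {re.escape(pool)} {re.escape(mask)}$"
    pool_nat = [m.group(1) for l in lines if (m := re.match(pool_re, l, re.I))]
    if not pool_nat:
        findings.append(f"missing: nat (Outside) <id> {pool} {mask}")
    elif not set(pool_nat) & nat_ids:
        findings.append("pool NAT id has no matching 'global (Outside) <id> interface'")
    # 2. full-tunnel clients lose their home resolver, so the policy needs a dns-server
    in_policy = has_dns = False
    for l in lines:
        if re.match(rf"group-policy {re.escape(policy)} attributes$", l, re.I):
            in_policy = True
        elif in_policy and not l.startswith(" "):
            in_policy = False
        elif in_policy and l.strip().startswith("dns-server value"):
            has_dns = True
    if not has_dns:
        findings.append(f"missing: dns-server value under group-policy {policy}")
    # 3. client traffic re-enters and leaves the same interface (hairpin)
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    # 4. a tunneled default route sends all client traffic to an inside gateway
    if any(re.match(r"route \w+ 0\.0\.0\.0 0\.0\.0\.0 \S+ tunneled", l, re.I) for l in lines):
        findings.append("remove: tunneled default route pointing at an inside gateway")
    return findings
```

Run it on the output of show running-config (pasted into a file) after any NAT change; remember, as noted later in the thread, that the ASA still needs a clear xlate for new NAT statements to take effect on existing translations.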

dianewalker Wed, 03/10/2010 - 09:20

Thanks for your response, Kevin.  I have tried those suggestions all together.

1.  I added the NAT (Outside) 1 192.168.10.0 and still could not get on the internet.   I removed the NAT (Inside) statements and added the Nat (Outside) 1 192.168.10.0.  I could not get to the internal resources and internet.

2.  I have a valid DNS server address

3.  I have "same-security-traffic permit intra-interface" statement

4.  Remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

When I ping www.google.com, the IP address is not resolved.  So, I had to ping Google's IP address instead.

It was my error, the IP address should be 192.168.10.0, not 192.168.1.0

Can you think of anything else?  Thanks.

Diane

Yudong Wu Wed, 03/10/2010 - 09:55

Can you ping IP address of www.google.com successfully?

If yes, your connectivity is good. It might be just a DNS issue. When the client is connected, use "nslookup" on the client PC to see if it uses the correct DNS server and if the DNS server can resolve the name to an IP correctly.

Correct Answer
nomair_83 Wed, 03/10/2010 - 11:07

Diane, you don't have to remove the nat (inside) commands, and nat (outside) (vpn pool IP address) is required.

Try to ping your DNS server when connected, and if it pings then try to browse Google by IP, like http://IP of google.com.

Try in the command prompt: ipconfig /flushdns

Then try to browse/ping again.

dianewalker Wed, 03/10/2010 - 11:49

Nomair_83

I can now get on the internet.  I re-added the Nat (Outside) statement per your recommendation.  I don't know why these NAT statements did not work in the previous posts:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I want to thank you and everyone for taking time to help me out.  Your input has been very valuable.  Each of your responses has contributed to providing me with a solution.  I will go back and rate each post.

Thanks.

Diane

dianewalker Wed, 03/10/2010 - 11:06

Kevin,

I can now get on the internet.  I put in both NAT statements as recommended again by Nomair_83:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I don't know why these NAT statements did not work in the previous posts.

I would like to thank you and everyone for taking time to help me out.  You took time to read the posts and summarized what I should have in my config.  You guys are truly amazing. I will go back and rate each post.

Thanks.

Diane

Correct Answer
Yudong Wu Wed, 03/10/2010 - 12:09

Diane,

Glad you made it work.

Just FYI. After you do any change on NAT commands, you'd better do a "clear xlate".
