ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Answered Question
Jun 23rd, 2010

I've configured a few of these in my time but I'm puzzled by this one. I can establish a connection via the VPN tunnel, however I can't seem to ping or get out on the internet. I've searched the forum for similar issues and found a few, but none of the fixes seem to fit. One weird thing I noticed is that when I run ipconfig /all from the VPN client, the IP address that was leased from the VPN pool is also the default gateway!?!?!?!

I've attached the config.  Please help.

Thanks!

Correct Answer
Jennifer Halim Wed, 06/23/2010 - 00:23

NAT exemption ACL has not been applied yet.

nat (Inside) 0 access-list Inside_nat0_outbound

Also, you don't have split tunnel, not sure whether you are using the ASA internet for internet browsing from the vpn client.

You might also want to enable icmp inspection if you test by pinging:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope that helps.

deezturner1 Wed, 06/23/2010 - 00:31

Thanks for your reply, halijenn. Is configuring split tunnel totally necessary for this to work? If so, what would be the recommended config changes?

I will make the suggested changes regarding NAT Exemption and ICMP.

Thanks so much for your help!!!

Jennifer Halim Wed, 06/23/2010 - 00:44

Split tunnel depends on your company security policy: whether to allow VPN users to browse the internet directly from their own internet connection, or whether you need all traffic to be tunneled back to your ASA and route the internet traffic for the VPN user through your company internet connection.

If you are happy with a direct internet connection for internet browsing for VPN users, then you can configure split tunnelling. If you need to route everything back towards the ASA, then you would need to configure the NATing for the IP pool for internet traffic.

deezturner1 Wed, 06/23/2010 - 01:10

So if I choose split tunneling, would my config changes look like this?

access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0 (or would this be 192.168.200.0, which is the VPN IP pool?)

group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl
 default-domain value mydomain.com

By the way, I'm now able to get to all devices on my LAN so your suggestions worked great.  I'm still unable to get out to the internet but I take it our discussion on Split Tunneling and the final correct config changes will fix that.  Right?

Thanks!!!

Jennifer Halim Wed, 06/23/2010 - 01:13

Perfect, good to hear.

The split tunnel ACL would be your internal network subnet, not the IP pool subnet. The split tunnel policy is correct, and the split tunnel ACL has been correctly defined.
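As an added illustration (not from the thread or from Cisco), a small Python linter that checks a saved ASA config for the three points raised above: a NAT-exemption ACL defined but never applied with `nat (ifname) 0 access-list`, `inspect icmp` missing from `policy-map global_policy`, and a split-tunnel ACL that names the VPN pool rather than the internal LAN. The config it reads is constructed; the pool, ACL and interface names mirror the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample ASA config (not the poster's attachment); it deliberately shows all three issues.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.200.1-192.168.200.50 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list acme_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl
policy-map global_policy
 class inspection_default
  inspect dns
"""

def vpn_pools(cfg):
    """Networks covered by 'ip local pool NAME first-last mask M' lines."""
    pools = re.findall(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    return [ipaddress.ip_network(f"{first}/{mask}", strict=False) for first, mask in pools]

def unapplied_nat0_acls(cfg):
    """NAT-exemption ACLs that exist but are never bound with 'nat (ifname) 0 access-list NAME'."""
    defined = set(re.findall(r"^access-list (\S*nat0\S*) extended permit", cfg, re.M))
    applied = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    return sorted(defined - applied)

def icmp_inspected(cfg):
    """True if an indented 'inspect icmp' line sits inside the policy-map global_policy block."""
    block = re.search(r"^policy-map global_policy\n((?: .*\n)*)", cfg, re.M)
    return bool(block and re.search(r"^ +inspect icmp$", block.group(1), re.M))

def split_acls_naming_pool(cfg):
    """Split-tunnel ACL entries that fall inside a VPN pool instead of describing the LAN."""
    pools, bad = vpn_pools(cfg), []
    for acl in sorted(set(re.findall(r"^ *split-tunnel-network-list value (\S+)", cfg, re.M))):
        pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
        for net, mask in re.findall(pat, cfg, re.M):
            entry = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if any(entry.subnet_of(pool) for pool in pools):
                bad.append((acl, str(entry)))
    return bad

def lint(cfg):
    """Human-readable findings; an empty list means all three checks pass."""
    findings = [f"NAT-exemption ACL {a} is defined but not applied" for a in unapplied_nat0_acls(cfg)]
    if not icmp_inspected(cfg):
        findings.append("inspect icmp is missing from policy-map global_policy")
    return findings + [f"split-tunnel ACL {a} covers VPN pool {n}, not the LAN" for a, n in split_acls_naming_pool(cfg)]
```

Run `lint()` over the output of `show running-config`; the sample yields three findings, and applying the three fixes from the thread clears them.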

deezturner1 Wed, 06/23/2010 - 01:18

Got it.  Thanks.  I'll think about which direction I want to go and configure accordingly.

You helped me A LOT!!!!!!!!!
