06-23-2010 12:17 AM
I've configured a few of these in my time, but I'm puzzled with this one. I can establish a connection via the VPN tunnel; however, I can't seem to ping or get out to the internet. I've searched the forum for similar issues and found a few, but none of the fixes seem to fit. One weird thing I noticed is that when I run ipconfig /all from the VPN client, the IP address that was leased from the VPN pool is also the default gateway!?
I've attached the config. Please help.
Thanks!
06-23-2010 12:23 AM
NAT exemption ACL has not been applied yet.
nat (Inside) 0 access-list Inside_nat0_outbound
Also, you don't have split tunnel configured; not sure whether you are using the ASA's internet connection for internet browsing from the VPN client.
You might also want to enable ICMP inspection if you test by pinging:
policy-map global_policy
class inspection_default
inspect icmp
Hope that helps.
06-23-2010 12:31 AM
Thanks for your reply, halijenn. Is configuring split tunnel totally necessary for this to work? If so, what would be the recommended config changes?
I will make the suggested changes regarding NAT Exemption and ICMP.
Thanks so much for your help!!!
06-23-2010 12:44 AM
Split tunnel depends on your company security policy: whether to allow VPN users to browse the internet directly from their own internet connection, or whether you need all traffic to be tunneled back to your ASA and the internet traffic for the VPN user routed through your company internet connection.
If you are happy with a direct internet connection for internet browsing for VPN users, then you can configure split tunnelling. If you need to route everything back towards the ASA, then you would need to configure NATing for the IP pool for internet traffic.
06-23-2010 01:10 AM
So if I choose split tunneling, would my config changes look like this?
access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0 (or would this be 192.168.200.0 which is the VPN IP Pool?)
group-policy acme attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acme_splitTunnelAcl
default-domain value mydomain.com
By the way, I'm now able to get to all devices on my LAN, so your suggestions worked great. I'm still unable to get out to the internet, but I take it our discussion on split tunneling and the final correct config changes will fix that. Right?
Thanks!!!
06-23-2010 01:13 AM
Perfect, good to hear.
The split tunnel ACL would be your internal network subnet, not the ip pool subnet. And the split tunnel policy is correct, and the split tunnel ACL has been correctly defined.
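Putting the replies in this thread together, here is the complete set of changes for both directions discussed (the NAT exemption and ICMP inspection from the first reply, plus split tunnel versus full tunnel with hairpin NAT from the later ones). This is an added example, not the configuration posted in the thread. It assumes the subnets the asker mentioned (LAN 192.168.0.0/16, VPN pool 192.168.200.0/24), the interface names Inside and outside, the group-policy name acme, and the pre-8.3 ASA syntax that matches the `nat (Inside) 0 access-list` form used in the replies. Apply either Option A or Option B, not both.

```cisco
! --- Common to both options (pre-8.3 ASA syntax, as used in the replies above) ---
! NAT exemption: LAN <-> VPN-pool traffic must bypass NAT so it is routed into the tunnel.
! Subnets are assumed from the thread: LAN 192.168.0.0/16, VPN pool 192.168.200.0/24.
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
!
! ICMP inspection so echo replies are allowed back through when testing with ping.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Option A: split tunnel. Only the LAN is sent through the tunnel; the client's
! --- own internet connection carries everything else. The ACL lists the internal
! --- network(s), not the VPN pool.
access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl
 default-domain value mydomain.com
!
! --- Option B: full tunnel. All client traffic comes to the ASA; internet traffic is
! --- PATed to the outside interface address and sent back out the same interface
! --- (hairpin), which requires intra-interface traffic to be permitted.
same-security-traffic permit intra-interface
group-policy acme attributes
 split-tunnel-policy tunnelall
nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
```

Two checks worth doing before committing to Option A: the 192.168.0.0/16 entry covers the VPN pool itself and also a large share of home-router subnets, so if the real LAN is narrower, list only the actual internal subnets; otherwise a client whose home network is, for example, 192.168.1.0/24 will have its local gateway pulled into the tunnel and lose local connectivity. For Option B, remember that the client's internet traffic now exits through the ASA's outside interface, so the outbound policy applied to that interface applies to VPN users as well.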
06-23-2010 01:18 AM
Got it. Thanks. I'll think about which direction I want to go and configure accordingly.
You helped me A LOT!!!!!!!!!
06-23-2010 01:22 AM
Cheers..