ASA 5520: Remote VPN Clients can't ping LAN, no Internet

deezturner1
Level 1

I've configured a few of these in my time, but I'm puzzled with this one. I can establish a connection via the VPN tunnel; however, I can't seem to ping or get out to the internet. I've searched the forum for similar issues and found a few, but none of the fixes seem to fit. One weird thing I noticed is that when I run ipconfig /all from the VPN client, the IP address that was leased from the VPN pool is also the default gateway?!

I've attached the config.  Please help.

Thanks!

Accepted Solution

Jennifer Halim
Cisco Employee

The NAT exemption ACL has not been applied yet:

nat (Inside) 0 access-list Inside_nat0_outbound

Also, you don't have split tunneling configured; I'm not sure whether you are using the ASA's internet connection for internet browsing from the VPN client.

You might also want to enable icmp inspection if you test by pinging:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope that helps.


7 Replies


Thanks for your reply, halijenn. Is configuring split tunneling totally necessary for this to work? If so, what would be the recommended config changes?

I will make the suggested changes regarding NAT Exemption and ICMP.

Thanks so much for your help!!!

Whether to use split tunneling depends on your company security policy: whether to allow VPN users to browse the internet directly from their own internet connection, or whether you need all traffic to be tunneled back to your ASA and the internet traffic for the VPN user routed through your company internet connection.

If you are happy with a direct internet connection for internet browsing by VPN users, then you can configure split tunnelling. If you need to route everything back to the ASA, then you would need to configure NAT for the IP pool for internet traffic.

So if I choose split tunneling, would my config changes look like this?

access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0 (or would this be 192.168.200.0, which is the VPN IP pool?)

group-policy acme attributes

  split-tunnel-policy tunnelspecified

  split-tunnel-network-list value acme_splitTunnelAcl

  default-domain value mydomain.com

By the way, I'm now able to get to all devices on my LAN, so your suggestions worked great. I'm still unable to get out to the internet, but I take it our discussion on split tunneling and the final correct config changes will fix that. Right?

Thanks!!!

Perfect, good to hear.

The split tunnel ACL would be your internal network subnet, not the IP pool subnet. The split tunnel policy is correct, and the split tunnel ACL has been correctly defined.

Got it.  Thanks.  I'll think about which direction I want to go and configure accordingly.

You helped me A LOT!!!!!!!!!

Cheers..
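As an added illustration (not from the thread's attached config, which is not reproduced on this page), here is the complete set of changes that the accepted answer (NAT exemption, ICMP inspection) and the later split-tunnel discussion describe, written in the pre-8.3 ASA syntax the thread uses. The ACL names and the group-policy name acme come from the poster's own proposed lines; the 192.168.0.0/16 LAN and 192.168.200.0/24 pool are assumptions taken from the poster's question, and the hairpin/PAT configuration in option 3b is my expansion of the answer's "configure the NATing for the ip pool", not something the thread spells out.

```cisco
! Assumed addressing (the thread's attached config is not on the page):
!   LAN behind "Inside" : 192.168.0.0/16   (the subnet the poster proposed for the split-tunnel ACL)
!   Remote-access pool  : 192.168.200.0/24 (the subnet the poster identified as the VPN pool)
!   Group policy name   : acme

! 1. NAT exemption: LAN <-> VPN-pool traffic must not be translated. Without this the
!    replies from the LAN are NATed on the way back out and the client never sees them.
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound

! 2. ICMP inspection, so echo replies are matched to the client's echo requests instead
!    of being dropped at the outside interface while you test with ping.
policy-map global_policy
 class inspection_default
  inspect icmp

! 3a. Option A: split tunneling. Only traffic to the internal subnet enters the tunnel;
!     everything else leaves via the client's own internet connection. The ACL lists
!     the internal subnet, not the pool subnet.
access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl

! 3b. Option B: full tunnel. The client's internet traffic arrives on the outside
!     interface and must leave through the same interface ("hairpin"), which the ASA
!     refuses unless intra-interface traffic is permitted; the pool must also be PATed
!     to the outside address because 192.168.200.0/24 is not routable on the internet.
same-security-traffic permit intra-interface
nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
group-policy acme attributes
 split-tunnel-policy tunnelall
```

Apply either 3a or 3b, not both. As the thread notes, the choice is a policy decision: with 3a the client is simultaneously on its untrusted local network and on the corporate LAN, so the ASA never sees or filters its internet traffic; with 3b all traffic is inspected centrally at the cost of the extra hairpin load and configuration on the ASA.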
