Cisco Support Community

Internal network and Internet access problem when VPN. Please assist. Tx

We are having a problem accessing servers/machines, i.e. mapping and accessing files on the inside network, when connected via VPN. The other problem is with access to the Internet through the VPN tunnel. I know it has something to do with split tunneling but I cannot figure out the problem. When I connect via SSL VPN I can share files on the DMZ and inside with no problem at all. Please assist. It is greatly appreciated.

Accepted Solution

Re: Internal network and Internet access problem when VPN. Pleas

Are you trying to get to the inside or the dmz or both?

Right now you are not doing any kind of split tunneling. You are tunneling everything, per this acl.

"access-list testvpn_splitTunnelAcl extended permit ip any any"

If you only wanted to tunnel to the inside 192.168.0.0/16 and the 10.0.0.0/8, remove that ACL and enter these 2 lines.

access-list testvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list testvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

Then you also need a nat 0:

access-list Nat0 extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list Nat0 extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

nat (Inside) 0 access-list Nat0

If you are trying to tunnel internet traffic through the vpn then read this link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
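
An added example, not part of any post in this thread and not Cisco code: a small Python audit that flags a split-tunnel ACL that permits `any` (everything is tunneled) and any tunneled network that lacks a `nat 0` exemption toward the VPN clients. It assumes 172.16.100.0/24 is the VPN client pool, as the nat 0 ACLs above imply, and handles only the pre-8.3 `any` / `address mask` forms quoted here; the function names and sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config, built from the ACL names and networks quoted in this thread.
SAMPLE = """\
access-list testvpn_splitTunnelAcl extended permit ip any any
access-list Nat0 extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0
access-list Nat0 extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0
nat (Inside) 0 access-list Nat0
"""

def _net(tokens):
    """Consume 'any' or 'address mask' from the token list; return an IPv4 network."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acls(config):
    """Return {acl_name: [(source, destination_or_None), ...]} for permit entries."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "permit":
            continue
        name, kind, rest = t[1], t[2], t[4:]
        if kind == "extended":
            rest = rest[1:]  # drop the protocol keyword ("ip")
            src, dst = _net(rest), _net(rest)
        else:  # standard ACL: a single network, no destination
            src, dst = _net(rest), None
        acls.setdefault(name, []).append((src, dst))
    return acls

def audit(config, split_acl, pool):
    """List findings for the split-tunnel ACL and its nat 0 coverage."""
    pool = ipaddress.ip_network(pool)
    acls, findings = parse_acls(config), []
    tunneled = [src for src, _ in acls.get(split_acl, [])]
    if any(n.prefixlen == 0 for n in tunneled):
        findings.append(f"{split_acl}: permits any, so all client traffic is tunneled")
    # ACLs referenced by "nat (<interface>) 0 access-list <name>" are NAT exemptions.
    exempt_names = re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    exempt = [src for n in exempt_names for src, dst in acls.get(n, [])
              if dst is not None and pool.subnet_of(dst)]
    for net in tunneled:
        if net.prefixlen and not any(net.subnet_of(e) for e in exempt):
            findings.append(f"{net}: tunneled but no nat 0 exemption toward {pool}")
    return findings
```

Calling `audit(SAMPLE, "testvpn_splitTunnelAcl", "172.16.100.0/24")` reports the `permit ip any any` entry the accepted answer points at.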

8 REPLIES

Re: Internal network and Internet access problem when VPN. Pleas

You need to make sure you are tunneling the networks that you need access to and that you have nonat set up for those as well.

Can you ping them? The config off the device would help to see how things are set up.

NoNat http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

Re: Internal network and Internet access problem when VPN. Pleas

Attached is the config with the public IP omitted. Please let me know if you need anything else. Thanks. Your help is greatly appreciated.

Re: Internal network and Internet access problem when VPN. Pleas

I cannot ping server on the DMZ or machines on the inside. The only thing I can ping is my interfaces on the ASA.


Re: Internal network and Internet access problem when VPN. Pleas

To get access to inside from vpn.

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0

To get access to dmz from vpn.

nat (DMZ1) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0


Re: Internal network and Internet access problem when VPN. Pleas

For split tunneling...

change...

access-list testvpn_splitTunnelAcl extended permit ip any any

to...

access-list testvpn_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0

Re: Internal network and Internet access problem when VPN. Pleas

It works. Thank you very much. I greatly appreciate your assistance.


Re: Internal network and Internet access problem when VPN. Pleas

Tunneling internet traffic is working along with inside and dmz access. Thank you very much. I greatly appreciate your assistance.
