HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

CSCO10685980
Level 1

I have a LAN-to-LAN VPN and the VPNs are working correctly. I have access from LAN to LAN, but I can't access the Internet from the VPN peers.

I added

nat (outside) 1 access-list VPN-NAT

access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 any

and I can go to the internet - OK

but after that I don't have access between LAN-LAN, because I NAT all traffic.

I can't add:

access-list VPN-NAT extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

Because DENY is not permitted in NAT

Anyone know how to solve this tricky problem?

THX

Laptom

7 Replies

sachinraja
Level 9

Hello,

You need to do the following:

1) Restrict the VPN-NAT ACL (for IPSEC) to particular source and destination subnets. Do not use any here, e.g.

access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

where 172.16.0.0 is the destination subnet on IPSEC.

Do a nonat for this:

nat (outside) 0 access-list VPN-NAT

2) Apply all other traffic to the internet:

access-list INT extended permit ip 10.0.0.0 255.0.0.0 any

nat (outside) 1 access-list INT

By doing this, any traffic for 172.16.x.x will go through IPSEC and any other traffic to the internet will be NATed and passed to the internet cloud.

Hope this helps. Rate replies if found useful.

Raj
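As an added illustration (not from the thread or from Cisco), a small Python model of the NAT policy evaluation Raj describes: the nat 0 exemption ACL is consulted before the numbered PAT rule, so VPN-bound flows stay untranslated while everything else is PATed, whereas the original single catch-all rule translated both. The parser handles only the ip / any / netmask ACE forms used in the thread; the 10.1.1.5 and 172.16.2.9 addresses are constructed.

```python
import ipaddress

# Constructed ASA-style snippets (not the thread's verbatim output): BROKEN is the
# original poster's catch-all rule, FIXED is Raj's nat 0 exemption + nat 1 PAT pair.
BROKEN_CONFIG = """
access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 any
nat (outside) 1 access-list VPN-NAT
"""
FIXED_CONFIG = """
access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list INT extended permit ip 10.0.0.0 255.0.0.0 any
nat (outside) 0 access-list VPN-NAT
nat (outside) 1 access-list INT
"""

def _operand(tokens):
    """Consume one ACL address operand: 'any' or '<addr> <netmask>'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """acls: name -> [(action, src_net, dst_net)]; nat_rules: [(nat_id, acl_name)]. 'ip' ACEs only."""
    acls, nat_rules = {}, []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[3] in ("permit", "deny"):
            src, rest = _operand(f[5:])
            dst, _ = _operand(rest)
            acls.setdefault(f[1], []).append((f[3], src, dst))
        elif f[0] == "nat" and f[3] == "access-list":
            nat_rules.append((int(f[2]), f[4]))
    return acls, nat_rules

def nat_decision(acls, nat_rules, src_ip, dst_ip):
    """nat 0 (exemption) is consulted before numbered NAT IDs; the first matching ACE decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, name in sorted(nat_rules):
        for action, snet, dnet in acls.get(name, []):
            if src in snet and dst in dnet:
                if action == "permit":
                    return "exempt" if nat_id == 0 else f"nat {nat_id}"
                break  # matched a deny: this ACL does not apply, try the next NAT rule
    return "no-nat-rule"

def classify(config_text, flows):
    """{'src->dst': decision} for each (src, dst) flow under the given config text."""
    acls, rules = parse_config(config_text)
    return {f"{s}->{d}": nat_decision(acls, rules, s, d) for s, d in flows}

# Constructed flows: one to the remote VPN LAN, one to the internet (66.249.85.104 is the IP pinged in the thread).
FLOWS = [("10.1.1.5", "172.16.2.9"), ("10.1.1.5", "66.249.85.104")]
```

Running classify on both configs shows the VPN flow going from "nat 1" to "exempt" while the internet flow stays PATed.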

THX a lot, your solution was OK.

Laptom

I have one problem. I have access from the VPN to the internet; everything is OK except:

I still can't ping from the VPNs to the internet.

Laptom

Laptom,

Are you blocking ICMP by any chance? You need to give access on the firewall for echo & echo reply on the outside interface.

What are you trying to ping on the internet? The router or some other component? Rate replies if found useful.

Raj

I have:

access-list FROM-OUT extended permit icmp any any

access-group FROM-OUT in interface outside

So there is no option to block ICMP.

I can ping the internet from inside.

I ping, for example: ping 66.249.85.104 (www.google.com), and from the VPN there is no answer. All traffic from the VPN is OK.

THX

Laptom

Sorry, I also can't ping the internet from inside.

Laptom

CSCO10685980
Level 1

I added inspect icmp and ping is working correctly; it treats ICMP connections as stateful connections.

policy-map global_policy

class inspection_default

inspect icmp
