03-28-2008 03:25 PM - edited 02-21-2020 03:38 PM
I'm in the process of migrating our Concentrator to our new ASA 5520s. The Concentrator was used purely for VPN Client connections and I've got the easy ones out of the way. However, I cannot, for whatever reason, get internet access through our corporate network when I have profiles with full tunneling.
I've included the config file, with lots of public IP information and site to site tunnels omitted. I've left all the pertinent stuff about the group-policies and tunnel-groups that concern VPN client connectivity. The address range I'm using for the VPN clients is 172.16.254.0/24. The group I'm trying to get internet access working with is "adsmgt" and the full tunnel part to our entire network is fine.
As always, any help is appreciated. Thank you!
03-28-2008 04:26 PM
Jim,
For your Cisco RA clients you need to NAT the VPN pool network for outbound internet (vpntestpool)
i.e.
nat (outside) 1 172.16.254.0
Same principle for the 192.168.255.100.0 network IF this net is also an RA-allocated IP pool (ippool).
nat (outside)1 192.168.255.100.0
Try that and let us know ..
HTH
Rgds
Jorge
03-29-2008 08:40 AM
I thought I had tried that earlier but tried it just now without any luck, here is the exact statement I used:
nat (outside) 1 172.16.254.0 255.255.255.0
Still can't access any public web sites.
03-29-2008 09:07 AM
Hi Jim
Can you please post the latest config after Jorge's modifications?
Also please verify the following
*In VPN client, right-click VPN lock symbol at right-bottom>Click statistics
*Click Router Details tab. Make sure "0.0.0.0" is listed in right-pane.
Also try adding a "tunneled" word at the end of your default static route in ASA.
Don't forget to issue "clear xlate" after amending NAT statements.
Regards
03-29-2008 10:53 AM
Huseyin, good to see you back bud. Yes, try those suggestions from Huseyin; if they check out OK we'll try a different approach.
I'm thinking too that, because it is a full tunnel (no split), Jim's ASA may need a U-turn for that internet outbound traffic; a same-security-traffic permit intra-interface statement should be able to do it. But Jim, first try Huseyin's suggestions.
Rgds
Jorge
03-29-2008 12:34 PM
"Huseyin..good to see you back bud"
Thanks m8, good to see you too. Nice badge btw :). Having some trouble with AAA and CSACS, opened some questions but none has a response.
Any comments appreciated m8.
"may need U-turn for that internet outbound traffic,a same-security-traffic permit intra-interface statement should be able to do it"
Well, this is right on the spot! I totally missed it. I assume you won't need the "tunneled" option.
03-29-2008 01:21 PM
Success!
same-security-traffic permit intra-interface
This is what did the trick.
Thank you two very much, these forums are great!
03-29-2008 02:18 PM
Jim, glad all is good, and thank you for rating both.
Huseyin, once I get back tonight I'll jump into that thread of yours and see if I can think of anything..
Rgds
Jorge
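The fix reported in this thread combines an outside NAT rule for the 172.16.254.0/24 client pool with same-security-traffic permit intra-interface. The following Python check is an added example, not code from any poster: it scans a pre-8.3-style ASA config for those prerequisites. The sample configs are constructed, and the `global (outside) 1 interface` line and the pool range are assumptions, since the posted config is not on the page.

```python
import ipaddress
import re

def hairpin_gaps(config, pool_cidr, iface="outside"):
    """List what a pre-8.3 ASA config lacks for VPN-client internet U-turn."""
    pool = ipaddress.ip_network(pool_cidr)
    lines = [ln.strip() for ln in config.splitlines()]
    gaps = []
    # Client traffic enters and leaves the same interface; the ASA drops that by default.
    if "same-security-traffic permit intra-interface" not in lines:
        gaps.append("same-security-traffic permit intra-interface")
    # Collect NAT ids on iface whose network/mask covers the client pool.
    # Only the "nat (if) <id> <network> <mask>" form is parsed here.
    nat_re = re.compile(r"nat \(%s\) (\d+) (\S+) (\S+)" % re.escape(iface))
    nat_ids = set()
    for ln in lines:
        m = nat_re.match(ln)
        if not m or m.group(1) == "0":   # id 0 is NAT exemption, not translation
            continue
        try:
            net = ipaddress.ip_network(m.group(2) + "/" + m.group(3), strict=False)
        except ValueError:               # malformed address/mask or access-list form
            continue
        if pool.subnet_of(net):
            nat_ids.add(m.group(1))
    # Each NAT id needs a global statement with the same id on the egress interface.
    glob_re = re.compile(r"global \(%s\) (\d+) " % re.escape(iface))
    global_ids = {m.group(1) for m in map(glob_re.match, lines) if m}
    if not nat_ids:
        gaps.append("nat (%s) <id> %s %s" % (iface, pool.network_address, pool.netmask))
    elif not nat_ids & global_ids:
        gaps.append("global (%s) <id> matching nat id %s" % (iface, sorted(nat_ids)[0]))
    return gaps

# Constructed sample configs (not the poster's real config).
BEFORE = """\
ip local pool vpntestpool 172.16.254.1-172.16.254.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
AFTER = BEFORE + ("nat (outside) 1 172.16.254.0 255.255.255.0\n"
                  "same-security-traffic permit intra-interface\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, hairpin_gaps(cfg, "172.16.254.0/24") or "ok")
```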