
VPN works, no internet

mswyldcat
Level 1

My total configuration works on everything right now. BUT through VPN I can't get internet access. I read one user who only had to put his vpn on a different subnet mask. I tried that, and I lost access to the network drives I connect to. I have got to be able to connect to a network machine & internet simultaneously for 2 programs. Please help - I know nothing about networking - I have to figure things out for myself. If you can give me advice, please keep a little on the simple side. When I do "add" things to see if they work, I'm not sure that I do it right, so please advise.

Thanks,

Jana

Accepted Solutions

add to your config

access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list NO-NAT

access-list Split-VPN standard permit 192.168.0.0 255.255.0.0

group-policy templevpn attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split-VPN


francisco_1
Level 7

you have to enable split-tunneling on the ASA to allow internet traffic through the ASA

see this for more info and instructions

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

you apply the split-tunneling on your vpn group.

mswyldcat
Level 1

Tried this in every way, shape & fashion I know - looks easy, but didn't fix anything. Yes, everything works the way the article says it should, but I cannot ping or see the router or anything else on my network then. I do get a split tunnel, but can't connect to anything.

ok.

for a start, your vpn pool Tbc_Pool is on the same subnet as the ASA inside interface. firstly i suggest you use something not in use on your inside network for the pool.

whatever you use, you will have to route it back to the ASA for you to access internet resources.

what is the ASA inside interface connected to? is it a switch?

Inside interface is connected to a switch - it's a dell, gig managed switch. I CANNOT figure out how to get the subnet to talk on any other subnet. I can connect, but not see my network drives, ping anything, including my dns server.

is the dell switch a routing switch? can you add a static route for example?

start by changing the pool subnet to something else. it is not recommended to have the vpn pool on the same subnet as the inside interface.

once you change it, then we can try to route it and get the vpn connection to access internal resources.

ok i noticed something else. your pool mask is 255.255.255.255. try changing it to 255.255.255.0 and give it a go.

it is a routing switch, but let's pretend it's not. it's not "turned on" and if we try to access that it's going to get bad quick. there are many switches in our building & they all just act as switches, no management whatsoever.

I changed the pool mask & the split tunnel mask to both be 255.255.255.0. I can still connect, but no internet, no network connections.

a.alekseev
Level 7

add this line to your config

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

added it. still no communication. i connect to the vpn still, but no network.

show the output when vpn client is connected.

sh crypto ipsec sa

Sorry - here's part of my lack of formal training.

"show the output when vpn client is connected."

You mean the log from the client? or something from the ASA?

sh crypto ipsec sa

- is this for the ASA or for the output?

yes, this command for ASA...

This is the client connection if that's what you wanted.

add also

isakmp nat-traversal 20

and show the output from ASA when vpn client is connected

"sh crypto ipsec sa"

so over my head. i don't know WHERE to input that to get an output. if i'm supposed to do it from a command prompt, please advise on how to get to the asa? sorry - gotta get for tonight. be back around 6a central.
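Added example, not part of the thread or anyone's posted config: a small Python check for the three problems raised above (VPN pool on the inside subnet, a 255.255.255.255 pool mask, and a pool that the NAT-exemption ACL does not match), plus whether the split-tunnel list covers the inside network. The interface name Vlan1, the inside address and the pool range are assumed values; Tbc_Pool, Split-VPN and NO-NAT are the names used in the thread.

```python
import ipaddress
import re

# Constructed ASA-style sample; interface, inside address and pool range are assumptions.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
ip local pool Tbc_Pool 192.168.0.200-192.168.0.220 mask 255.255.255.255
access-list Split-VPN standard permit 192.168.0.0 255.255.0.0
access-list NO-NAT permit ip any 192.168.1.0 255.255.255.0
"""

def net(addr, mask):
    # Accepts a host address plus dotted mask and returns the containing network.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check(config):
    """Return findings about the pool / inside / split-tunnel / NAT-exempt layout."""
    findings = []
    # Inside interface: skip any sub-commands between nameif and ip address.
    m = re.search(r"nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)", config)
    inside = net(*m.groups())
    m = re.search(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", config)
    name, first, last, mask = m.groups()
    pool = [ipaddress.ip_address(first), ipaddress.ip_address(last)]
    if mask == "255.255.255.255":
        findings.append(f"{name}: pool mask is 255.255.255.255")
    if any(a in inside for a in pool):
        findings.append(f"{name}: pool overlaps inside subnet {inside}")
    # Standard ACL entries are the networks the client sends through the tunnel.
    split = [net(a, k) for a, k in
             re.findall(r"access-list \S+ standard permit (\S+) (\S+)", config)]
    if not any(inside.subnet_of(s) for s in split):
        findings.append(f"split-tunnel list does not cover {inside}")
    # NAT exemption must match traffic destined to the pool addresses.
    exempt = [net(a, k) for a, k in re.findall(
        r"access-list \S+ (?:extended )?permit ip any (\S+) (\S+)", config)]
    if not all(any(a in e for e in exempt) for a in pool):
        findings.append(f"{name}: pool not matched by the NAT-exemption ACL")
    return findings

if __name__ == "__main__":
    for line in check(SAMPLE):
        print(line)
```

Moving the constructed pool to 192.168.1.10-192.168.1.50 with mask 255.255.255.0 clears all findings, which is the layout the accepted solution's NO-NAT and Split-VPN lines assume.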
