Cisco Support Community
New Member

ASA 5520: Remote VPN Clients can't ping LAN, no Internet

I've configured a few of these in my time but I'm puzzled with this one. I can establish a connection via the VPN tunnel; however, I can't seem to ping or get out on the internet. I've searched the forum for similar issues and found a few, but none of the fixes seem to fit. One weird thing I noticed is that when I run ipconfig /all from the VPN client, the IP address that was leased via the VPN pool is also the default gateway!?!?!?!

I've attached the config.  Please help.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

NAT exemption ACL has not been applied yet.

nat (Inside) 0 access-list Inside_nat0_outbound

Also, you don't have split tunnel; I'm not sure whether you are using the ASA internet for internet browsing from the VPN client.

You might also want to enable icmp inspection if you test by pinging:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope that helps.

7 REPLIES

New Member

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Thanks for your reply, halijenn.  Is configuring SplitTunnel totally necessary for this to work?  If so what would be the recommended config changes?

I will make the suggested changes regarding NAT Exemption and ICMP.

Thanks so much for your help!!!

Super Bronze

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Split tunnel depends on your company security policy: whether to allow VPN users to browse the internet directly from their own internet connection, or whether you need all traffic to be tunneled back to your ASA and the internet traffic for the VPN user routed through your company internet connection.

If you are happy with a direct internet connection for internet browsing for VPN users, then you can configure split tunnelling. If you need to route everything back towards the ASA, then you would need to configure the NATing for the IP pool for internet traffic.

New Member

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

So if I choose Split Tunneling, would my config changes look like this?

access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0 (or would this be 192.168.200.0 which is the VPN IP Pool?)

group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl
 default-domain value mydomain.com

By the way, I'm now able to get to all devices on my LAN so your suggestions worked great.  I'm still unable to get out to the internet but I take it our discussion on Split Tunneling and the final correct config changes will fix that.  Right?

Thanks!!!

Super Bronze

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Perfect, good to hear.

The split tunnel ACL would be your internal network subnet, not the ip pool subnet. And the split tunnel policy is correct, and the split tunnel ACL has been correctly defined.
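
The two directions discussed in this thread, side by side, as an added example that is not part of any poster's reply or of the attached config. It assumes the pre-8.3 NAT syntax the thread already uses; the interface name Outside, the /24 mask on the 192.168.200.0 pool and NAT ID 1 are assumptions, so substitute the values from your own config.

```cisco
! Needed for either option (from the accepted solution):
! exempt LAN <-> VPN pool traffic from NAT so clients can reach the LAN
nat (Inside) 0 access-list Inside_nat0_outbound
!
! ---- Option A: split tunnel ------------------------------------------
! Only traffic to the internal subnet is tunneled; the client browses
! the internet over its own connection, so the ASA never sees or
! inspects that traffic.
access-list acme_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
group-policy acme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acme_splitTunnelAcl
!
! ---- Option B: full tunnel (everything routed back to the ASA) -------
! All client traffic arrives on the outside interface and internet-bound
! traffic must leave through that same interface, so two things are
! required.
!
! 1. Permit traffic to enter and exit the same interface (hairpinning).
same-security-traffic permit intra-interface
!
! 2. Translate the VPN pool to the outside interface address for
!    internet traffic. "Outside", the /24 mask and NAT ID 1 are assumed.
nat (Outside) 1 192.168.200.0 255.255.255.0
global (Outside) 1 interface
!
! Leave split-tunnel-policy at its default (tunnelall) for this option.
group-policy acme attributes
 split-tunnel-policy tunnelall
```

Apply Option A or Option B, not both. With Option B the VPN users' internet traffic passes through the ASA and is subject to the company's inspection and logging, which is the security-policy trade-off described above.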

New Member

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Got it.  Thanks.  I'll think about which direction I want to go and configure accordingly.

You helped me A LOT!!!!!!!!!

Super Bronze

Re: ASA 5520: Remote VPN Clients can't ping LAN, no Internet

Cheers..
