Internet via VPN tunnel

Hi, I have a question.

I hope one of you can help me.

My problem is that I want to access the internet via the VPN tunnel.

I have a VPN connection to my ASA 5505 at home.

I'm able to access all the inside devices, but I'm unable to access the internet.

Is it possible to access the internet using the internet connection I have at home?

I've played around with the following commands:

same-security-traffic permit intra-interface
split-tunnel-policy tunnelall

 

 

ASA version: 9.1(2)

ASDM version: 7.1(3)

 

Greetings

Palermo

Accepted Solution
VIP Green


From the client that is connected via VPN, are you able to ping 4.2.2.2?

If yes, if you issue an nslookup google.com, does the name resolve?

If not, then I think the following highlighted command is the problem:

group-policy Home-VPNSSL attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

Try defining your DNS server here and then test.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
19 REPLIES


Hi Palermo,

 

Yes you can, but you have to do hairpinning on your ASA....

Also a NAT rule should be given for (outside,outside) to permit the traffic from outside to go out again on the outside path, which is a U-turn...

E.g., it should be something like this:

object network OBJ_VPN_Pool
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

 

HTH

 

Regards

Karthik

New Member


Hi nkarthikeyan,

I've been looking into hairpinning as well. But all the explanations and screenshots are from older versions of ASDM. I cannot find the hairpin feature.

object network OBJ_VPN_Pool
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

So I try to understand what you are showing:

I need to make an object of the "VPN IP DHCP range", in my case 192.168.1.100-110/24,

and then I should enter the NAT statement you gave me.

Is this correct?

Thanks in advance

 

 

 


Hi Palermo,

 

Yes. The VPN pool will be the source, and NAT is to be done for outside to outside as given, along with the same-security-traffic permit intra-interface which you mentioned in the original post.

So this will ensure the traffic comes in and goes out on the same interface.

 

It should work in the way we explained.

 

HTH

 

Regards

Karthik

VIP Green


You would also need to adjust the No NAT statement to be from any to the VPN pool IPs.

New Member


Hi MariusGunnerud,

Is what you are telling me maybe the same thing as what nkarthikeyan is telling me?

I'm quite new to the ASA series from Cisco.

Mostly everything is done via ASDM. All the screenshots are from older versions of ASDM.

Cisco has changed a lot over the past few years.

Thanks in advance

 

Greetings

Palermo

VIP Green


You need to configure hairpinning for the RA VPN, and one part is done by using the command Karthik provided. The other is to allow traffic to make a U-turn on an interface (enter and then leave the same interface), which you have already mentioned in your original post. So here is my spin on the commands you need to use:

same-security-traffic permit intra-interface

object network RA_VPN
  range 192.168.1.100 192.168.1.110
  nat (outside,outside) dynamic interface

New Member


Hi Marius,

Marius and nkarthikeyan,

Thanks for helping me.. it gives me a good grasp of the Cisco ASA tech (not so easy :-)

I configured it like you said. The problem is that I need to configure everything via ASDM. Not handy.

The config looks like this:

object network RA_VPN
 range 192.168.1.100 192.168.1.110
object network obj_any
 nat (inside,outside) dynamic interface
object network RA_VPN
 nat (outside,outside) dynamic interface

and of course

same-security-traffic permit intra-interface

I'm not able to access the internet via the VPN tunnel.

Am I missing something?

I've added the complete config as an attachment.

PS... It is not really needed to have the VPN pool in the same subnet as the DHCP server for the local interfaces. But if I change the subnet to a different range, I'm not able to access devices from the local subnet.. I'm gonna solve that later..

 

New Member


Whow.

How cool is that. (or not)

It is exactly how you said it..

I'm able to ping 4.2.2.2 and 8.8.8.8

But I'm not able to resolve google.com from the client via VPN.

So I'm now looking into configuring the DNS from the local internet provider.

I'll let you know.

thanks

 


Hi Palermo,

Yeah... The DNS from the local service provider will give you the desired result.... Open DNS server mapping will have latency and performance issues.....

 

HTH

 

Regards

Karthik

New Member


Hi,

I've configured the DNS. But still no cigar.

I've configured the DNS in the following places:

group-policy Home-VPNSSL attributes
 wins-server none
 dns-server value 213.51.129.37
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

and

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 213.51.129.37
 name-server 213.51.144.37
 domain-name ziggo.nl
same-security-traffic permit intra-interface

How far can I be wrong?

I've got the feeling that we are close.

Thanks in advance

 

 

 

 

 

VIP Green


Did you disconnect and then reconnect the VPN client? If not, please disconnect and reconnect and then test.

New Member


Marius,

The fact that I'm posting this message via the internet over the VPN session says enough. :-)

I guess that I was a bit impatient.

After disconnecting and reconnecting, internet works via VPN.

I'm gonna clean up the configuration after a lot of testing and trying.

MariusGunnerud & nkarthikeyan & tbangia

Without you, I think I would never have gotten it working. I learned a lot today.

Thanks for your help. I really appreciate it.

 

Greeting

Palermo

 

VIP Green


NICE!

Glad you got it working, and thank you for the rating

 

VIP Green


Nice, so DNS is the issue.

Let us know how it goes once you set the DNS for the VPN clients.



Hi,

 

Can you try like the below?

object network RA_VPN
 no nat (outside,outside) dynamic interface
nat (outside,outside) source dynamic RA_VPN interface
!
group-policy Home-VPNSSL attributes
 split-tunnel-policy tunnelall
!

HTH

 

Regards

Karthik

New Member


Hi Karthik,

Done the config.

Still no internet on the client side, which is connected via VPN.

Funny how much has changed in the GUI and CLI over the years.

Seems so easy when I look at manuals and Google :-)

 

 


Hi,

 

Have you set the DNS server on the group-policy for name resolution as Marius suggested?

 

HTH

 

Regards

Karthik

New Member


Remote Office Local LAN
        |
        |
  -----------------
  |   Cisco ASA   |
  -----------------
        | OUTSIDE
        |
        |
        |____________| INTERNET |_________ Remote Access VPN Client
           

 


1. As per your topology and configuration, the remote access VPN client will get an IP from the VPN pool, i.e. 192.168.10.x, hence the traffic sourced from the client machine to the internet will look as below:

2. Unencrypted traffic:

Source - 192.168.10.x
Destination - Any (i.e. the IP of any public server)

3. Encrypted traffic:

The traffic will be PATed on the client end and encapsulated via ESP, hence the packet would now be sourced from the public IP of the remote access client's site.

4. Once the traffic hits the Cisco ASA it would be decrypted, so the packet would now be the same as that in point 2.

5. After the route lookup, when the ASA points the route for the internet web server to outside, the below NAT, which is missing in your configuration, will take the hit to PAT the VPN pool subnet so that the packet becomes routable on the internet.

object network OBJ_VPool_Inet_PAT
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

6. As you have already enabled hairpinning via same-security-traffic permit intra-interface, the traffic would be sent out to the web server on the internet.

 

 

Please rate the post if you find it helpful!!
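As an added example that is not part of this thread (it is neither Cisco's tooling nor any poster's code), here is a small Python script that checks an ASA-style running-config for the four pieces the replies above converge on: same-security-traffic permit intra-interface, a (outside,outside) PAT of the VPN pool (Karthik's object-NAT form or the twice-NAT form), a dns-server value under the group-policy (the accepted answer), and split-tunnel-policy tunnelall. The two sample configs are constructed for this example; they reuse the object name RA_VPN, the group-policy Home-VPNSSL, the pool 192.168.1.100-110 and the resolver 213.51.129.37 from the posts, and every function name and the interface name "outside" are assumptions of this example. It does not cover the no-NAT (identity NAT) adjustment Marius mentioned.

```python
"""Static check of an ASA config for internet access through a hairpinned
remote-access VPN. Illustrative script, not Cisco tooling; samples are constructed."""
import ipaddress
import re


def parse_asa_config(text):
    """Split ASA config text into (top-level command, [sub-commands]) pairs;
    an indented line belongs to the most recent unindented command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def object_covers_pool(sub_cmds, pool_first, pool_last):
    """True if an 'object network' body (subnet/range/host) contains the whole pool."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    for cmd in sub_cmds:
        parts = cmd.split()
        if parts[0] == "subnet" and len(parts) == 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            return first in net and last in net
        if parts[0] == "range" and len(parts) == 3:
            lo, hi = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            return lo <= first and last <= hi
        if parts[0] == "host" and len(parts) == 2:
            return first == last == ipaddress.ip_address(parts[1])
    return False


def check_hairpin_vpn(text, pool_first, pool_last, group_policy, outside="outside"):
    """Report which of the four hairpin prerequisites the config satisfies."""
    blocks = parse_asa_config(text)
    findings = {
        "intra_interface": False,           # same-security-traffic permit intra-interface
        "pool_nat_outside_outside": False,  # pool PATed to the outside interface address
        "dns_server_set": False,            # group-policy pushes a resolver to the client
        "tunnelall": False,                 # split-tunnel-policy tunnelall
    }
    # Pass 1: names of objects describing the pool. ASA lets one object name be
    # declared twice (range in one block, nat in another), so collect names first.
    pool_objects = set()
    for cmd, subs in blocks:
        if cmd.startswith("object network ") and object_covers_pool(subs, pool_first, pool_last):
            pool_objects.add(cmd.split()[2])
    obj_nat = re.compile(rf"nat \({outside},{outside}\) dynamic interface")
    twice_nat = re.compile(rf"nat \({outside},{outside}\) source dynamic (\S+) interface")
    for cmd, subs in blocks:
        if cmd == "same-security-traffic permit intra-interface":
            findings["intra_interface"] = True
        elif cmd.startswith("object network ") and cmd.split()[2] in pool_objects:
            if any(obj_nat.fullmatch(s) for s in subs):       # object NAT form
                findings["pool_nat_outside_outside"] = True
        elif (m := twice_nat.fullmatch(cmd)) and m.group(1) in pool_objects:
            findings["pool_nat_outside_outside"] = True       # twice (manual) NAT form
        elif cmd == f"group-policy {group_policy} attributes":
            for s in subs:
                if s.startswith("dns-server value "):
                    findings["dns_server_set"] = True
                elif s == "split-tunnel-policy tunnelall":
                    findings["tunnelall"] = True
    return findings


def missing_pieces(findings):
    """Names of the prerequisites that are absent, in check order."""
    return [name for name, ok in findings.items() if not ok]


# Constructed sample 1: hairpin NAT in place, group-policy still says 'dns-server none'.
CONFIG_NO_DNS = """\
same-security-traffic permit intra-interface
object network RA_VPN
 range 192.168.1.100 192.168.1.110
object network RA_VPN
 nat (outside,outside) dynamic interface
group-policy Home-VPNSSL attributes
 dns-server none
"""

# Constructed sample 2: resolver pushed, tunnelall forced, pool PATed via twice NAT.
CONFIG_FIXED = """\
same-security-traffic permit intra-interface
object network RA_VPN
 range 192.168.1.100 192.168.1.110
nat (outside,outside) source dynamic RA_VPN interface
group-policy Home-VPNSSL attributes
 dns-server value 213.51.129.37
 split-tunnel-policy tunnelall
"""

if __name__ == "__main__":
    for label, cfg in (("no-dns", CONFIG_NO_DNS), ("fixed", CONFIG_FIXED)):
        found = check_hairpin_vpn(cfg, "192.168.1.100", "192.168.1.110", "Home-VPNSSL")
        print(label, "missing:", missing_pieces(found) or "nothing")
```

Run as-is it reports the first sample as missing `dns_server_set` and `tunnelall` and the second as missing nothing. Two caveats a static check cannot see: the group-policy attributes only reach a client when it reconnects (the step that finally made the thread's setup work), and the resolver you push must itself be reachable from the pool addresses once they are PATed out the outside interface.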
