
New Member

No Internet Access for Full Tunnel

We have an ASA 5550, ver. 8.0(5), and are using IPsec clients for Remote Access into the Main Office.  The Remote Access is working great with Split Tunnel.  We can access network resources and get on the internet with Split Tunnel.  However, with full tunnel we can only access the network resources, but have no internet access.  Do you have any suggestions?

Thanks.

Diane

21 REPLIES
Cisco Employee

Re: No Internet Access for Full Tunnel

Hi Diane,

Is that EZVPN? If the source is a private IP, it will not access the internet. It has to be somehow NATed at the main office before getting on the internet.

HTH,

Lei Tian

New Member

Re: No Internet Access for Full Tunnel

Thanks for your prompt response, Lei.

It is not EZVPN.  I have natted statements:

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound extended permit ip any 10.100.24.0 255.255.248.0

Do you see anything wrong with the nat statements?  I am missing something.

Thanks.

Diane

Re: No Internet Access for Full Tunnel

Diane,

You need to NAT your RA VPN pool network using your global interface NAT ID 1.

For full tunnel, add two more statements:


same-security-traffic permit intra-interface

nat (outside) 1  

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Regards

New Member

Re: No Internet Access for Full Tunnel

Hi Jorge,

Thanks very much for the info.  I still cannot access the internet after adding those two statements.  Do you have any other suggestions?

Thanks.

Diane

Re: No Internet Access for Full Tunnel

Can  you post  sanitized asa config .

New Member

Re: No Internet Access for Full Tunnel

Thanks Jorge for your prompt response.  Attached is the config file.  The SWS and Marketing groups can access the internal resources and the internet.  However, the Techsupport group can only access the internal resources and has no internet access.  The Techsupport group is set up as full tunnel.

Please let me know if you have any questions or need additional information.

Thanks very much for taking time to help me out.

Diane

New Member

Re: No Internet Access for Full Tunnel

Jorge,

Do you have any suggestions on how to debug why the full tunnel does not work?

Thanks.

Diane

New Member

Re: No Internet Access for Full Tunnel

Hi,

Can you please tell me why your techsupport group policy doesn't have DNS configured?

Since you are using full tunnel, you won't be able to access your home internet once connected, so you have to have DNS configured under the group policy to use the company internet.

HTH

New Member

Re: No Internet Access for Full Tunnel

Thanks for taking time to respond.  I did not know that I need to put in the DNS for the group Techsupport.  Anyway, I put in the company DNS and still Techsupport cannot get to the internet.  Do you have any other suggestions?  Is there a way to debug why full tunnel can't get to the internet?

Thanks.

Diane

New Member

Re: No Internet Access for Full Tunnel

OK, try adding the following (without removing DNS):

sysopt connection permit-vpn

nat (outside) 1 (vpn pool)

Then enable logging on the ASA, i.e. logging buffered debugging and logging enable.

Then reconnect the client and try to ping google.com or Google's IP, then tracert www.google.com, and paste the log output here.

By using show logging you should get any specific logs related to techsupport.

New Member

Re: No Internet Access for Full Tunnel

Sorry, I forgot one more command to configure, which is sysopt connection permit-vpn.

New Member

Re: No Internet Access for Full Tunnel

Thanks for your prompt response.  What is the statement "sysopt connection permit-vpn"?  Do I remove it when I finish debugging?

Can you nat inside and outside?  I kept the DNS and added the NAT statement per your recommendation.  So, I have

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

Let me know if these are NOT correct.

Info:

My computer IP address 10.10.10.227

VPN pool 192.168.10.0 255.255.255.0

Subnet from the Management computer 172.16.163.0

Google IP address 66.102.7.147

I was not able to ping www.google.com or tracert to www.google.com. So, I did a tracert to Google's IP address 66.102.7.147.   Attached is the log file.

Thanks.

Diane

Cisco Employee

Re: No Internet Access for Full Tunnel

You have this in your config:

route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled

This is causing all traffic from the vpnclients to be routed to the internal gateway (which will probably send it back to the ASA, but then you're going to have asymmetric traffic etc. so this is never going to work).

Do you really need this? If not: remove it, otherwise replace it with something like

route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled

hth

Herbert

New Member

Re: No Internet Access for Full Tunnel

Thanks for your response, Herbert.  Can you explain to me what asymmetrical traffic is?  I am not sure if I needed that route statement "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled".  Removing that route statement makes no difference.  I still could not get on the internet.  Do you have any other suggestions?

Thanks.

Diane

Re: No Internet Access for Full Tunnel

I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?

1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the VPN clients.

2. You do need a valid DNS server address

3. You do need "same-security-traffic permit intra-interface"

4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

By the way, when you ping www.google.com, is IP resolved?

In your log, I did not see any client IP 192.168.10.x but 192.168.1.1.
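For a reader assembling the four items above into one working configuration, here is an added example (not from the thread, and not Cisco's own sample) of the complete set of ASA 8.0 commands for a full-tunnel IPsec remote-access group that hairpins client internet traffic back out the Outside interface. The interface names Inside/Outside and the pool 192.168.10.0/24 are taken from the thread; the DNS server address 10.10.10.5, the group-policy name Techsupport, and the extra nat 0 ACE for the pool are assumptions, so adjust them to your own config.

```cisco
! Added example (not from the thread): consolidated ASA 8.0(5) config for a
! full-tunnel ("tunnelall") IPsec remote-access group with internet access.
! Assumed values: interfaces Inside/Outside, VPN pool 192.168.10.0/24,
! internal DNS server 10.10.10.5, group-policy Techsupport, and the existing
! ACL name Inside_nat0_outbound from the poster's config.

! 1. Decrypted client traffic arrives on Outside and must leave on Outside
!    again. Without this the ASA drops the hairpinned (u-turn) traffic.
same-security-traffic permit intra-interface

! 2. Decrypted VPN traffic bypasses the Outside interface ACL. This is the
!    default; it is shown so a stray "no sysopt connection permit-vpn" is noticed.
sysopt connection permit-vpn

! 3. PAT the VPN pool to the Outside interface address with the same global
!    ID 1 that inside hosts already use. Without the nat (Outside) line the
!    private pool address is sent to the internet unchanged and replies never
!    return.
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 1 192.168.10.0 255.255.255.0

! 4. Keep Inside <-> VPN pool traffic out of NAT so internal resources still
!    work (assumed ACE; the exemption applies to both directions of the flow).
access-list Inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound

! 5. Full-tunnel clients lose their home DNS, so the company DNS must be
!    pushed by the group policy.
group-policy Techsupport attributes
 dns-server value 10.10.10.5
 split-tunnel-policy tunnelall

! 6. Do not keep a tunneled default route pointing at an inside gateway: it
!    sends the clients' internet traffic to 172.16.3.102 instead of out Outside.
no route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled

! 7. NAT changes only affect new translations; flush the existing ones.
clear xlate

! Verification, with a client connected (source is an address from the pool):
!   packet-tracer input Outside tcp 192.168.10.10 12345 66.102.7.147 80
!     -> should end with "Action: allow" and show a translation to the Outside IP
!   show xlate | include 192.168.10
!   logging enable
!   logging buffered debugging
!   show logging | include 192.168.10
```

The order matters for diagnosis: if step 3 is missing you see untranslated 192.168.10.x sources leaving Outside, if step 1 is missing the ASA drops the u-turn flow, and if step 5 is missing pings by IP succeed while name resolution fails, which is exactly the split of symptoms the thread walked through.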

New Member

Re: No Internet Access for Full Tunnel

Thanks for your response, Kevin.  I have tried those suggestions all together.

1.  I added the NAT (Outside) 1 192.168.10.0 and still could not get on the internet.   I removed the NAT (Inside) statements and added the Nat (Outside) 1 192.168.10.0.  I could not get to the internal resources and internet.

2.  I have a valid DNS server address

3.  I have "same-security-traffic permit intra-interface" statement

4.  Remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

When I ping www.google.com, the IP address is not resolved.  So, I had to ping Google's IP address instead.

It was my error, the IP address should be 192.168.10.0, not 192.168.1.0

Can you think of anything else?  Thanks.

Diane

Re: No Internet Access for Full Tunnel

Can you ping IP address of www.google.com successfully?

If yes, your connectivity is good. It might be just a DNS issue. When the client is connected, use "nslookup" on the client PC to see if it uses the correct DNS server and if the DNS server can resolve the name to an IP correctly.

New Member

Re: No Internet Access for Full Tunnel

Kevin,

I can now get on the internet.  I put both NAT statements as recommended again by Nomair_83

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I don't know why these NAT statements did not work in the previous posts.

I would like to thank you and everyone for taking time to help me out.  You took time to read the posts and summarized what I should have in my config.  You guys are truly amazing. I will go back and rate each post.

Thanks.

Diane

Re: No Internet Access for Full Tunnel

Diane,

Glad you made it work.

Just FYI. After you do any change on NAT commands, you'd better do a "clear xlate".

New Member

Re: No Internet Access for Full Tunnel

Diane, you don't have to remove the nat (inside) commands, and nat (outside) (vpn pool IP address) is required.

Try to ping your DNS server when connected, and if it pings, then try to browse Google by IP, like http://IP of google.com.

Try ipconfig /flushdns in a command prompt,

then try to browse/ping again.

New Member

Re: No Internet Access for Full Tunnel

Nomair_83

I can now get on the internet.  I re-added the nat (Outside) statement per your recommendation.  I don't know why these NAT statements did not work in the previous posts.

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I want to thank you and everyone for taking time to help me out.  Your input has been very valuable.  Each of your responses has contributed to providing me with a solution.  I will go back and rate each post.

Thanks.

Diane
