No internet access while connected through Remote Access VPN...??

Hi Everyone,

I'm new to ASA configuration so I really need some advice; my requirements are these:

  • Have remote VPN access to the whole remote LAN segment 10.0.0.0 255.0.0.0 (includes NEXUS, UCS, CUCM, DMS, Wireless, etc.)
  • Be able to telnet/ssh to remote devices and have admin access to http/https-enabled technologies.
  • Internet traffic sent over my local ISP, not the remote LAN's Internet.
  • For the first instance, let all the INSIDE hosts (10.0.0.0) (connected through a L3 switch and so on) have internet access for demo purposes.

Basically, those are my needs (not too much to ask!!). I already made most of the config, but it took me 2 days to figure out some things, and now I have the issue that I cannot access http/https to UCS or CUCM (10.1.1.4), and while I am connected to the VPN I can't surf or search for answers on the web using my local Internet.

I'm gonna post my ASA config and the directly connected L3 switch config for you expert guys to help me figure out my mistake.. ok!

Thanks in advance !!

Accepted Solution

You need to create a no-nat between your internal network(s) and the remote-VPN IP pool, and add those particular networks to the split-tunnel ACL.

object network obj-myinside-network
 subnet x.x.x.x 255.255.255.0
nat (inside,outside) source static obj-myinside-network obj-myinside-network destination static VPN-POOL VPN-POOL

Hope that helps.

thanks
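To see why this solution uses a specific inside object rather than the "source static any any" identity rule in the posted config (the same point Rizwan repeats later in the thread, and the "NAT divert to egress interface INSIDE" line in the packet-tracer output), here is a simplified model of ASA 8.3+ NAT rule matching that I wrote for this thread; it is not Cisco code and only models section 1 and section 2 rules matched top-down, in both directions. Interface, object and address values are taken from the posted config; the packets evaluated are constructed.

```python
import ipaddress
from dataclasses import dataclass

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")
VPN_POOL = NET("172.16.0.0/24")   # object network VPN-POOL from the posted config
ADMON = NET("10.1.1.0/24")        # object network Admon (UCS/CUCM live here)


@dataclass
class TwiceNat:
    """nat (src_if,dst_if) source static X X destination static Y Y (identity)."""
    src_if: str
    dst_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class ObjectNat:
    """object network X / nat (src_if,dst_if) dynamic interface."""
    src_if: str
    dst_if: str
    src: ipaddress.IPv4Network


def lookup(ingress, src_ip, dst_ip, manual, auto):
    """Simplified ASA 8.3+ NAT order: section 1 (manual/twice NAT, top-down,
    matched in both directions) is consulted before section 2 (object NAT).
    Returns (egress interface, what happened) for the first matching rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in manual:
        if ingress == r.src_if and s in r.src and d in r.dst:
            return r.dst_if, "identity"
        # Reverse direction: a packet entering r.dst_if whose destination falls
        # in r.src is diverted to r.src_if (the "NAT divert" packet-tracer shows).
        if ingress == r.dst_if and s in r.dst and d in r.src:
            return r.src_if, "identity-divert"
    for r in auto:
        if ingress == r.src_if and s in r.src:
            return r.dst_if, "pat-interface"
    return None, "no-match"


# Section 2 rules shared by both variants: LAN-OUT PAT and the VPN-POOL hairpin.
AUTO = [ObjectNat("INSIDE", "OUTSIDE", ANY), ObjectNat("OUTSIDE", "OUTSIDE", VPN_POOL)]
# The OP's rule ("source static any any") versus the accepted solution's specific object.
ANY_ANY = [TwiceNat("INSIDE", "OUTSIDE", ANY, VPN_POOL)]
SPECIFIC = [TwiceNat("INSIDE", "OUTSIDE", ADMON, VPN_POOL)]
```

With ANY_ANY, a VPN client packet for 4.2.2.2 is diverted to INSIDE; with SPECIFIC the same packet falls through to the VPN-POOL hairpin PAT on OUTSIDE, while traffic to 10.1.1.4 still gets the identity no-nat.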


17 Replies

mvsheik123
Level 7

Hi,

You may need to add split-tunnel configuration for this. Check the below link.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

hth

MS

Thanks MS,

but I already configured a split-tunnel and it hasn't worked. Take a look:

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
group-policy VPN-PRUEBA internal
group-policy VPN-PRUEBA attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-PRUEBA_splitTunnelAcl

Am I right?

rizwanr74
Level 7

Hi

Please change your ACL entry.

from this: "access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0"

To this: access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.10.0.0 255.0.0.0

Please change your route from "route INSIDE 0.0.0.0 255.0.0.0 10.10.0.1"

To this: route INSIDE 10.0.0.0 255.0.0.0 10.10.0.1

On your 3560 inside switch please add this route as well, the one below.

ip route 172.16.0.0 255.255.255.0 10.10.0.3

Hope that helps.

Please update me.

thanks

Rizwan Rafeek

Thanks Rizwan,

I already tried that and look what happened:

ASA5540(config)# access-list VPN-PRUEBA_splitTunnelAcl standard permi$
ERROR: IP address,mask <10.10.0.0,255.0.0.0> doesn't pair

route INSIDE 10.0.0.0 255.0.0.0 10.10.0.1
ERROR: Cannot add route, connected route exists

Any advice?
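The two errors above are plain address arithmetic, and the same arithmetic decides which destinations a split-tunnel client sends through the tunnel. Here is a small Python checker I added to this thread (not ASA code) that reproduces the "doesn't pair" check, the connected-route clash, the split-tunnel decision for a destination, and the size of the connected subnet a /8 interface address claims; the ACL entries and addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed from the thread: the split-tunnel ACL the OP configured and the
# entry proposed in the reply. Standard ACL entries are (network, mask) pairs.
OP_SPLIT_ACL = [("10.0.0.0", "255.0.0.0")]
PROPOSED_ENTRY = ("10.10.0.0", "255.0.0.0")


def pairs(network: str, mask: str) -> bool:
    """Mirror the ASA sanity check behind "IP address,mask <a,m> doesn't pair":
    the network address must have no host bits set under the given mask."""
    try:
        ipaddress.ip_network(f"{network}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def split_tunnel_decision(dst: str, acl: list) -> str:
    """With split-tunnel-policy tunnelspecified, only destinations matched by
    the split-tunnel ACL enter the tunnel; anything else (including a DNS
    server such as 4.2.2.2 pushed by the group policy) uses the local ISP."""
    addr = ipaddress.ip_address(dst)
    for net, mask in acl:
        if addr in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return "tunnel"
    return "local-isp"


def connected_hosts(ip: str, mask: str) -> int:
    """Size of the connected subnet an interface address claims; a /8 on the
    ASA-to-switch link covers far more than the /30 recommended in the thread."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network.num_addresses


def static_route_conflicts(route_net: str, route_mask: str,
                           if_ip: str, if_mask: str) -> bool:
    """True when a static route targets exactly the interface's connected
    subnet, which is what "Cannot add route, connected route exists" reports."""
    route = ipaddress.ip_network(f"{route_net}/{route_mask}", strict=False)
    connected = ipaddress.ip_interface(f"{if_ip}/{if_mask}").network
    return route == connected
```

Run pairs(*PROPOSED_ENTRY) to see the rejected entry, and split_tunnel_decision("4.2.2.2", OP_SPLIT_ACL) to see that the pushed DNS server is reached via the local ISP, not the tunnel.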

Were you able to add the static route on your 3560 and try it?

Yes, I added the static route on the switch, but I'm still facing an internet access problem while connected to the Remote Access VPN using the VPN Client.

Do I need to run debugs to track the issue, Rizwan?

You can tunnel everything including your remote-client web-browsing, so try this below.

object network VPN-POOL
 nat (OUTSIDE,OUTSIDE) dynamic interface

Please let me know, if that helps.

thanks

Thanks Rizwan,

I have telnet access to devices, but when I want to surf web pages I get the error page and a problem with DNS.

One weird thing is that I don't lose connectivity in MSN while on the VPN tunnel.... huh?

Before I edited the LAN-INSIDE subnet to 10.0.0.0 /8 (before it was /24) the split tunnel worked fine, but I wasn't able to have IP connectivity to vlan 15 and the devices associated with it.

Do you have any solution or explanation for this issue? Sorry for being annoying.

Do you have an internal DNS? If you do, change the value of your dns-server to the internal one.

group-policy VPN-PRUEBA attributes
 dns-server value 4.2.2.2

"One weird thing is that I don't lose connectivity in MSN while on the VPN tunnel.... huh?"  Coming off the cached DNS record.

"Before I edited the LAN-INSIDE subnet to 10.0.0.0 /8 (before it was /24) the split tunnel worked fine, but I wasn't able to have IP connectivity to vlan 15 and the devices associated with it."

That issue is due to a missing no-nat between the vpn-pool and your inside vlan 15.

Please rate helpful post.

thanks

Rizwan Rafeek

I already added the internal DNS but it's still the same; however, this Remote Access VPN is gonna be used by hosts connected from different locations, so we need everyone to get DNS from their local ISP or a general DNS that works for anyone.

Any clue?

When you have a layer 3 switch connected to your FW, all you need is a /30 mask on the IP address that connects your layer 3 switch and your FW. This /8 mask "10.10.0.3 255.0.0.0" will overlap with 16,777,216 IPs.

Please issue the command shown below and post me the output.

packet-tracer input OUTSIDE icmp 172.16.0.2 8 0 4.2.2.2

thanks

Rizwan, here is the output:

ASA5540-FINANZAS(config)# packet-tracer input OUTSIDE icmp 172.16.0.2 8 0 4.2.$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 4.2.2.2/0 to 4.2.2.2/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-IN global
access-list ACL-IN extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 593, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

----------------------------------------------------------------------------------

Also, I changed the ASA INSIDE address to 10.14.0.2 and the switch to 10.14.0.1, and also edited the static routes to point to the new gateway, but now from the ASA I don't have connectivity to the switch's VLANs 10 and 15, so neither would I while on the RA VPN.

The no-nat shown below will give you access to your inside networks; in the object "obj-myinside-network" you put your inside network subnet.

nat (inside,outside) source static obj-myinside-network obj-myinside-network destination static VPN-POOL VPN-POOL

Please post your most current config.

thanks

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group infinitum
 ip address pppoe
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 50
 ip address 10.14.0.2 255.255.255.252
!
interface GigabitEthernet0/1.10
 shutdown
 vlan 10
 nameif Vlan-Datos
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.15
 shutdown
 vlan 15
 nameif Vlan-MGMT
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif MGMT
 security-level 0
 ip address 10.15.0.5 255.255.255.0
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-OUT
 subnet 0.0.0.0 0.0.0.0
object network VPN-POOL
 subnet 172.16.0.0 255.255.255.0
object network Admon
 subnet 10.1.1.0 255.255.255.0
access-list VPN-INSIDE extended permit ip any any
access-list VPN-INSIDE extended permit tcp 172.16.0.0 255.255.255.0 any log
access-list VPN-INSIDE extended permit ip 172.16.0.0 255.255.255.0 any log
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list INSIDE-OUT extended permit icmp any any echo-reply
access-list INSIDE-OUT extended permit icmp any any time-exceeded
access-list INSIDE-OUT extended permit icmp any any unreachable
access-list ACL-IN extended permit ip any any
access-list INSIDE extended permit ip any any log
access-list OUTSIDE extended permit ip any any
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Vlan-Datos 1500
mtu Vlan-MGMT 1500
mtu DMZ 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.16.0.10-172.16.0.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
nat (INSIDE,OUTSIDE) source static Admon Admon destination static VPN-POOL VPN-POOL
!
object network LAN-OUT
 nat (INSIDE,OUTSIDE) dynamic interface
object network VPN-POOL
 nat (OUTSIDE,OUTSIDE) dynamic interface
access-group INSIDE out interface OUTSIDE
access-group ACL-IN global
route OUTSIDE 0.0.0.0 0.0.0.0 200.38.193.226 1
route INSIDE 0.0.0.0 255.0.0.0 10.14.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 INSIDE
http 172.16.0.0 255.255.255.0 OUTSIDE
no snmp-server location
no snmp-server contact
telnet 172.16.0.0 255.255.255.0 OUTSIDE
telnet 10.0.0.0 255.0.0.0 INSIDE
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 OUTSIDE
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh timeout 5
console timeout 0
management-access OUTSIDE
vpdn group infinitum request dialout pppoe
vpdn group infinitum localname t6188127487
vpdn group infinitum ppp authentication pap
vpdn username t6188127487 password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy VPN-PRUEBA internal
group-policy VPN-PRUEBA attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-PRUEBA_splitTunnelAcl
username admin password XE1B.OOAZ0MEXVQC encrypted privilege 15
username admin attributes
 vpn-group-policy XPG-DGO
username msanchez password RZWBd0.CKVo5Kklv encrypted privilege 0
username msanchez attributes
 vpn-group-policy VPN-PRUEBA
tunnel-group XPG-DGO type remote-access
tunnel-group VPN-PRUEBA type remote-access
tunnel-group VPN-PRUEBA general-attributes
 address-pool VPN_POOL
 default-group-policy VPN-PRUEBA
tunnel-group VPN-PRUEBA ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!

----------------------------------------------------------

3560X - These are the only changes I've made:

interface GigabitEthernet0/1
 no switchport
 ip address 10.14.0.1 255.255.255.252
!
ip default-gateway 10.14.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.14.0.2
ip route 172.16.0.0 255.255.255.0 10.14.0.2
