Cisco Support Community

VPN/ASA clients can't get to the Internet.

VPN clients can get to all internal servers/DMZ but not the Internet. This is the partial config of the ASA. TIA

VPN Pool 10.17.70.0

DMZ 192.168.100.0

Internal 172.0.0.0

-------------------------------------

access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0

access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0

access-list splittunnel standard permit 172.0.0.0 255.0.0.0

global (Outside) 10 interface

global (Businesspartner) 10 interface

nat (Inside) 0 access-list nonatdmz

nat (Inside) 10 0.0.0.0 0.0.0.0

nat (DMZ) 10 0.0.0.0 0.0.0.0

1 ACCEPTED SOLUTION

Re: VPN/ASA clients can't get to the Internet.

Vinnie, glad you are getting there.

To telnet to the ASA through a VPN session, you need to add this statement.

management-access inside

In this same link, see split tunnel vs. "Allow local LAN only" access; you can learn the differences and you will better understand your ASA configuration pertaining to RA VPN.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

8 REPLIES

Re: VPN/ASA clients can't get to the Internet.

You need to NAT the VPN pool network for outbound Internet.

i.e.

nat (outside) 10 10.17.70.0

Re: VPN/ASA clients can't get to the Internet.

Vinnie, just following up: has your problem been resolved by adding the nat statement for VPN network Internet access? Please let us know if the problem still exists.

Rgds

Jorge

Re: VPN/ASA clients can't get to the Internet.

After including the following line:

nat (Outside) 10 10.17.70.0

the problem still exists. When I tried ipconfig at the command prompt, the default gateway IP shows up as 10.17.70.1, which is non-existent.

-Vinnie

Re: VPN/ASA clients can't get to the Internet.

When the client connects via remote access VPN, its gateway will be its own IP that is assigned by the VPN gateway.

Because remote access VPN is a point-to-point connection between client and server, there is no need to have a gateway; the client sends all traffic to the VPN gateway.

You need to make nat (inside) and global outside for the remote access client IP.

I am assuming that the clients are coming from the inside of the firewall; if they are attached to the DMZ side, make the nat (dmz).

Re: VPN/ASA clients can't get to the Internet.

It does not appear that our split tunnel is applied.

Re: VPN/ASA clients can't get to the Internet.

Also, you need a NAT outside for the VPN clients, since the ASA sees them as outside entities. Use ASDM and look at the logging; it is a very useful tool to clear up this problem.

Re: VPN/ASA clients can't get to the Internet.

Great news, we can browse the Internet after split tunnel was implemented. What is split tunnel anyway? We also have a new issue that came up after split tunnel was configured: we're no longer able to Telnet to the ASA.

Current telnet configurations are as below.

telnet 10.17.70.0 255.255.255.0 Outside

telnet 172.17.0.0 255.255.0.0 Inside

Thanks for your great help.

Vinnie
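Editor's added example, not part of the thread or anyone's posted config: a small Python check that reports the two conditions discussed above, a split-tunnel ACL that is defined but never applied to a group-policy, and a full-tunnel setup that lacks the hairpin pieces needed for Internet access. It assumes pre-8.3 `nat`/`global` syntax as used in the question; the group-policy name `remotevpn` is hypothetical, and the check is global rather than per group-policy.

```python
import re

# Constructed sample: the access-list, global and nat lines come from the
# question; the group-policy name "remotevpn" is hypothetical.
SAMPLE = """\
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
group-policy remotevpn attributes
 vpn-tunnel-protocol IPSec
"""

def audit(config):
    """Return findings explaining why RA VPN clients may lack Internet access."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Standard ACLs are the kind used as split-tunnel network lists.
    std_acls = {m.group(1) for l in lines
                if (m := re.match(r"access-list (\S+) standard ", l))}
    applied = {m.group(1) for l in lines
               if (m := re.match(r"split-tunnel-network-list value (\S+)", l))}
    policy_set = "split-tunnel-policy tunnelspecified" in lines
    findings = []
    for acl in sorted(std_acls - applied):
        findings.append(f"standard ACL '{acl}' is defined but no group-policy references it")
    if applied and not policy_set:
        findings.append("split-tunnel-network-list set without 'split-tunnel-policy tunnelspecified'")
    if not (applied and policy_set):
        # Full tunnel: client Internet traffic enters and leaves on the
        # outside interface, so it must be allowed to hairpin and be NATed.
        if "same-security-traffic permit intra-interface" not in lines:
            findings.append("full tunnel: 'same-security-traffic permit intra-interface' missing")
        if not any(re.match(r"nat \(outside\) \d+ ", l, re.I) for l in lines):
            findings.append("full tunnel: no 'nat (Outside)' rule present")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

With split tunneling applied, only the networks in the ACL go through the tunnel and the client reaches the Internet directly, so the hairpin checks no longer apply.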
