
no internet access on vpn clients

andresitotubia
Level 1

Hi,

I set up an ASA 5510 for VPN client connections with a local IP pool and IAS authentication. All is working fine for the internal network (I can ping everywhere), but I'm not able to get Internet access when I'm connected with the VPN. I was looking for nat (outside) examples but found nothing.

Can someone help me with that?

Here is part of my config:

interface Ethernet0/0
 description TO INTERNET
 nameif outside
 security-level 0
 ip address xxx.xx.xx.xxx 255.255.255.0

interface Ethernet0/1
 description LAN
 nameif inside
 security-level 100
 ip address 172.xxx.xxx.xxx 255.255.128.0

access-list vpna extended permit ip any 192.168.125.0 255.255.255.0
ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 200.xxx.xxx.xxx
nat (inside) 0 access-list vpnassa
route outside 192.168.125.0 255.255.255.0 200.xxx.xxx.xxx 1

1 Accepted Solution


Hi,

If you're looking for the ASA to provide Internet access for the VPN clients, you need some things:

same-security-traffic permit intra-interface --> this will allow the ASA to reroute traffic back out the outside interface

nat (outside) 1 x.x.x.x mask  --> x.x.x.x is the VPN subnet

global (outside) 1 interface

Federico.


Thanks Federico!!! Yesterday I added the line same-security-traffic permit intra-interface but it didn't work. Or maybe I forgot the nat (outside).

It worked perfectly now!!

Thank you so much for your help!

praprama
Cisco Employee

Hi,

Basically you will need to add the below 2 commands on the ASA:

same-security-traffic permit intra-interface

nat (outside) 1 192.168.125.0 255.255.255.0 outside

Below is a link you might want to refer to for U-turning config on the ASA for giving VPN client internet access through the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

If you would like to provide the clients VPN access using their local gateway and not through the ASA, below is the config example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Let me know if this helps. All the best!!

Thanks and Regards,

Prapanch

I'm very glad that it works for you now :-)

And thanks for the rating too.

Federico.
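
Added example (not part of the original thread and not Cisco's code): a small Python check that reads an ASA config in the pre-8.3 `nat`/`global` syntax used above and reports which of the U-turn prerequisites named in the replies are missing for each VPN pool. The sample addresses are constructed, with documentation ranges standing in for the masked ones, and `hairpin_gaps` is a hypothetical helper name.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

def hairpin_gaps(config: str) -> list[str]:
    """List the U-turn prerequisites missing from an ASA config (pre-8.3 nat/global syntax)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    gaps = []
    if "same-security-traffic permit intra-interface" not in lines:
        gaps.append("same-security-traffic permit intra-interface")
    nats = {}         # NAT id -> networks translated when they arrive on the outside interface
    globals_ = set()  # NAT ids that have a translation address on the outside interface
    pools = []        # (name, first address, last address) of each VPN client pool
    for l in lines:
        if m := re.match(rf"nat \(outside\) (\d+) {IP} {IP}", l):
            if m.group(1) != "0":  # id 0 is NAT exemption, not translation
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                nats.setdefault(m.group(1), []).append(net)
        elif m := re.match(r"global \(outside\) (\d+) \S+", l):
            globals_.add(m.group(1))
        elif m := re.match(rf"ip local pool (\S+) {IP}-{IP}", l):
            pools.append((m.group(1), ipaddress.ip_address(m.group(2)),
                          ipaddress.ip_address(m.group(3))))
    for name, first, last in pools:
        # NAT ids whose outside rule covers the whole pool range
        ids = [i for i, nets in nats.items() if any(first in n and last in n for n in nets)]
        if not ids:
            gaps.append(f"nat (outside) <id> covering pool {name}")
        elif not globals_.intersection(ids):
            gaps.append(f"global (outside) {ids[0]} <interface|address>")
    return gaps

# Constructed sample: the poster's lines, with a documentation address in place of the masked one.
BEFORE = """
ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 203.0.113.20
"""
# The two commands from the replies, appended.
AFTER = BEFORE + """
same-security-traffic permit intra-interface
nat (outside) 1 192.168.125.0 255.255.255.0 outside
"""

if __name__ == "__main__":
    print("before:", hairpin_gaps(BEFORE))
    print("after: ", hairpin_gaps(AFTER))
```
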
