Unable to access internet from local subnets however everything else working

kridge (Level 1)

I recently set up a VPN to a remote site, and that remote site has multiple subnets. The VPN is up and running and the subnets can access the main site and its resources fine through the VPN, except the internet. Meaning I am unable to access the internet from any of the subnets using a browser. If I start typing in a browser search bar, the browser will even return possible results (see attached image browser.jpg), but if I click on any of the results, I get "page cannot be displayed". If I run packet-tracer using the IP of a wireless laptop to yahoo.com's IP, the result shows dropped by implicit rule (see attached image and also .txt). I've also included the ASA5505 config. Please advise.


6 Replies

@kridge 

You've got an inbound ACL on the inside interface which only permits traffic to/from your DC; you'll also need to permit to "any" if you want to access the internet.

You also do not have a Dynamic PAT rule to translate your internal networks so they can access the network. Bear in mind that once you enable this, you'll also need a NAT exemption rule to ensure traffic over the VPN is not unintentionally translated.

Hi Rob,

Thanks for the response and for pointing me in the right direction. I'm now able to access the internet from the 10.0.5.x subnet but not the others (10.10.x.x, 10.20.x.x, 10.30.x.x, etc.). I've attached my updated config.

@kridge 

Try:-

object network 10.10.1.0
nat (inside,outside) dynamic interface
object network 10.20.1.0
nat (inside,outside) dynamic interface

If that doesn't work, run packet-tracer from the CLI and provide the output, e.g. (amend for each subnet):

packet-tracer input inside tcp 10.10.1.5 3000 8.8.8.8 80


10.10.1.0 and 10.20.1.0 are subnets on the data center side, and I was not sure if you wanted me to run the NAT statements for these subnets on the remote ASA5505 or change them to 10.10.5.0 and 10.20.5.0, so I ran both and posted the results separately in the attached documents. When I ran the NAT statements with the 10.x.5.x subnets, the packet-tracer result action was "allow", but I was still unable to access the internet (from those subnets). I am also attaching the current config because of changes I made before your last reply.

@kridge OK, no, my mistake, I mistyped those networks. If the packet-tracer result is "allow" for the correct networks, then are the devices on those networks configured with DNS servers that can resolve the websites?

From the CLI of a computer on one of the remote networks, ping 8.8.8.8 - what is the result? Then ping www.google.com. If you get a response from 8.8.8.8 and not from pinging the FQDN, it could be a DNS issue.

If you still have an issue, take a packet capture from the ASA and/or the computer and provide the pcap; that'll help identify the issue.
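The pieces Rob describes across his replies (a dynamic PAT rule per remote subnet, a NAT exemption so VPN traffic to the DC is not translated, an inside ACL that also permits "any", and packet-tracer/capture checks for the DNS step) pulled together into one ASA configuration fragment, as an added example that is not from this thread or from kridge's attached config. The remote subnet 10.10.5.0 and DC subnet 10.10.1.0 are the ones named in the thread; the /24 masks, the object and ACL names, the test host 10.10.5.5 and the capture name are assumptions.

```cisco
! Added example, not the config from this thread. Assumed: one remote-site
! subnet 10.10.5.0/24 behind this ASA, one DC subnet 10.10.1.0/24 reached over
! the VPN. Object names, ACL name and masks are placeholders to adjust.

! Object NAT (section 2): dynamic PAT to the outside interface address for
! internet-bound traffic from the remote subnet.
object network REMOTE-10.10.5.0
 subnet 10.10.5.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Manual NAT (section 1) identity rule, the "NAT exemption": traffic from the
! remote subnet to the DC keeps its real addresses so it matches the VPN
! crypto ACL. Section 1 is evaluated before section 2, so this wins over the
! dynamic PAT above without any ordering tricks.
object network DC-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
nat (inside,outside) source static REMOTE-10.10.5.0 REMOTE-10.10.5.0 destination static DC-10.10.1.0 DC-10.10.1.0 no-proxy-arp route-lookup

! Inside ACL: keep the existing DC permit and add a permit to any for the
! internet. If the hosts' DNS server sits in the DC, UDP/53 to it is covered
! by the first line and by the exemption; if they use a public resolver, the
! second line and the PAT rule must cover it, or names will not resolve even
! though packet-tracer to 8.8.8.8:80 shows "allow".
access-list INSIDE_IN extended permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.10.5.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! Verification. The TCP/80 trace is the one Rob asked for; the UDP/53 trace
! checks the DNS path separately, which is the split he describes with
! "ping 8.8.8.8 works but ping www.google.com does not".
packet-tracer input inside tcp 10.10.5.5 3000 8.8.8.8 80
packet-tracer input inside udp 10.10.5.5 40000 8.8.8.8 53
show nat detail
show xlate

! Capture DNS from the test host on both sides of the ASA: a packet seen on
! inside but not on outside points at the ASA (ACL/NAT); seen on outside with
! no reply points upstream (routing, resolver reachability).
capture CAP-DNS-IN interface inside match udp host 10.10.5.5 any eq 53
capture CAP-DNS-OUT interface outside match udp any any eq 53
show capture CAP-DNS-IN
show capture CAP-DNS-OUT
no capture CAP-DNS-IN
no capture CAP-DNS-OUT
```

Each additional remote subnet (10.20.5.0, 10.30.5.0 in the thread) needs its own object with the same two-line dynamic PAT, plus its own line in the identity rule and the ACL. Confirm with show nat detail that the identity rule lists translate_hits for DC-bound traffic and that the dynamic rule's counters rise only for internet-bound flows.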

kridge (Level 1)

Hi Rob! Sorry for the delayed response - I went away for Memorial weekend and am just now getting back to this. It must have been a DNS issue, because your suggested config additions posted on the 25th resolved the issue with accessing the internet from those subnets.

Although my site is functioning and I could leave it as is, I do have one other question for you if you have any suggestions; otherwise I can create another post in the future if I need to address it. One of those subnets (10.30.5.x) supports the site's wireless, and those wireless laptops are unable to access the internet (it's not critical because they can access their Remote Desktop sessions), however I was still curious if this could be overcome as well. They receive their IP addresses from a Cisco Wireless Controller (DHCP) using a virtual interface (1.1.6.1). When laptops are on the data center side of the network, they can access the internet fine, but not on the remote site. I've included a screenshot of the WLAN Controller page with the virtual interface just to help clarify if needed.

Anyway, if you have any suggestions, great! If not, that's OK too. Either way, thank you so much for your time, and I can't tell you how much I appreciate you helping! Cheers!
