ASA 5506X -- VPN up but no access to internet

Nogie (Beginner)

Hi,

I am trying to configure my ASA to give internet access to my "LOCAL_NETWORK" endpoints. The ASA can ping out to Google but endpoints inside the "LOCAL_NETWORK" cannot get to the internet. Also, endpoints in the "LOCAL_HOME_NETWORK" can get to the internet.

Please see the configuration and let me know what I am doing wrong. Any pointers will be much appreciated.

Thanks



Rob Ingram (VIP Expert)

@Nogie you've no NAT configured for LOCAL_NETWORK, try this:

object network LOCAL_NETWORK
nat (inside,outside) dynamic interface 

Hi,

I tried adding this entry but I still have the same problem. Any thoughts?

Thanks

@Nogie Run "show nat detail" and provide the output for review.

Run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.

Please see results of the command and packet tracer (attached)

Thanks

@Nogie well, the output of the packet-tracer confirms it should work, it uses the new NAT rule as suggested... so not sure why it should not work.

How have you been testing this? Generate real traffic; you will need to do this from a device connected to the "inside" interface, with the ASA as its default gateway.

Yes, I am using an endpoint within the LOCAL_NETWORK to test trying to actually reach https://mirrorlist.centos.org also tried https://wellsfargo.com

It appears as if the nat rule catching the traffic is the one going to the .71 site-to-site VPN network. 

@Nogie you've got a manual NAT rule that only translates traffic if it matches the exact source and destination (192.168.71.0), so unless centos.org and wellsfargo.com match 192.168.71.0 I don't see why it would match that NAT rule. Your packet-tracer simulated the same traffic flow to centos.org and that hit the correct NAT rule.

Besides, your ACL only permits traffic to CENTOS.ORG, not wellsfargo.com, unless you've modified that ACL now?

How are you testing? Can the client even resolve the centos and wellsfargo websites, is DNS configured and can the DNS server reach the internet?

Clearly my understanding of this is very poor, please be patient with me. 

The endpoints cannot resolve centos as of yet. I just tested wellsfargo as a comparison. DNS is configured on the endpoint as 8.8.8.8 but it cannot reach 8.8.8.8 to get any DNS information. 

Since the endpoints can see the ASA, can I setup the ASA as a DNS (as well as the default gateway as it is now?).

@Nogie the ACL on the inside interface was only permitting traffic to CENTOS.ORG. You would need to add other rules to permit DNS/ICMP and anything else, such as Wells Fargo.

Example: permit ICMP and DNS.

access-list IN-OUT extended permit icmp any any
access-list IN-OUT extended permit udp any any eq 53

Or remove the ACL on the inside interface for testing.
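Putting the thread's pieces together as an added example (this is assembled here, not the original poster's running config nor the attached packet-tracer output): the object NAT from Rob's first reply, an inside ACL that permits DNS and ICMP to a named resolver rather than "udp any any eq 53", ICMP inspection so echo replies are allowed back in, and the packet-tracer and show commands Rob asked for, run against the same flows a client actually generates. LOCAL_NETWORK, IN-OUT, the inside/outside interface names and 8.8.8.8 are from the thread; the 192.168.10.0/24 subnet, the client host 192.168.10.50 and the object name DNS_GOOGLE are assumptions. Parts 1 to 4 are configuration mode; part 5 is exec mode.

```cisco
! Added example, not the poster's config. LOCAL_NETWORK, IN-OUT and 8.8.8.8 are
! from the thread; 192.168.10.0/24, host .50 and DNS_GOOGLE are assumed values.

! 1. Object (auto) NAT: PAT the inside subnet behind the outside interface address.
object network LOCAL_NETWORK
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 2. Name the resolver so the DNS rule is scoped to it instead of "any any".
object network DNS_GOOGLE
 host 8.8.8.8

! 3. Inside ACL. An ACL bound to an interface ends in an implicit deny, so an ACL
!    that only permitted centos.org also dropped the DNS lookups and pings that
!    had to succeed first. Permit name resolution, echo requests and web traffic.
access-list IN-OUT extended permit udp 192.168.10.0 255.255.255.0 object DNS_GOOGLE eq 53
access-list IN-OUT extended permit tcp 192.168.10.0 255.255.255.0 object DNS_GOOGLE eq 53
access-list IN-OUT extended permit icmp 192.168.10.0 255.255.255.0 any echo
access-list IN-OUT extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list IN-OUT extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-group IN-OUT in interface inside

! 4. Without ICMP inspection the echo replies coming back from 8.8.8.8 are not
!    matched to a connection and are dropped on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp

! 5. Verify with the flows a client sends. The ASA's own "ping 8.8.8.8" is
!    sourced by the firewall itself and does not pass through the inside ACL
!    or the NAT rule, so it proves nothing about the client path.
packet-tracer input inside udp 192.168.10.50 40000 8.8.8.8 53
packet-tracer input inside icmp 192.168.10.50 8 0 8.8.8.8
packet-tracer input inside tcp 192.168.10.50 40001 8.8.8.8 443
show nat detail
show access-list IN-OUT
```

After a real test from a client, the hitcnt on the IN-OUT lines and the translate_hits on the LOCAL_NETWORK rule in show nat detail should increment; if a client still cannot resolve, the last phase of packet-tracer reports DROP with a Drop-reason naming the ACL or NAT step responsible. Taking the ACL off the inside interface for testing, as suggested above, falls back to the default higher-to-lower security-level permit, which is fine as a temporary check but should not be left as the final state.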

I owe you a bottle of wine (or spirit of your choice!). I really appreciate your patience and expertise.

Thanks

Hi, I tried this but still having the same problem. Any thoughts?

Thanks

Can you ping 8.8.8.8 after you add the dynamic NAT as @Rob Ingram mentioned?

see comment below 

Yes, from the ASA itself I have always been able to ping 8.8.8.8 but not from any endpoint within the LOCAL_NETWORK subnet.

#####
Mt-Kilimanjaro-ASA5506X-CLN(config-network-object)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
Mt-Kilimanjaro-ASA5506X-CLN(config-network-object)# exit
Mt-Kilimanjaro-ASA5506X-CLN(config)# sh ru
####
