1372 Views, 0 Helpful, 3 Replies

ASA 5520 ipsec vpn dns issues

warriorforGod
Level 1

I have set up a remote access IPsec VPN on an ASA 5520. I can connect and ping internal IP addresses; however, I cannot ping back out to the internet, nor can the internal network ping the VPN clients, and DNS resolution, internal or external, does not work. I am seeing nothing blocked in the logs on the ASA. Any suggestions on where to start troubleshooting?

3 Replies

Jennifer Halim
Cisco Employee

First question is: did you configure the remote VPN client with split tunnelling or without split tunnelling?

If it's with split tunneling, it will use the vpn client local internet for anything which is not defined in the split tunnel ACL.

If it's no split tunnel (tunnelall), then all traffic is being routed back towards the ASA and for any internet traffic, you would also need to configure PAT for the vpn pool subnet so it is PATed to a public IP, and you also need to enable "same-security-traffic permit intra-interface" on the ASA.

There is no split tunneling, and I do have the same-security-traffic permit intra-interface option turned on.

Hi,

In addition to the above, you may need:

1. nat (outside) 1 <remote vpn pool address> --> allows the VPN clients to reach the outside.

2. I guess you already have nat (inside) 0 ACL -> inside --> VPN pool subnet; if so, enable debug icmp trace and check where the packets are dropped for 'ping' from Inside.

hth

MS
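The two replies above (hairpinning plus PAT for the VPN pool with tunnelall, and the NAT exemption plus `debug icmp trace` check) fit together into one configuration. The fragment below is an added example written for this thread, not configuration posted by the OP or by Cisco; it uses the pre-8.3 `nat`/`global` syntax that the replies use. The addresses (10.1.1.0/24 inside, 192.168.100.0/24 VPN pool, 10.1.1.10 as internal DNS), the names VPNPOOL, NONAT and VPNPOLICY, and the domain example.com are all constructed placeholders.

```cisco
! Allow traffic that arrives on the outside interface (the VPN clients) to leave
! through the same interface again, which tunnelall Internet traffic must do.
same-security-traffic permit intra-interface

! Address pool handed to the IPsec remote-access clients (constructed example range).
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! NAT exemption: inside <-> VPN pool must NOT be translated, otherwise inside
! hosts reply to a translated address and pings to the clients fail.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Without split tunneling every client packet comes back to the ASA, so the
! pool has to be PATed to the outside interface address for Internet-bound traffic.
nat (outside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! With tunnelall, the clients can only resolve names through a DNS server that
! is reachable over the tunnel; push the internal resolver to them.
group-policy VPNPOLICY attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10
 default-domain value example.com

! Checks suggested by the replies: watch ICMP through the box, and simulate an
! inside host pinging a connected client to see which phase drops the packet.
! debug icmp trace
! packet-tracer input inside icmp 10.1.1.10 8 0 192.168.100.5
! show xlate
```

Run `packet-tracer` in both directions (inside to pool, and outside with a pool source to an Internet address) and look at the NAT and ACL phases; a translated source on the inside-to-pool path means the exemption ACL is missing or does not match the pool, and a drop on the pool-to-Internet path with no matching xlate points at the missing PAT for the pool. On ASA 8.3 and later the same intent is expressed with object NAT and `nat (inside,outside) source static ...` twice NAT instead of `nat (inside) 0` and `global`.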
