06-28-2011 09:10 PM - edited 02-21-2020 05:25 PM
I have set up a remote access IPsec VPN on an ASA 5520. I can connect and ping internal IP addresses; however, I cannot ping back out to the internet, nor can the internal network ping the VPN clients, and DNS resolution, internal or external, does not work. I am seeing nothing blocked in the logs on the ASA. Any suggestions on where to start troubleshooting?
06-28-2011 09:34 PM
First question is: do you configure the remote VPN client with split tunneling or without split tunneling?
If it's with split tunneling, it will use the VPN client's local internet for anything which is not defined in the split-tunnel ACL.
If it's no split tunnel (tunnelall), then all traffic is being routed back towards the ASA, and for any internet traffic you would also need to configure PAT for the VPN pool subnet so it is PATed to a public IP; you also need to enable "same-security-traffic permit intra-interface" on the ASA.
06-29-2011 06:30 AM
There is no split tunneling, and I do have the same-security-traffic permit intra-interface option turned on.
06-30-2011 12:09 PM
Hi,
In addition to the above, you may need:
1. nat (outside) 1 <remote VPN pool address> --> allows the VPN clients out to the outside.
2. I guess you already have nat (inside) 0 ACL -> inside --> VPN pool subnet; if so, enable debug icmp trace and check where the packets are dropped for 'ping' from inside.
hth
MS
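Putting the two replies together, here is what the tunnelall "hairpin" configuration looks like on a pre-8.3 ASA (the nat/global syntax the replies use). This is an added illustration, not configuration from the original thread or from the poster's ASA: the VPN pool 192.168.100.0/24, the inside subnet 10.1.1.0/24, the ACL and group-policy names, and the DNS server address are all constructed placeholders.

```cisco
! --- constructed example; all names and addresses are placeholders ---

! Allow traffic that arrived on "outside" (from the tunnel) to leave on
! "outside" again. Without this the ASA silently drops the hairpin flow.
same-security-traffic permit intra-interface

! Address pool handed to remote-access clients (placeholder range)
ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 1. Identity (NAT-exempt) rule: inside <-> VPN pool must not be
!    translated, otherwise inside hosts cannot reach or ping the clients.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. PAT the VPN pool to the outside interface address so client internet
!    traffic that came in through the tunnel can go back out. The
!    nat (outside) line only works together with a matching global (outside).
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0

! 3. Full tunnel plus an internal DNS server pushed to the client. With
!    tunnelall the client can only resolve names through a server that is
!    reachable via the tunnel, so one must be assigned here.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.53
 default-domain value example.internal
```

To confirm the rules took effect, `show nat` and `show xlate` list the translations the ASA is building, and `debug icmp trace` (as suggested above) shows at which interface a ping from inside to a client, or from a client to the internet, stops. On ASA 8.3 and later the same intent is expressed with objects instead: `nat (outside,outside) dynamic interface` under an `object network RA_POOL` for the pool PAT, and a twice NAT identity rule of the form `nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RA_POOL RA_POOL` in place of the `nat (inside) 0` exemption.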