02-19-2017 07:38 PM - edited 02-21-2020 09:10 PM
Hi,
I have configured a Cisco remote IPsec VPN and enabled split tunneling.
However, the users are able to access internet after connection but not the local area network behind the firewall.
The vpn group is francevpn.
Config attached.
02-19-2017 08:11 PM
Hi
To allow vpn users to access your inside you're missing the nonat statement:
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.47.0 255.255.255.0
--> you need to add ACL statements for all of your VPN pools
nat (inside) 0 access-list nonat
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-19-2017 09:19 PM
Hi
I have used the below command for the VPN pool subnet to access the inside network. Still no luck.
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.53.0 255.255.255.0
nat (inside) 0 access-list nonat
Am I missing something again? Please advise.
02-20-2017 07:05 AM
Hi
Any further suggestions, anyone?
I know it's related to NAT entry as I am getting decaps but no encaps.
02-20-2017 08:18 AM
Could you add the following command and let us know (keep the ACL and NAT statements you added before):
same-security-traffic permit intra-interface
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-20-2017 01:26 PM
Hi
These are the commands that I entered
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.47.0 255.255.255.0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
Using mobilvpn as the VPN group: with this I am able to access the internal network but not the internet when connected.
Do you need any logs from the ASA?
Thanks in advance
02-20-2017 03:23 PM
Hi
Sorry, I was only looking at solving your issue with NAT exemption.
To NAT your VPN pool and also all of inside for internet access, you'll need to add the following lines:
nat (outside) 1 10.20.47.0 255.255.255.0 ==> your VPN pool, to grant access to the internet
nat (inside) 1 0.0.0.0 0.0.0.0
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-20-2017 05:19 PM
Hi
Still having the same issue of remote VPN users not able to access internet on their end.
Able to access the inside network (the site they are connecting to via the Cisco VPN client) without any issue.
Is my split tunneling configuration okay?
Thanks
02-20-2017 06:14 PM
What's the group-policy you're using?
02-20-2017 07:59 PM
Hi,
With group policy francevpn (tunnel-group francevpn) I am able to access the internet on my end while connected to the VPN client, but not able to access the inside network.
With group policy MobilGrp (tunnel-group mobilvpn) I am able to access the inside network but not able to browse the internet.
Thanks
02-20-2017 08:11 PM
OK, could you paste the actual config so I can see what changes have been done and what is missing?
02-21-2017 12:59 AM
Attached is the config.
02-21-2017 12:59 AM
Hi
Any suggestions as to what configuration is missing?
Thanks
02-21-2017 05:41 AM
OK, sorry for my late input, but I'm in the EST time zone and I don't know which time zone you're in.
Your concern is to give internet access to your mobilpool VPN, right? It's 10.20.47.0/24.
I took a look at your ACL: you authorized some access, but not everything to the internet.
For test purposes, can you add the following ACLs and try again:
access-list outside_access_in extended permit tcp 10.20.47.0 255.255.255.0 any eq www
access-list outside_access_in extended permit tcp 10.20.47.0 255.255.255.0 any eq https
Maybe after all the allows, you should add a deny from that subnet to all private RFC 1918 subnets and allow everything else going to the internet, based on what you want to achieve.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-21-2017 03:07 PM
Hi
Added the ACLs to the ASA, but the internet still won't work.
Are there any other details we are missing?
I am in the AEST time zone.
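Editor's note, added to this thread: the fragment below is a constructed illustration in the same ASA 8.2-style syntax the replies use, not the original poster's attached config or Cisco's own example. It puts the pieces discussed above (split-tunnel ACL, NAT exemption, hairpin NAT) side by side, using the subnets quoted in the thread (inside 10.30.1.0/24, pool 10.20.47.0/24). The pool name mobilpool, the ACL name split_inside, the global statement, and the assignment of francevpn as split-tunnel and MobilGrp as tunnel-all are assumptions; the symptoms suggest that pairing but the thread never confirms it.

```cisco
! Constructed illustration, not the poster's config. ASA 8.2-style syntax as in the thread.
! Assumed names: mobilpool, split_inside. Assumed policy roles: francevpn = split tunnel,
! MobilGrp = tunnel-all.
!
! 1. Split tunnel: only the inside LAN goes through the tunnel. Internet traffic leaves the
!    client's own connection and never reaches the ASA, so no outside NAT is involved.
ip local pool mobilpool 10.20.47.1-10.20.47.254 mask 255.255.255.0
access-list split_inside standard permit 10.30.1.0 255.255.255.0
group-policy francevpn internal
group-policy francevpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_inside
tunnel-group francevpn general-attributes
 address-pool mobilpool
 default-group-policy francevpn
!
! 2. NAT exemption for both policies: inside -> pool traffic must not be translated, or the
!    return packets are NATed and never re-encrypted to the client (decaps without encaps).
!    Check: the destination here must be the pool actually assigned to the group; the thread
!    quotes both 10.20.47.0 and 10.20.53.0, and an entry for the wrong pool exempts nothing.
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.47.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Tunnel-all: every client packet, internet included, enters and leaves on the outside
!    interface, so intra-interface (hairpin) forwarding plus PAT for the pool are required.
group-policy MobilGrp internal
group-policy MobilGrp attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
nat (outside) 1 10.20.47.0 255.255.255.0
global (outside) 1 interface
!
! Note: with the default "sysopt connection permit-vpn", decrypted VPN traffic bypasses the
! outside interface ACL, so outside_access_in entries do not gate the pool's internet access.
```

The quick diagnostic the thread already relies on still applies: "show crypto ipsec sa" showing decaps climbing while encaps stay at zero points at NAT or routing on the ASA side, not at the client or the split-tunnel list.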