02-24-2010 02:49 PM
We have an ASA 5550, ver. 8.0(5) and using IPSEC clients to Remote Access into the Main Office. The Remote Access is working great with Split Tunnel. We can access network resources and get on the internet with Split Tunnel. However, we can only access the network resources, but no internet access for full tunnel. Do you have any suggestions?
Thanks.
Diane
02-25-2010 09:44 PM
Diane,
You need to NAT your RA VPN pool network using your global interface NAT ID 1.
For full tunnel, add two more statements:
same-security-traffic permit intra-interface
nat (outside) 1
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
Regards
03-09-2010 10:42 AM
Hi,
Can you please tell me why your techsupport group policy doesn't have DNS configured?
Since you are using full tunnel, you won't be able to access your home internet once connected, so you have to have DNS configured under the group policy to use the company internet.
HTH
03-09-2010 11:24 AM
OK, try adding the following (without removing DNS):
sysopt connection permit-vpn
nat(outside) 1 (vpn pool)
Then enable logging on the ASA, i.e. logging buffered debugging and logging enable.
Then reconnect the client and try to ping google.com or Google's IP, then tracert www.google.com and paste the log output here.
Using show logging you should get any specific logs related to techsupport.
03-09-2010 02:19 PM
You have this in your config:
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
This is causing all traffic from the VPN clients to be routed to the internal gateway (which will probably send it back to the ASA, but then you're going to have asymmetric traffic etc., so this is never going to work).
Do you really need this? If not: remove it, otherwise replace it with something like
route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled
hth
Herbert
03-09-2010 11:23 PM
I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?
1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the VPN client.
2. You do need a valid DNS server address.
3. You do need "same-security-traffic permit intra-interface".
4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled".
By the way, when you ping www.google.com, is the IP resolved?
In your log, I did not see any client IP 192.168.10.x, but 192.168.1.1.
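The checklist above (pool NAT on the outside interface, DNS in the group policy, intra-interface permit, no tunneled default route) can be verified mechanically against a sanitized running-config before the next client test. The following is an added example written for this thread, not Cisco code and not the poster's config: it takes the pool 192.168.10.0/24, the interface names Inside/Outside and the group-policy name "techsupport" from the thread, and the two sample configs and the DNS address 10.10.10.5 are constructed for illustration.

```python
"""Check an ASA 8.x-style configuration for the full-tunnel remote-access
prerequisites collected in this thread.  Added example: not Cisco's code
and not the poster's configuration."""
import ipaddress
import re

# Constructed sample: the state described mid-thread.  Two problems are
# left in on purpose: no DNS under the group-policy, and the tunneled
# default route that pushes every client packet to 172.16.3.102.
BROKEN_CONFIG = """\
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 1 192.168.10.0 255.255.255.0
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
ip local pool techsupport_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
group-policy techsupport internal
group-policy techsupport attributes
 split-tunnel-policy tunnelall
"""

# Constructed sample: the same config with the checklist applied
# (narrowed tunneled route, DNS server added; 10.10.10.5 is an assumed value).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled",
    "route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled",
) + " dns-server value 10.10.10.5\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) tunneled$")


def group_policy_attrs(config, name):
    """Collect the indented lines under 'group-policy <name> attributes'."""
    attrs, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"group-policy {name} attributes"):
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                attrs.append(line.strip())
            else:
                inside = False
    return attrs


def check_full_tunnel(config, pool="192.168.10.0/24", outside="Outside",
                      policy="techsupport"):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    pool_net = ipaddress.ip_network(pool)

    # 1. Hairpinning: client traffic enters and leaves on the outside interface.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing 'same-security-traffic permit intra-interface'")

    # 2. The pool must be translated by a NAT ID that has a global on the outside.
    global_ids = {m.group(2) for m in map(GLOBAL_RE.match, lines)
                  if m and m.group(1).lower() == outside.lower()}
    if not global_ids:
        findings.append(f"no 'global ({outside}) <id> ...' statement")
    covered = False
    for m in filter(None, map(NAT_RE.match, lines)):
        iface, nat_id, net, mask = m.groups()
        if iface.lower() == outside.lower() and nat_id in global_ids:
            if pool_net.subnet_of(ipaddress.ip_network(f"{net}/{mask}", strict=False)):
                covered = True
    if not covered:
        findings.append(f"VPN pool {pool} is not covered by a 'nat ({outside}) <id>' "
                        "that matches the outside global")

    # 3. A tunneled default route sends all decrypted client traffic inside.
    for m in filter(None, map(ROUTE_RE.match, lines)):
        iface, net, mask, gw = m.groups()
        if ipaddress.ip_network(f"{net}/{mask}", strict=False).prefixlen == 0:
            findings.append(f"tunneled default route via {gw} on {iface}: "
                            "remove it or narrow it to the internal prefixes")

    # 4. Full-tunnel clients can only resolve names through the company DNS.
    if not any(a.startswith("dns-server value") for a in group_policy_attrs(config, policy)):
        findings.append(f"group-policy {policy} has no 'dns-server value'")

    # 5. If the ACL bypass for VPN traffic was switched off, the interface ACL applies.
    if "no sysopt connection permit-vpn" in lines:
        findings.append("'no sysopt connection permit-vpn' present: decrypted "
                        "traffic must be permitted by the interface ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_full_tunnel(cfg) or ["ok"])
```

Run it against a `show running-config` saved to a file (read the file into `check_full_tunnel`); on the constructed samples it reports the tunneled default route and the missing DNS server for the broken config and nothing for the fixed one. The check is deliberately narrow: it only covers the statements named in this thread, so a clean result does not prove the tunnel works, only that these specific prerequisites are in place.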
03-10-2010 11:07 AM
Diane, you don't have to remove the nat (inside) commands, and nat (outside) (vpn pool IP address) is required.
Try to ping your DNS server when connected, and if it pings then try to browse Google by IP, like http://IP of google.com.
Try in a command prompt: ipconfig /flushdns
Then try to browse/ping again.
03-10-2010 12:09 PM
Diane,
Glad you made it work.
Just FYI: after you make any change to the NAT commands, you'd better do a "clear xlate".
02-24-2010 03:34 PM
Hi Diane,
Is that EZVPN? If the source is a private IP, it will not access the internet. It has to be somehow NATted at the main office before getting to the internet.
HTH,
Lei Tian
02-25-2010 08:45 PM
Thanks for your prompt response, Lei.
It is not EZVPN. I have NAT statements:
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-list Inside_nat0_outbound extended permit ip any 10.100.24.0 255.255.248.0
Do you see anything wrong with the nat statements? I am missing something.
Thanks.
Diane
03-03-2010 11:10 AM
Hi Jorge,
Thanks very much for the info. I still cannot access the internet after adding those two statements. Do you have any other suggestions?
Thanks.
Diane
03-03-2010 03:48 PM
Can you post a sanitized ASA config?
03-04-2010 03:32 PM
Thanks Jorge for your prompt response. Attached is the config file. The SWS and Marketing groups can access the internal resources and the internet. However, the Techsupport group can only access the internal resources and has no internet access. The Techsupport group is set up as full tunnel.
Please let me know if you have any questions or need additional information.
Thanks very much for taking time to help me out.
Diane
03-09-2010 08:32 AM
Jorge,
Do you have any suggestions on how to debug why the full tunnel does not work?
Thanks.
Diane
03-09-2010 11:01 AM
Thanks for taking time to respond. I did not know that I need to put in the DNS for the group Techsupport. Anyway, I put in the company DNS and still Techsupport cannot get to the internet. Do you have any other suggestions? Is there a way to debug why full tunnel can't get to the internet?
Thanks.
Diane
03-09-2010 11:26 AM
sorry I forgot one more command to configure which is sysopt connection permit-vpn
03-09-2010 01:31 PM
Thanks for your prompt response. What is the statement "sysopt connection permit-vpn"? Do I remove it when I finish debugging?
Can you NAT inside and outside? I kept the DNS and added the NAT statement per your recommendation. So, I have
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 1 192.168.10.0 255.255.255.0
Let me know if these are NOT correct.
Info:
My computer IP address 10.10.10.227
VPN pool 192.168.10.0 255.255.255.0
Subnet from the Management computer 172.16.163.0
Google IP address 66.102.7.147
I was not able to ping www.google.com or tracert to www.google.com. So, I did a tracert to Google's IP address 66.102.7.147. Attached is the log file.
Thanks.
Diane
03-09-2010 02:43 PM
Thanks for your response, Herbert. Can you explain to me what asymmetrical traffic is? I am not sure if I needed that route statement "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled". Removing that route statement makes no difference. I still could not get on the internet. Do you have any other suggestions?
Thanks.
Diane