
No Internet Access for Full Tunnel

dianewalker
Level 1

We have an ASA 5550, ver. 8.0(5) and using IPSEC clients to Remote Access into the Main Office.  The Remote Access is working great with Split Tunnel.  We can access network resources and get on the internet with Split Tunnel.  However, we can only access the network resources, but no internet access for full tunnel.  Do you have any suggestions?

Thanks.

Diane

7 Accepted Solutions

I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?

1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the VPN client.

2. You do need a valid DNS server address

3. You do need "same-security-traffic permit intra-interface"

4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

By the way, when you ping www.google.com, is IP resolved?

In your log, I did not see any client IP 192.168.10.x but 192.168.1.1.

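The four items in the list above, together with the sysopt and clear xlate commands mentioned elsewhere in the thread, combined into one ASA 8.0 configuration fragment. This is an added illustration, not Diane's posted config or a Cisco example: the "before" lines are the ones she posted, the pool 192.168.10.0/24 and the gateway 172.16.3.102 come from the thread, and the group-policy name Techsupport and the DNS address 192.0.2.53 are assumptions (placeholders for the real ones).

```cisco
! --- Before (the lines as posted): the 192.168.10.0/24 pool has no
! --- NAT rule, hairpinning is off, the group policy has no DNS, and a
! --- default tunneled route hands every client packet to the internal
! --- gateway instead of the normal default route.
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-list Inside_nat0_outbound extended permit ip any 10.100.24.0 255.255.248.0
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled

! --- After: the four changes from the list above, applied together.
! 1. Translate the VPN pool with the same global ID 1 as the inside
!    hosts, so decrypted client traffic is PATed to the Outside address.
!    (The existing "global (Outside) 1 interface" stays as it is.)
nat (Outside) 1 192.168.10.0 255.255.255.0
! 2. Give full-tunnel clients a DNS server they can reach through the
!    tunnel. 192.0.2.53 is a placeholder; use the company DNS server.
!    Techsupport is the assumed name of the full-tunnel group policy.
group-policy Techsupport attributes
 dns-server value 192.0.2.53
 split-tunnel-policy tunnelall
! 3. Allow traffic to enter and leave the Outside interface (hairpin),
!    which is what a full-tunnel client's internet traffic must do.
same-security-traffic permit intra-interface
! 4. Remove the default tunneled route. With it in place, client traffic
!    bound for the internet is forwarded to 172.16.3.102, which may send
!    it straight back to the ASA (asymmetric path).
no route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
! If a tunneled route is needed at all, scope it to the internal range:
route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled
! Let decrypted VPN traffic bypass the Outside interface ACL, then clear
! the translation table so existing sessions pick up the new NAT rules.
sysopt connection permit-vpn
clear xlate
```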

Diane, you don't have to remove the nat (inside) commands, and nat (outside) (vpn pool IP address) is required.

Try to ping your DNS server when connected, and if it pings then try to browse Google by IP, like http://IP of google.com.

Try, in a command prompt, ipconfig /flushdns

then try to browse/ping again.

Diane,

Glad you made it work.

Just FYI. After you do any change on NAT commands, you'd better do a "clear xlate".

21 Replies

Lei Tian
Cisco Employee

Hi Diane,

Is that EZVPN? If the source is a private IP, it will not access the internet. It has to be somehow NATted at the main office before getting onto the internet.

HTH,

Lei Tian

Thanks for your prompt response, Lei.

It is not EZVPN.  I have these NAT statements:

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound extended permit ip any 10.100.24.0 255.255.248.0

Do you see anything wrong with the nat statements?  I am missing something.

Thanks.

Diane

Diane,

You need to NAT your RA VPN pool network using your global interface NAT ID 1.

For full tunnel, add two more statements:

same-security-traffic permit intra-interface

nat (outside) 1

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Regards

Jorge Rodriguez

Hi Jorge,

Thanks very much for the info.  I still cannot access the internet after adding those two statements.  Do you have any other suggestions?

Thanks.

Diane

Can you post a sanitized ASA config?

Jorge Rodriguez

Thanks Jorge for your prompt response.  Attached is the config file.  The SWS and Marketing groups can access the internal resources and internet.  However, the Techsupport group can only access the internal resources and no internet access.  The Techsupport group is setup as full tunnel.

Please let me know if you have any questions or need additional information.

Thanks very much for taking time to help me out.

Diane

Jorge,

Do you have any suggestions on how to debug why the full tunnel does not work?

Thanks.

Diane

Hi,

Can you please tell me why your techsupport group policy doesn't have DNS configured?

Since you are using full tunnel, you won't be able to access your home internet once connected, so you have to have DNS configured under the group policy to use the company internet.

HTH

Thanks for taking time to respond.  I did not know that I need to put in the DNS for the group Techsupport.  Anyway, I put in the company DNS and still Techsupport cannot get to the internet.  Do you have any other suggestions?  Is there a way to debug why full tunnel can't get to the internet?

Thanks.

Diane

OK, try adding the following (without removing DNS):

sysopt connection permit-vpn

nat (outside) 1 (vpn pool)

Then enable logging on the ASA, i.e. logging buffered debugging and logging enable.

Then reconnect the client and try to ping google.com or the Google IP, then tracert www.google.com, and paste the log output here.

By using show logging you should get any specific logs related to techsupport.

Sorry, I forgot one more command to configure, which is sysopt connection permit-vpn

Thanks for your prompt response.  What is the statement "sysopt connection permit-vpn"?  Do I remove it when I finish debugging?

Can you nat inside and outside?  I kept the DNS and added the NAT statement per your recommendation.  So, I have

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

Let me know if these are NOT correct.

Info:

My computer IP address 10.10.10.227

VPN pool 192.168.10.0 255.255.255.0

Subnet from the Management computer 172.16.163.0

Google IP address 66.102.7.147

I was not able to ping www.google.com or tracert to www.google.com. So, I did a tracert to Google's IP address 66.102.7.147.   Attached is the log file.

Thanks.

Diane

You have this in your config:

route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled

This is causing all traffic from the vpnclients to be routed to the internal gateway (which will probably send it back to the ASA, but then you're going to have asymmetric traffic etc. so this is never going to work).

Do you really need this? If not: remove it, otherwise replace it with something like

route Inside 172.16.0.0 255.240.0.0 172.16.3.102 tunneled

hth

Herbert

Thanks for your response, Herbert.  Can you explain to me what asymmetrical traffic is?  I am not sure if I needed that route statement "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled".  Removing that route statement makes no difference.  I still could not get on the internet.  Do you have any other suggestions?

Thanks.

Diane