
No Internet Access for Full Tunnel

dianewalker
Level 1

We have an ASA 5550, ver. 8.0(5) and using IPSEC clients to Remote Access into the Main Office.  The Remote Access is working great with Split Tunnel.  We can access network resources and get on the internet with Split Tunnel.  However, we can only access the network resources, but no internet access for full tunnel.  Do you have any suggestions?

Thanks.

Diane

21 Replies

I think everyone's suggestions in the previous posts are correct. Did you try those suggestions all together?

1. You do need "nat (Outside) 1 192.168.10.0 255.255.255.0" if 192.168.10.0/24 is the IP pool for the VPN client.

2. You do need a valid DNS server address

3. You do need "same-security-traffic permit intra-interface"

4. You'd better remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

By the way, when you ping www.google.com, is IP resolved?

In your log, I did not see any client IP 192.168.10.x but 192.168.1.1.

Thanks for your response, Kevin.  I have tried those suggestions all together.

1.  I added the NAT (Outside) 1 192.168.10.0 and still could not get on the internet.   I removed the NAT (Inside) statements and added the Nat (Outside) 1 192.168.10.0.  I could not get to the internal resources and internet.

2.  I have a valid DNS server address

3.  I have "same-security-traffic permit intra-interface" statement

4.  Remove "route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled"

When I ping www.google.com, the IP address is not resolved.  So, I had to ping Google's IP address instead.

It was my error; the IP address should be 192.168.10.0, not 192.168.1.0.

Can you think of anything else?  Thanks.

Diane

Can you ping IP address of www.google.com successfully?

If yes, your connectivity is good. It might be just a DNS issue. When the client is connected, use "nslookup" on the client PC to see if it uses the correct DNS server and if the DNS server can resolve the name to an IP correctly.

Kevin,

I can now get on the internet.  I put both NAT statements as recommended again by Nomair_83:

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I don't know why these NAT statements did not work in the previous posts.

I would like to thank you and everyone for taking time to help me out.  You took time to read the posts and summarized what I should have in my config.  You guys are truly amazing. I will go back and rate each post.

Thanks.

Diane

Diane,

Glad you made it work.

Just FYI: after you make any change to NAT commands, you'd better do a "clear xlate".

Diane, you don't have to remove the nat (inside) commands, and nat (outside) (VPN pool IP address) is required.

Try to ping your DNS server when connected, and if it pings, then try to browse Google by IP, like http://IP of google.com.

Try in command prompt: ipconfig/flushdns

Then try to browse/ping again.

Nomair_83

I can now get on the internet.  I re-added the Nat (Outside) statement per your recommendation.  I don't know why these NAT statements did not work in the previous posts.

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Outside) 1 192.168.10.0 255.255.255.0

I want to thank you and everyone for taking time to help me out.  Your input has been very valuable.  Each of your responses has contributed to provide me with a solution.  I will go back and rate each post.

Thanks.

Diane
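
The four-point checklist from this thread, written as a config audit. This is an added example, not code from any poster or from Cisco. It assumes ASA 8.0-style (pre-8.3) NAT syntax, where a nat id needs a matching global on the egress interface; the pool name, group-policy name and DNS address in the sample are constructed.

```python
import ipaddress
import re

# Constructed ASA 8.0-style excerpt. Pool name, group-policy name and DNS
# address are hypothetical; the nat/route lines are the ones quoted in the thread.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
same-security-traffic permit intra-interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
route Inside 0.0.0.0 0.0.0.0 172.16.3.102 tunneled
group-policy RA-FULL attributes
 dns-server value 172.16.3.10
"""
QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def audit_full_tunnel(config, outside="Outside"):
    """Return findings for the thread's checklist; an empty list means all passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    iface = re.escape(outside)
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("hairpin: same-security-traffic permit intra-interface missing")
    # First address of every VPN client pool.
    pools = [ipaddress.ip_address(m.group(1)) for ln in lines
             if (m := re.match(rf"ip local pool \S+ {QUAD}-", ln))]
    # Dynamic NAT rules on the outside interface: (nat id, source network).
    nats = [(m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
            for ln in lines
            if (m := re.match(rf"nat \({iface}\) ([1-9]\d*) {QUAD} {QUAD}", ln, re.I))]
    # Assumption: pre-8.3 NAT, where a nat id only translates if a global
    # statement with the same id exists on the egress interface.
    globals_ = {m.group(1) for ln in lines
                if (m := re.match(rf"global \({iface}\) (\d+) ", ln, re.I))}
    for pool in pools:
        ids = {nat_id for nat_id, net in nats if pool in net}
        if not ids:
            findings.append(f"nat: no nat ({outside}) rule covers pool address {pool}")
        elif not ids & globals_:
            findings.append(f"nat: no global ({outside}) for nat id {sorted(ids)}")
    if any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+ tunneled", ln) for ln in lines):
        findings.append("route: tunneled default route present")
    if not any(ln.startswith("dns-server value ") for ln in lines):
        findings.append("dns: no dns-server value in any group-policy")
    return findings

if __name__ == "__main__":
    for finding in audit_full_tunnel(SAMPLE_CONFIG):
        print(finding)
```

The sample reflects the state before the fix, so it reports the missing nat (Outside) rule and the tunneled default route.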