cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1460
Views
5
Helpful
14
Replies
hxmengmetro
Beginner

No internet access through VPN router

Hi All,

I have setup one Cisco 851 router to do a site-to-site VPN to ASA5510. The VPN is working fine. I can reach any host behind ASA5510. But the host behind Cisco 851 can't go to the internet. I only configure the traffic to the subnet behind ASA5510 to go through VPN tunnel. The other traffic will go through 851's internet connection. The part of configuration is listed below. The traffic except the VPN will nat through Fa4. Do I miss something here?

Any help is appreciated.

interface FastEthernet4
ip address 24.xx.xx.xx 255.255.255.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
crypto map SITE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.xx.xx.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip tacacs source-interface Vlan1
!
ip access-list extended SITE
permit ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
ip access-list extended nonat
deny   ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
permit ip 10.5.x.0 0.0.0.255 any

Lou

2 ACCEPTED SOLUTIONS

Accepted Solutions
Jennifer Halim
Cisco Employee

Base on the subset of configuration, it looks correct, you should be able to browse to the Internet with the NAT configuration.

Do you have any ACL applied to your inside interface that might be blocking the access? If you perform traceroute, where does the traffic stop?

View solution in original post

Sorry, I might have missed your post earlier.

To answer your question, on the ASA, yes, you would need to configure NAT for the traffic from the router LAN.

Assuming your outside interface is called outside, and you have global statement with id 1:

nat (outside) 1 10.5.0.0 255.255.255.0

same-security-traffic permit intra-interface

That would also the 10.5.0.0/24 subnet to dynamically get PATed to the same global ip address configured, and allow traffic U-Turn on the ASA outside interface.

Hope that helps.

View solution in original post

14 REPLIES 14
Jennifer Halim
Cisco Employee

Base on the subset of configuration, it looks correct, you should be able to browse to the Internet with the NAT configuration.

Do you have any ACL applied to your inside interface that might be blocking the access? If you perform traceroute, where does the traffic stop?

View solution in original post

Thanks for your help. Yes, I missed one thing for it, the DNS settings. Forgot it last time.

The other question, if I want all the traffic go through VPN. So I need change my filter traffic from 10.x.x.0 255.0.0.0 to 0.0.0.0 0.0.0.0, right? The reason I want to do that is I want all the traffic go through the content filtering in the HQ.

Thanks.

Lou

From 10.x.x.0 255.0.0.0 to "any", yes, you are correct. However, you would also need to configure the same on the other end. Also remember the NAT exemption ACL.

Hi,

I added any to 10.5.x.x/24 in both 851 and ASA. Both ends matched. But still no internet traffic goes through. I see the packet coming from 851 gets into the ASA and then dropped by ASA. The packet tracer in ASA shows that. It is dropped by implict ACL rule on outside interface.

So this internet traffic coming through VPN gets routed by default route (any any internetedgeinterface). Then it doesn't go through the NAT and content filtering at all. I think this should be caused no NAT configured for this traffic. Currently all the outbound traffic through inside interface has a dynamic NAT. This traffic coming from outside needs another seperate NAT on outside interface. But when I tried to add one on outside interface, It doesn't allow me choose the usual internet edge IP. It only keeps the original IP to go out.

Please advise. Really appreciated.

Lou

Anyone can help this? Thanks.

Anyone can help? Thanks a lot!

Lou

Sorry, I might have missed your post earlier.

To answer your question, on the ASA, yes, you would need to configure NAT for the traffic from the router LAN.

Assuming your outside interface is called outside, and you have global statement with id 1:

nat (outside) 1 10.5.0.0 255.255.255.0

same-security-traffic permit intra-interface

That would also the 10.5.0.0/24 subnet to dynamically get PATed to the same global ip address configured, and allow traffic U-Turn on the ASA outside interface.

Hope that helps.

View solution in original post

Thanks a lot for your quick response. I configured "same-security-traffic permit intra-interface" and NAT for outside interface:

nat (outside) 1 10.5.0.0 255.255.255.0

same-security-traffic permit intra-interface

But when I packet trace the packet from outside interface, it still gets denied by implicit rule. It seems like "same-security-traffic permit intra-interface" doesn't take effect.

ASA# packet-tracer input outside tcp 10.5.0.200 www 69.147.125.65 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Do you mind sharing the full ASA config? It might be something else that might be the problem.

Sorry to get back late. Stuck on something else these days.

Here is the related configuration for the VPN:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.41.117.68
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

nat (outside) 1 10.5.0.0 255.255.255.0
nat (outside) 1 10.7.0.0 255.255.255.0
nat (outside) 1 10.8.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0


access-list inside_nat0_outbound line 8 extended permit ip any 10.5.0.0 255.255.255.0

access-list outside_1_cryptomap line 1 extended permit ip any 10.5.0.0 255.255.255.0

same-security-traffic permit intra-interface

route outside 0.0.0.0 0.0.0.0 64.220.22.33 1
route inside 10.0.0.0 255.0.0.0 10.11.11.11 1
route outside 10.5.0.0 255.255.255.0 64.220.22.33 1
route outside 10.7.0.0 255.255.255.0 64.220.22.33 1
route outside 10.8.0.0 255.255.255.0 64.220.22.33 1
route outside 10.107.0.0 255.255.255.0 64.220.22.33 1

Hey,

Could you also post the output of "show run global"? Packet tracer for VPN traffic at times does not give the right results. Do you see any syslogs on the ASA when accessing the internet from behind the router?

Cheers,

Prapanch

sh run global:

global (outside) 2 64.22.22.38-64.22.22.40 netmask 255.0.0.0
global (outside) 1 64.22.22.35 netmask 255.0.0.0

I haven't traced the logs when accessing the internet from the remote site router. I will try it later today.

Thanks a lot for helping me here.

Hi,

That looks ok. Did you manage to get the logs?

Cheers,

Prapanch

Thanks Guys. Actually I went to the site and had a test. Everything is working. The packet tracer in ASA is not a good tool for testing. It's lying.

As long as the same interface security intrainterface configured and nat outside configured. Things are working. Thanks guys for your great help!!

Lou

Content for Community-Ad