03-17-2008 04:25 PM
VPN clients can get to all internal servers/DMZ but not the Internet. This is the partial config of the ASA. TIA
VPN Pool 10.17.70.0
DMZ 192.168.100.0
Internal 172.0.0.0
-------------------------------------
access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
global (Outside) 10 interface
global (Businesspartner) 10 interface
nat (Inside) 0 access-list nonatdmz
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
03-18-2008 06:25 PM
Vinnie, glad you are getting there.
To telnet to the ASA through a VPN session you need to add this statement.
management-access inside
In this same link, see split tunnel vs. allow local LAN only access; you can learn the differences and you will better understand your ASA configuration pertaining to RA VPN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
03-17-2008 06:06 PM
You need to NAT the VPN pool network for outbound Internet.
i.e.
nat (outside) 10 10.17.70.0
03-18-2008 11:08 AM
Vinnie, just following up, has your problem been resolved by adding the NAT statement for VPN network Internet access? Please let us know if the problem still exists.
Rgds
Jorge
03-18-2008 12:02 PM
After including the following line:
nat (Outside) 10 10.17.70.0
the problem still exists. When I tried ipconfig at the command prompt, the default gateway IP shows up as 10.17.70.1, which is non-existent.
-Vinnie
03-18-2008 12:36 PM
When the client connects via remote access VPN, its gateway will be its own IP that is assigned by the VPN gateway.
Because remote access VPN is a point-to-point connection between client and server, there is no need to have a gateway; the client sends all traffic to the VPN gateway.
You need to make a nat (inside) and global (outside) for the remote access client IP.
I am assuming that the clients are coming from the inside of the firewall; if they are attached to the DMZ side, make the nat (dmz).
03-18-2008 12:28 PM
It does not appear that our split tunnel is applied.
03-18-2008 12:31 PM
Also, you need a NAT outside for the VPN clients since the ASA sees them as outside entities. Use ASDM and look at the logging; it is a very useful tool to clear up this problem.
03-18-2008 02:30 PM
Great news, we can browse the Internet after split tunnel was implemented. What is split tunnel anyway? We also have a new issue that came up after split tunnel was configured: we're no longer able to Telnet to the ASA.
Current telnet configurations are as below.
telnet 10.17.70.0 255.255.255.0 Outside
telnet 172.17.0.0 255.255.0.0 Inside
Thanks for your great help.
Vinnie
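As an added example (not from the thread or from Cisco), a small Python checker over the kind of config lines posted above: it answers whether the VPN pool has a nat entry on the interface it arrives on paired with a global on the Internet-facing interface, which is what the suggested "nat (Outside) 10 10.17.70.0" line is for, and whether a given destination falls inside the "splittunnel" ACL, which is why Internet browsing worked once split tunneling was applied (non-matching traffic leaves through the client's local connection instead of the tunnel). Assumptions: the sample config is constructed from the thread with the pool mask written out explicitly as 255.255.255.0, and interface names are compared case-insensitively.

```python
import ipaddress
import re

# Constructed sample: the thread's partial config plus the suggested nat line
# (assumption: mask 255.255.255.0 written explicitly for the VPN pool).
ASA_CONFIG = """\
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
global (Outside) 10 interface
global (Businesspartner) 10 interface
nat (Inside) 0 access-list nonatdmz
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
nat (Outside) 10 10.17.70.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
SPLIT_RE = re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)$")

def parse(config):
    """Collect dynamic nat entries, global ids per interface and standard ACLs."""
    nats, globals_, acls = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            nats.append((iface.lower(), int(nat_id),
                         ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), set()).add(m.group(1).lower())
        elif m := SPLIT_RE.match(line):
            name, net, mask = m.groups()
            acls.setdefault(name, []).append(
                ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nats, globals_, acls

def pool_is_natted(config, pool, vpn_iface="outside", egress_iface="outside"):
    """True if the VPN pool matches a nat entry on the interface it arrives on
    whose id is paired with a global on the Internet-facing interface."""
    nats, globals_, _ = parse(config)
    pool = ipaddress.ip_network(pool)
    return any(iface == vpn_iface and pool.subnet_of(net)
               and egress_iface in globals_.get(nat_id, ())
               for iface, nat_id, net in nats)

def goes_through_tunnel(config, acl_name, dst):
    """With split tunneling, only destinations matched by the ACL enter the
    tunnel; anything else (e.g. the Internet) uses the client's local link."""
    _, _, acls = parse(config)
    return any(ipaddress.ip_address(dst) in net for net in acls.get(acl_name, []))
```

On a real ASA, sending VPN traffic back out the same interface it arrived on also requires "same-security-traffic permit intra-interface", which this checker does not inspect.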