Cisco site-to-site VPN - Cannot browse web

Posted on 2011-05-06
Medium Priority
Last Modified: 2012-08-13
I have two sites, each with a Cisco ASA 5505, and a site-to-site VPN between them. Site A is my main office and has no problems. At Site B, the ASA 5505 is on the inside of a DSL router and is acting as my DHCP server. The DSL router is in bridge mode with NAT disabled, and I authenticate to the DSL over PPPoE configured on the ASA.

The VPN tunnel is up, and traffic passes over the VPN with no problem.

At site B, users can access internal resources at site A; however, no one can browse the web, even though name resolution is OK.

I suspect something is misconfigured either in the DSL router or in the ASA.

What do I do?

Question by: sf09er

Expert Comment

ID: 35708934
It sounds like there is a missing route(s) on the site A ASA to route Internet traffic coming in from site B to the Internet. You will need to examine the configuration of the ASA on site A to see where the problem is.

Expert Comment

ID: 35708935
Is there a GPO setting that is sending you to a PROXY or forcing you to authenticate using a ROAMING profile?

Accepted Solution

sf09er earned 0 total points
ID: 35709104
I had neglected to assign one of my usable IP addresses to the Dynamic NAT rule on the ASA. All is well.

Expert Comment

ID: 35709537
On some of the DSL modems, besides having the unit in bridge mode, you have to further configure the unit with public IPs on both the DSL WAN interface and the DSL LAN interface. The DSL manufacturer can help you with this configuration. I have had to do this particularly on Qwest Actiontec DSLs.

Expert Comment

ID: 35709575
BTW, since you will probably need to have the DSL LAN on a static public IP, you also have to have the port on the 5505 as a static public IP address, so you will need a block of static IPs from your ISP and then configure the 5505 as your internal DHCP server. As I said before, a call to the DSL manufacturer support will answer the question before you order the block of static IPs from your ISP, as I doubt your ISP will provide a block of static IPs to test with, but you can ask...

Author Closing Comment

ID: 35735935
I had neglected to assign one of my usable IP addresses to the Dynamic NAT rule on the ASA.


Question has a verified solution.
