Cisco site-to-site VPN - Cannot browse web

I have two sites, each with a Cisco ASA 5505, and a site-to-site VPN between them. Site A is my main office and has no problems. At Site B, the ASA 5505 is on the inside of a DSL router and is acting as my DHCP server. The DSL router is in bridge mode with NAT disabled, and I authenticate to the DSL over PPPoE configured on the ASA.

The VPN tunnel is up, and traffic passes over the VPN with no problem.

At site B, users can access internal resources at site A; however, no one can browse the web, even though name resolution is OK.

I suspect something is misconfigured either in the DSL router or in the ASA.

What do I do?

sf09erAuthor Commented:
I had neglected to assign one of my usable IP addresses to the Dynamic NAT rule on the ASA. All is well.
It sounds like there is a missing route(s) on the site A ASA to route Internet traffic coming in from site B to the Internet.  You will need to examine the configuration of the ASA on site A to see where the problem is.
Is there a GPO setting that is sending you to a PROXY or forcing you to authenticate using a ROAMING profile?

On some of the DSL modems, besides having the unit in bridge mode, you have to further configure the unit with public IPs on both the DSL WAN interface and the DSL LAN interface. The DSL manufacturer can help you with this configuration. I have had to do this particularly on QWest Actiontec DSLs.
BTW, since you will probably need to have the DSL LAN on a static public IP, you also have to have the port on the 5505 as a static public IP address, so you will need a block of static IPs from your ISP and then configure the 5505 as your internal DHCP server. As I said before, a call to the DSL manufacturer support will answer the question before you order the block of static IPs from your ISP, as I doubt your ISP will provide a block of static IPs to test with, but you can ask...
sf09erAuthor Commented:
I had neglected to assign one of my usable IP addresses to the Dynamic NAT rule on the ASA.
Question has a verified solution.
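
One way to check a saved configuration for the omission described in the accepted answer, as an added example that is not part of the original thread. It assumes the pre-8.3 ASA `nat`/`global` syntax (the thread does not state the software version); the config text, addresses and the `nonat` ACL name are constructed.

```python
import re

# Constructed sample (not from the thread): pre-8.3 ASA NAT statements.
# nat 0 exempts the site-to-site VPN traffic; nat 1 has no matching global,
# so tunnel traffic works while Internet-bound traffic is never translated.
BROKEN_CONFIG = """\
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config with one usable address (documentation range) assigned to pool 1.
FIXED_CONFIG = BROKEN_CONFIG + "global (outside) 1 203.0.113.10\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def unmatched_nat_ids(config):
    """Return {nat_id: [source interfaces]} for dynamic nat rules with no global."""
    nat_rules = {}
    global_ids = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id = m.group(1), int(m.group(2))
            if nat_id != 0:  # id 0 is NAT exemption/identity and needs no global
                nat_rules.setdefault(nat_id, []).append(ifc)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(int(m.group(2)))
    return {i: ifcs for i, ifcs in nat_rules.items() if i not in global_ids}


def report(config):
    """Return one human-readable finding per nat id that lacks a global."""
    missing = unmatched_nat_ids(config)
    return [
        f"nat id {nat_id} on ({', '.join(ifcs)}) has no matching 'global' statement"
        for nat_id, ifcs in sorted(missing.items())
    ]


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, report(cfg) or "ok")
```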
