Cisco not allowing LAN to browse internet but VPN is ok

I'm having trouble browsing the internet behind my ASA firewall. Unsure what mistakes I made, but please see the running config below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif -guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list permitall extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu pdb-office-wireless 1500
mtu pdb-guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
SuperRootAsked:
asavenerCommented:
global (outside) 101 interface

This should be "global (outside) 0 interface"
SuperRootAuthor Commented:
I tried it and this is what I get:

ciscoasa(config)# global (outside) 0 interface
invalid nat_id
Usage: [no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface
        show running-config [all] global [(<ext_if_name>)] [<nat_id>]
        clear configure global
asavenerCommented:
Sorry, I messed up.

no global (outside) 101 interface
no nat (inside) 0 0.0.0.0 0.0.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
SuperRootAuthor Commented:
Thanks for your help! I tried it, but it still didn't work. I'm confused...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PDB-DC-Group
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0  33.35.28.142 1
asavenerCommented:
Try running "clear xlate".
SuperRootAuthor Commented:
Still not good. :( I can't even reach yahoo.com's IP address. Also, when I added the NAT rules, I'm not able to get to the VPN... :(
asavenerCommented:
What is the subnet for your VPN?
SuperRootAuthor Commented:
Thanks for your help! We have a site-to-site VPN set up. The subnet is 192.168.254.x 255.255.255.0. What's weird is that we can connect to the VPN OK without the NAT policies but can't connect to the internet. Also, even if I disable the VPN, I still can't get to the internet.
asavenerCommented:
Yes, it's an order of operations issue. NAT occurs before crypto, so your traffic is getting NAT'd to the external address, which means it doesn't match the VPN policy.

So, next thing to do is exclude the VPN destination from the NAT rules:


access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
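To make the two problems in this thread checkable (a global pool whose id no nat statement references, so nat id 0 never draws from it, and a VPN subnet that is not excluded through "nat (...) 0 access-list"), here is an added example that lints an ASA 8.2-style NAT layout. It is not part of the thread or Cisco's tooling; the two sample configs are constructed to mirror the broken first attempt and the fix that finally worked.

```python
import re

# Constructed sample shaped like the thread's first config: nat id 0 plus an unused global 101.
BROKEN = """
access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
global (outside) 101 interface
nat (inside) 0 0.0.0.0 0.0.0.0
"""

# Constructed sample shaped like the working fix: exemption on id 0, PAT on id 1.
FIXED = """
access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse(config):
    """Collect global pools by id, nat statements, and 'permit ip' ACL lines by name."""
    pools, nats, acls = {}, [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            pools.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
    return pools, nats, acls


def check_nat(config, vpn_subnet):
    """Return findings as strings; an empty list means the NAT layout is consistent."""
    pools, nats, acls = parse(config)
    findings = []
    # nat id 0 is exemption/identity and never uses a global pool, so only non-zero ids count here.
    used_ids = {nat_id for _, nat_id, _ in nats if nat_id != 0}
    for pool_id in pools:
        if pool_id not in used_ids:
            findings.append(f"global id {pool_id} is not referenced by any non-zero nat id")
    for ifname, nat_id, _ in nats:
        if nat_id != 0 and nat_id not in pools:
            findings.append(f"nat ({ifname}) {nat_id} has no matching global")
    if not used_ids:
        findings.append("no dynamic NAT/PAT rule: every nat statement uses id 0")
    # Traffic for the VPN peer must be exempted, or the translated source no longer matches the crypto ACL.
    exempt = [rest.split()[1] for _, nat_id, rest in nats if nat_id == 0 and rest.startswith("access-list")]
    if not any(vpn_subnet in line for name in exempt for line in acls.get(name, [])):
        findings.append(f"VPN subnet {vpn_subnet} is not excluded via 'nat (...) 0 access-list'")
    return findings
```

Running check_nat(BROKEN, "192.168.254.0 255.255.255.0") reports the unused global 101, the absence of any dynamic rule and the missing VPN exemption, while the FIXED config returns no findings.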
asavenerCommented:
Forgot to add the "clear xlate" after that last command.


Next, can you try this:

From your workstation, "ping -t 4.2.2.2".

Then execute "show xlate" on the ASA and provide the output here. Also, if you could, provide the output of "show version".
SuperRootAuthor Commented:
Got it working now. I tried it first on the wireless; I guess I can replicate it on the inside interface tonight. I'll let you know later tonight how it goes :)

nat (office-wireless) 0 access-list pdb-office-wireless_nat0_outbound
nat (office-wireless) 1 access-list pdb-office-wireless_nat_outbound

access-list office-wireless_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 any

global (outside) 1 interface
asavenerCommented:
Yup. Attempting it from a different interface will definitely affect your results!
SuperRootAuthor Commented:
Now I need help configuring the inter-VLAN communication. I enabled the following, but it still didn't work. :( I'm assuming I can use one, right?

cisco(config)# sh runn same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
SuperRootAuthor Commented:
Managed to make everything work now. The steps I did are as follows:

1. Created the nonat ACL for inside as well as for office-wireless
2. Created the dynamic NAT rule from inside to office-wireless and office-wireless to inside
3. Applied those access lists to the right interfaces.
4. Prayed to the heavens that things would work. :)

Everything started working :)

Thanks for all your help!