Cisco not allowing LAN to browse internet but VPN is ok

I'm having trouble browsing the internet from behind my ASA firewall. I'm not sure what mistake I've made, but please see the running config below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list permitall extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
asavener commented:
Forgot to add the "clear xlate" after that last command.


Next, can you try this:

From you workstation, "ping -t 4.2.2.2".

Then execute "show xlate" on the ASA and provide the output here. Also, if you could, provide the output of "show version".
asavener commented:
global (outside) 101 interface

This should be "global (outside) 0 interface"
SuperRoot (author) commented:
I tried it and this is what I get:

ciscoasa(config)# global (outside) 0 interface
invalid nat_id
Usage: [no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface
        show running-config [all] global [(<ext_if_name>)] [<nat_id>]
        clear configure global
asavener commented:
Sorry, I messed up.

no global (outside) 101 interface
no nat (inside) 0 0.0.0.0 0.0.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
SuperRoot (author) commented:
Thanks for your help! I tried it, but it still didn't work. I'm confused...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 33.35.28.138 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
!
interface GigabitEthernet0/3.50
 description office-wireless
 vlan 50
 nameif office-wireless
 security-level 99
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3.51
 description guest-wireless
 vlan 51
 nameif guest-wireless
 security-level 90
 ip address 192.168.51.1 255.255.255.0
!
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PDB-DC-Group
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu office-wireless 1500
mtu guest-wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 33.35.28.142 1
asavener commented:
Try running "clear xlate".
SuperRoot (author) commented:
Still not good. :( I can't even reach yahoo.com's IP address. Also, since I added the NAT rules, I'm no longer able to get to the VPN... :(
asavener commented:
What is the subnet for your VPN?
SuperRoot (author) commented:
Thanks for your help! We have a site-to-site VPN set up. The subnet is 192.168.254.x 255.255.255.0. What's weird is that we can connect to the VPN fine without the NAT policies but can't connect to the internet. Also, even if I disable the VPN, I still can't get to the internet.
asavener commented:
Yes, it's an order of operations issue. NAT occurs before crypto, so your traffic is getting NAT'd to the external address, which means it doesn't match the VPN policy.

So, the next thing to do is exclude the VPN destination from the NAT rules:

access-list no-nat extended permit ip any 192.168.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
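The order-of-operations point in the answer above is easy to state but easy to get wrong, so here is an added model of it in Python (an illustration written for this page, not ASA code or anything from the thread). It replays the three inside-interface NAT configurations that appear in the thread, in pre-8.3 syntax, against two constructed flows and reports where each flow ends up. Assumptions: the crypto ACL `outside_cryptomap` permits 192.168.253.0/24 to 192.168.254.0/24 (the thread's object groups are not shown), `nat-control` is off, and the sample host addresses are made up.

```python
"""Constructed model of the pre-8.3 ASA NAT lookup versus the crypto map.

Added illustration only, not ASA code. It shows why "NAT first, then crypto-map
match" breaks the VPN once dynamic NAT is added, and why a nat 0 access-list
(NAT exemption) fixes it. Crypto ACL contents are assumed (see CRYPTO_ACL).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"
OUTSIDE_IP = "33.35.28.138"      # outside interface address from the posted config
VPN_NET = "192.168.254.0/24"     # remote site-to-site subnet given in the thread
AclEntry = Tuple[str, str]       # (source network, destination network); permit lines only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def acl_permits(acl: List[AclEntry], flow: Flow) -> bool:
    """Extended ACL made of permit lines only, with the implicit deny at the end."""
    return any(in_net(flow.src, s) and in_net(flow.dst, d) for s, d in acl)


@dataclass
class InsideNat:
    """NAT statements for the inside interface, pre-8.3 syntax."""
    nat0_acl: Optional[List[AclEntry]]   # nat (inside) 0 access-list <acl>   (NAT exemption)
    nat_rules: List[Tuple[str, int]]     # nat (inside) <id> <net> <mask>     -> (net, nat_id)
    globals_: Dict[int, str]             # global (outside) <id> interface    -> {nat_id: address}

    def translate(self, flow: Flow) -> Tuple[str, Flow]:
        """Return (action, flow as it will appear on the outside interface)."""
        # NAT exemption is consulted before any other nat statement.
        if self.nat0_acl and acl_permits(self.nat0_acl, flow):
            return "exempt", flow
        for net, nat_id in self.nat_rules:
            if not in_net(flow.src, net):
                continue
            if nat_id == 0:
                # nat 0 without an ACL is identity NAT: the private source is kept,
                # which is why the original config reached the VPN but not the internet.
                return "identity", flow
            # A nat id is only useful when a global with the same id exists; the
            # original config's "global (outside) 101" matched no nat statement at all.
            return "pat", Flow(self.globals_[nat_id], flow.dst)
        # Assumption: nat-control is off, so unmatched traffic leaves untranslated.
        return "untranslated", flow


CRYPTO_ACL: List[AclEntry] = [("192.168.253.0/24", VPN_NET)]   # assumed outside_cryptomap


def forward(nat: InsideNat, flow: Flow) -> Tuple[str, str, str]:
    """NAT runs first; the crypto map is matched against the already-translated flow."""
    action, on_wire = nat.translate(flow)
    path = "vpn" if acl_permits(CRYPTO_ACL, on_wire) else "internet"
    return action, on_wire.src, path


# The three configurations that appear in the thread, in the order they were tried.
ORIGINAL = InsideNat(nat0_acl=None, nat_rules=[(ANY, 0)], globals_={101: OUTSIDE_IP})
DYNAMIC_ONLY = InsideNat(nat0_acl=None, nat_rules=[(ANY, 1)], globals_={1: OUTSIDE_IP})
WITH_NO_NAT = InsideNat(nat0_acl=[(ANY, VPN_NET)], nat_rules=[(ANY, 1)], globals_={1: OUTSIDE_IP})

TO_INTERNET = Flow("192.168.253.10", "4.2.2.2")        # constructed sample hosts
TO_VPN = Flow("192.168.253.10", "192.168.254.20")


def scenario_table() -> Dict[str, Dict[str, Tuple[str, str, str]]]:
    configs = [("original", ORIGINAL),
               ("dynamic-nat-only", DYNAMIC_ONLY),
               ("dynamic-nat+no-nat", WITH_NO_NAT)]
    return {name: {"internet": forward(cfg, TO_INTERNET), "vpn": forward(cfg, TO_VPN)}
            for name, cfg in configs}


if __name__ == "__main__":
    for name, results in scenario_table().items():
        for target, (action, src, path) in results.items():
            print(f"{name:20s} {target:9s} {action:10s} src={src:15s} path={path}")
```

Reading the output row by row reproduces the thread: with the original config both flows leave with their private source, so the VPN works but internet replies have nowhere to return to; with dynamic NAT alone the VPN-bound flow is translated to 33.35.28.138 before the crypto map looks at it and falls through to the default route; with the `nat (inside) 0 access-list no-nat` exemption the VPN flow keeps its private source and matches the crypto ACL while everything else is still PAT'd.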
SuperRoot (author) commented:
Got it working now. I tried it first on the wireless; I guess I can replicate it on the inside interface tonight. I'll let you know later tonight how it goes :)

nat (office-wireless) 0 access-list pdb-office-wireless_nat0_outbound
nat (office-wireless) 1 access-list pdb-office-wireless_nat_outbound

access-list office-wireless_nat_outbound extended permit ip 192.168.50.0 255.255.255.0 any

global (outside) 1 interface
asavener commented:
Yup. Attempting it from a different interface will definitely affect your results!
SuperRoot (author) commented:
Now I need help configuring the inter-VLAN communication. I enabled the following, but it still didn't work. :( I'm assuming I can use one, right?

cisco(config)# sh runn same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
SuperRoot (author) commented:
Managed to make everything work now. The steps I took are as follows:

1. Created the no-NAT ACL for inside as well as for office-wireless
2. Created the dynamic NAT rule from inside to office-wireless and from office-wireless to inside
3. Applied those access lists to the right interfaces.
4. Prayed to the heavens that things would work. :)

Everything started working :)

Thanks for all your help!