pault01 asked:
Cisco ASA Site to Site VPN, can't get traffic destined for the internet not to go through the tunnel.

Hi Experts,

I have a Site to Site VPN between an ASA 5506-X and an ASA 5512-X. The VPN is working fine; all traffic is flowing in both directions through the tunnel. The problem I have is, on the remote site, if I want the server to access the internet directly, it can't, as I think all requests are being sent through the tunnel. I suspect it is to do with NAT. I have tried a few things to divert traffic not destined for the head office so that it is not sent through the tunnel, but so far I have had no luck. I have attached the configuration for the remote site ASA.

In summary, I need the server on the DMZ interface (192.168.35.0/24) to pass traffic through the tunnel to the remote network 192.168.1.0/24, and all other traffic to not go through the tunnel. At the moment the VPN is working, but internet requests are failing.

Thanks in advance!!

Paul
Config.txt
hypercube

I just Googled for ASA split tunnel (which I believe is what you want) and found this:
http://www.deltadata.dk/vejledninger/ios/split-tunnel.htm
There may be details to be addressed but that's more up to you I should think.

You have no dynamic PAT rule for the DMZ, buddy, only static ones.

Enter these commands:

!
object network OBJ-DMZ-PAT
 subnet 192.168.35.0 255.255.255.0
 nat (DMZ,outside) dynamic interface
!

You already have an ACL to allow the traffic out, so that should be all you need. To test, go on a DMZ server and Google "what's my ip"; it should return the IP of the outside interface of the firewall.

Job done

pault01 (ASKER)

Hi Pete,

Thanks for your assistance. It did help with getting internal access onto the internet.

I have another interesting problem now that I can get on the internet. I don't seem to be able to access certain sites. For example, I can't use google.com, but I can use Bing. I can access news sites in New Zealand, i.e. www.stuff.co.nz, but I can't access YouTube and Facebook. I need to be able to send emails to our SMTP relay provider online and it times out. This is all related to the internet only working for some sites.

Any ideas or thoughts on what could be causing this would be greatly appreciated.

Paul

From the DMZ? What's set in the network card properties of this server in the DNS section? If you set it to 8.8.8.8, does the problem go away?

pault01 (ASKER)

Hi Pete,

The server is a remote Domain Controller, for DR. The server has the AD and DNS roles installed. If I add the Google DNS servers to the list of DNS forwarders in the DNS properties (screenshot included), they don't validate, whereas my ISP's DNS servers do. I suspect this is all related to why internet connectivity is limited.

Thanks for your assistance.

Paul
DNS-Forwarders.png
pault01 (ASKER)

Thanks for your comments Fred. The information is for older versions of ASA. I believe the internet issue is resolved, the problem has now moved onto limited access. Whether this is due to DNS and/or the fact I'm on a domain controller is still being determined.

Where's this DNS server physically?

You may be seeing EDNS problems? See this article I wrote a while ago.

Pete

A site to site VPN should not require split tunnelling, nor does split tunnel apply.

Site A
Gateway
LAN

Site B
Gateway
LAN

As long as the access list applied to the VPN crypto map only has LAN to LAN and does not include 0.0.0.0.

show crypto isakmp sa
show crypto ipsec sa
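To check a remote-site config for the two problems raised in this thread (no dynamic PAT on the DMZ interface, as Pete points out, and a crypto ACL that is not strictly LAN-to-LAN, as the last reply points out), here is an added Python audit script; it is not part of the thread and not Cisco tooling. It parses a small constructed ASA 8.3+ fragment; the object, interface, ACL and crypto map names are assumptions, not taken from the asker's Config.txt.

```python
import re

# Constructed ASA 8.3+ config fragment modelled on the thread (not the asker's Config.txt):
# identity NAT for the tunnel, dynamic PAT on "inside" only (none on DMZ), and a crypto
# ACL whose second entry would send everything from the DMZ into the tunnel.
SAMPLE_CONFIG = """\
object network OBJ-DMZ
 subnet 192.168.35.0 255.255.255.0
object network OBJ-HQ
 subnet 192.168.1.0 255.255.255.0
nat (DMZ,outside) source static OBJ-DMZ OBJ-DMZ destination static OBJ-HQ OBJ-HQ no-proxy-arp route-lookup
object network OBJ-INSIDE-PAT
 subnet 192.168.36.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list VPN-CRYPTO extended permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-CRYPTO extended permit ip 192.168.35.0 255.255.255.0 any
crypto map OUTSIDE-MAP 10 match address VPN-CRYPTO
"""

NAT_RE = re.compile(r"^\s*nat \((?P<src>[\w-]+),(?P<dst>[\w-]+)\)(?P<rest>.*)$")
CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)$")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit \S+ (?P<src>\S+ \S+|any) (?P<dst>\S+ \S+|any)$")

def dynamic_pat_interfaces(cfg):
    """Source interfaces that have a dynamic NAT/PAT rule (object NAT or twice-NAT form)."""
    return {m["src"] for m in map(NAT_RE.match, cfg.splitlines()) if m and re.search(r"\bdynamic\b", m["rest"])}

def crypto_acl_names(cfg):
    """ACLs referenced by 'crypto map ... match address', i.e. the interesting traffic."""
    return {m["acl"] for m in map(CRYPTO_MAP_RE.match, cfg.splitlines()) if m}

def overbroad_crypto_entries(cfg):
    """Crypto-ACL lines whose destination is 'any' or 0.0.0.0: they pull all traffic into the tunnel."""
    names = crypto_acl_names(cfg)
    hits = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if m and m["name"] in names and (m["dst"] == "any" or m["dst"].startswith("0.0.0.0 ")):
            hits.append(line)
    return hits

def audit(cfg, lan_interfaces):
    """One finding string per problem: missing dynamic PAT per LAN interface, then over-broad crypto ACL lines."""
    have_pat = dynamic_pat_interfaces(cfg)
    missing = [f"no dynamic PAT for {i}: internet-bound traffic from {i} is never translated"
               for i in lan_interfaces if i not in have_pat]
    broad = [f"crypto ACL entry is not LAN-to-LAN: {line}" for line in overbroad_crypto_entries(cfg)]
    return missing + broad

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, ["DMZ", "inside"])))
```

Run it against a saved `show running-config` by reading the file into `cfg` instead of `SAMPLE_CONFIG`; the regexes cover the `extended permit` ACL form and `nat (src,dst)` rules only, so other constructs are ignored rather than flagged.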