L2TP VPN configuration on Cisco ASA with Windows/Mac machine: internet problem

Answered Question
May 2nd, 2010

Dear All,


I have successfully configured L2TP VPN on an ASA 5510 with IOS version 8.0(4).

When I connect using this VPN my internet doesn't work, even if I set a proxy or DNS, or remove the proxy.

It doesn't work; I can access only the resources behind the firewall. I am using an extended access-list;

I tried with a standard access-list also.


Kindly suggest what the mistake could be.


Thanks

Jv

Correct Answer by Jennifer Halim about 7 years 2 months ago

Split tunnel for L2TP over IPSec tunnel is not configured on the head end (ASA), it needs to be configured on the client itself as per the following article from Microsoft:


http://technet.microsoft.com/en-us/library/bb878117.aspx

jvalin__s Sun, 05/02/2010 - 23:55

Hi,


The internet problem on Windows is solved, but what about the Macintosh machine?

jvalin__s Mon, 05/03/2010 - 00:29

Hi Halijenn,


Thanks for the link, but if I uncheck "send all traffic to VPN" then I can't access the resources behind the firewall.


Regards,

jvalin__s Mon, 05/03/2010 - 03:00

Halijenn,


After removing the default gateway from the Windows machine the internet started working, but

I can't access the resources behind the firewall, meaning I can't ping or access the servers behind the firewall.


Regards

Jvalin

Jennifer Halim Mon, 05/03/2010 - 04:07
Cisco Employee

Did you explicitly configure the route statement for the corporate internal subnets as per the Microsoft URL provided? You would need to explicitly add route on the client for the corporate internal subnets, as well as unchecking the "Use default gateway on remote network" option.

jvalin__s Mon, 05/03/2010 - 04:12

Halijenn,


What should the gateway be if I add the routes statically?


Regards,

Jennifer Halim Mon, 05/03/2010 - 04:40
Cisco Employee

Re-check the "Use default gateway on remote network" option, and connect through the L2TP over IPSec. From a DOS prompt, check the output of "route print". The current default gateway after the L2TP over IPSec client is connected is the gateway you need to use when configuring the routes.


Once you uncheck the "Use default gateway on remote network" option, the PC uses its normal default gateway to connect to the Internet, hence the requirement to add specific routes for the tunnelled (VPN) traffic towards your corporate intranet subnets.

jvalin__s Mon, 05/03/2010 - 04:44

I am not getting the same IP address and default gateway every time.


I have configured 192.168.206.0/24 for L2TP users.

When I connect I get 192.168.206.14, and the gateway is also the same;

the next time I connect it's different.


Regards,

Jennifer Halim Mon, 05/03/2010 - 04:47
Cisco Employee

Yes, unfortunately that is the downside of using L2TP over IPSec: split tunneling is not supported on the head end, unlike the native IPSec VPN.

jvalin__s Mon, 05/03/2010 - 04:50

So what shall I do in that case?

Anyhow, I will have to give IP addresses to the L2TP users from the firewall only.


The solution you gave, to add routes to the corporate network using the gateway I am getting,

is not valid as I am getting different gateways every time.


Regards,

Jennifer Halim Mon, 05/03/2010 - 04:58
Cisco Employee

What are the subnets behind your corporate network? If the IP pool subnet is in the same major subnet, the client will automatically create a correct major-subnet route, so you can access the intranet network based on that. So if your intranet subnet happens to be in the 10.0.0.0 subnet, assign an IP pool in a unique 10.x.x.x subnet too. Otherwise, unfortunately, that is the only solution with L2TP over IPSec.

jvalin__s Mon, 05/03/2010 - 05:02

The corporate network behind the firewall is


192.168.200.0/24

192.168.201.0/24

192.168.202.0/24

192.168.203.0/24

192.168.205.0/24 - cisco vpn client users

and the pool for L2TP users is 192.168.206.0/24

Jennifer Halim Mon, 05/03/2010 - 05:10
Cisco Employee

One possible workaround is to change the IP pool subnet mask from 255.255.255.0 to 255.255.0.0.

Change the mask for 192.168.205.0/24 to 192.168.205.0/16.

Jennifer Halim Mon, 05/03/2010 - 05:22
Cisco Employee

No, what I mean is change the IP pool mask from /24 to /16 on the ASA as follows (the ASA command also requires a pool name; <pool-name> is a placeholder for yours):


ip local pool <pool-name> 192.168.205.1-192.168.205.254 mask 255.255.0.0

jvalin__s Mon, 05/03/2010 - 05:24

Yes, I got your point, but what difference will it make?


Regards,

jvalin__s Mon, 05/03/2010 - 05:48

halijenn,


Once I configure the NAT exempt in the firewall it will automatically convert it to 192.168.0.0/16.

Actually I want this solution for Mac basically, but I thought if I could solve it first on Windows it would be easy for Mac.


I don't think it is possible for Windows either.


After connecting the L2TP VPN I can see two default routes, one pointing to the VPN gateway and one pointing to the original machine gateway with an increased metric.


Regards

Jvalin

Jennifer Halim Mon, 05/03/2010 - 05:54
Cisco Employee

If you change the mask to /16, it would appear as 192.168.0.0 once you are connected, and that route should point towards the VPN gateway. If you uncheck the "Use default gateway on remote network" option, then the default gateway would be your original machine gateway.

So because 192.168.0.0/16 points towards the VPN gateway, when you try to access your corporate internal networks, which are in the 192.168.x.x/24 subnet range, the traffic will be routed towards the VPN gateway. For everything else, it would route towards the original machine gateway.

With this solution, you don't even have to add any routes on the client PC.
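The routing logic behind the /16 workaround (and behind the two default routes the poster saw in "route print") is plain longest-prefix matching on the client. The following is an added example, not code from the thread or from Cisco: it builds a constructed approximation of the client's route table for each combination of pool mask (/24 or /16) and the "Use default gateway on remote network" checkbox, then resolves which adapter carries traffic to a corporate host, an Internet host and a host on the PC's own LAN. The home LAN (192.168.1.0/24 behind 192.168.1.1), the adapter names, the metrics and the assumed Windows behaviour of adding a second, lower-metric default route via the PPP adapter are all assumptions made for the example. It also goes slightly beyond the thread by showing the overlap caveat of the workaround: a corporate /24 that coincides with the PC's local /24 still loses to the local on-link route.

```python
import ipaddress
from dataclasses import dataclass

LAN_IF = "Local Area Connection"   # the PC's physical adapter (constructed name)
VPN_IF = "L2TP VPN"                # PPP adapter created by the L2TP/IPsec client (constructed name)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # gateway address, or "on-link"
    interface: str
    metric: int


def client_routes(pool_prefixlen: int, use_remote_default_gw: bool,
                  vpn_addr: str = "192.168.206.14"):
    """Constructed approximation of the client's route table once the tunnel is up.

    pool_prefixlen mirrors the mask on the ASA 'ip local pool' (24 or 16 in the thread);
    use_remote_default_gw mirrors the Windows checkbox 'Use default gateway on remote network'.
    """
    # Route the PPP adapter derives from the assigned address and the pool mask:
    # /24 gives 192.168.206.0/24, /16 gives 192.168.0.0/16.
    pool_route = ipaddress.ip_network(f"{vpn_addr}/{pool_prefixlen}", strict=False)
    routes = [
        # The PC's own LAN and normal default gateway (constructed values).
        Route(ipaddress.ip_network("192.168.1.0/24"), "on-link", LAN_IF, 20),
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", LAN_IF, 20),
        # Routes installed for the tunnel adapter.
        Route(pool_route, "on-link", VPN_IF, 10),
        Route(ipaddress.ip_network(f"{vpn_addr}/32"), "on-link", VPN_IF, 10),
    ]
    if use_remote_default_gw:
        # Second default route via the tunnel with the better metric (assumed Windows
        # behaviour): this is the "two default routes" seen in 'route print'.
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "on-link", VPN_IF, 1))
    return routes


def select_interface(routes, destination: str) -> str:
    """Longest-prefix match; lowest metric breaks ties, as the OS does."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {destination}")
    best = max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.interface


def scenario(pool_prefixlen: int, use_remote_default_gw: bool) -> dict:
    """Which adapter carries traffic to a corporate, an Internet and a home-LAN host."""
    routes = client_routes(pool_prefixlen, use_remote_default_gw)
    return {
        "corporate 192.168.200.10": select_interface(routes, "192.168.200.10"),
        "internet 203.0.113.5": select_interface(routes, "203.0.113.5"),
        "home LAN 192.168.1.50": select_interface(routes, "192.168.1.50"),
    }


if __name__ == "__main__":
    for mask in (24, 16):
        for checked in (True, False):
            state = "on" if checked else "off"
            print(f"pool /{mask}, remote default gateway {state}: {scenario(mask, checked)}")
```

With a /24 pool the client only ever has a choice between "everything via the tunnel" (checkbox on, Internet breaks as in the original post) and "everything via the local gateway" (checkbox off, corporate hosts unreachable). With the /16 pool and the checkbox off, 192.168.0.0/16 is the longest match for the corporate subnets while 0.0.0.0/0 via the local gateway still serves the Internet, which is the split the thread ends on. The last row also shows the side effect to check for before rolling this out: any 192.168.x.0/24 that exists on the user's local LAN keeps winning on prefix length, so a corporate subnet with the same number would be unreachable from that location.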
