L2TP VPN configuration on Cisco ASA with Windows/Mac machine internet problem

jvalin__s
Level 1

Dear All,

I have successfully configured an L2TP VPN on an ASA 5510 running IOS version 8.0(4).

When I connect using this VPN my internet does not work, even if I set a proxy or DNS, or remove the proxy.

It does not work; I can only access the resources behind the firewall. I am using an extended access-list.

I tried with a standard access-list also.

Kindly suggest what the mistake could be.

Thanks

Jv

Accepted Solution

Jennifer Halim
Cisco Employee

Split tunnel for L2TP over IPSec tunnel is not configured on the head end (ASA), it needs to be configured on the client itself as per the following article from Microsoft:

http://technet.microsoft.com/en-us/library/bb878117.aspx


Hi,

The internet problem on Windows is solved, but what about the Macintosh machine?

Hi Halijenn,

Thanks for the link, but if I uncheck "send all traffic to VPN" then I cannot access the resources behind the firewall.

Regards,

Halijenn,

After removing the default gateway from the Windows machine the internet started working, but

I cannot access the resources behind the firewall, meaning I cannot ping or access the servers behind the firewall.

Regards

Jvalin

Did you explicitly configure the route statements for the corporate internal subnets as per the Microsoft URL provided? You would need to explicitly add routes on the client for the corporate internal subnets, as well as uncheck the "Use default gateway on remote network" option.

Halijenn,

What should the gateway be if I add the routes statically?

Regards,

Re-check the "Use default gateway on remote network" option, and connect through the L2TP over IPSec. From a DOS prompt, check the output of "route print". The current default gateway after the L2TP over IPSec client is connected is the gateway you need to configure.

Once you uncheck the "Use default gateway on remote network" option, it will use the PC's normal default gateway to connect to the Internet, hence the requirement to add specific routes for the tunnelled (VPN) traffic towards your corporate intranet subnets.

I am not getting the same IP address and default gateway every time.

I have configured 192.168.206.0/24 for L2TP users.

When I connect I get 192.168.206.14 and the gateway is also the same.

The next time I connect it is different.

Regards,

Yes, unfortunately that is the downside of using L2TP over IPSec, as split tunneling is not supported on the head end like it is for the native IPSec VPN.

So what shall I do in that case then?

Anyhow, I will have to give IP addresses to the L2TP users from the firewall only.

The solution you gave, to add routes for the corporate network using the gateway I am getting,

is not valid as I am getting different gateways every time.

Regards,

What are the subnets behind your corporate network? If the IP pool subnet is in the same major subnet, it will automatically create a correct major subnet route, therefore you can access the intranet network based on that. So if your intranet subnets happen to be in 10.0.0.0, assign an IP pool from a unique 10.x.x.x subnet too. Otherwise, unfortunately, that is the only solution with L2TP over IPSec.

The corporate networks behind the firewall are

192.168.200.0/24

192.168.201.0/24

192.168.202.0/24

192.168.203.0/24

192.168.205.0/24 - Cisco VPN client users

and for the L2TP users the pool is 192.168.206.0/24

One possible workaround is to change the IP pool subnet mask from 255.255.255.0 to 255.255.0.0.

Change the mask for 192.168.205.0/24 to 192.168.205.0/16.
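The client-side procedure worked out in the replies above (uncheck "Use default gateway on remote network", read the gateway the connection gets from "route print", then add a route per corporate subnet through it) can be scripted so that the changing pool address is no longer a problem: the script looks the address up after each connect instead of hard-coding it. This is an added example, not code from the thread or from Cisco/Microsoft. It assumes Windows 8 / Server 2012 or later (the NetTCPIP cmdlets), an elevated prompt, a phonebook entry named "Corp-L2TP" (hypothetical name) with "Use default gateway on remote network" already unchecked, and the pool and subnets quoted in the thread; the next hop for the PPP link is taken to be the assigned pool address itself, as the thread reports ("gateway also same").

```powershell
# Added example (not from the thread). After the built-in Windows L2TP/IPsec
# client connects, find the address the ASA handed out from the 192.168.206.0/24
# pool and route the corporate subnets through it. The pool address changes on
# every connection, so it is discovered each time rather than typed in.
# Assumptions: Windows 8 / Server 2012+ (NetTCPIP cmdlets), elevated prompt,
# a connection named "Corp-L2TP" (hypothetical) with split tunnelling enabled.

$ConnectionName = 'Corp-L2TP'                        # assumed phonebook entry name
$PoolPrefix     = '192.168.206.'                     # L2TP pool quoted in the thread
$CorpSubnets    = @('192.168.200.0/24', '192.168.201.0/24',
                    '192.168.202.0/24', '192.168.203.0/24')   # subnets quoted in the thread

# 1. Dial the connection (rasdial prompts for credentials unless they are saved).
rasdial $ConnectionName
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# 2. Locate the PPP address assigned from the L2TP pool; this is the per-session
#    next hop that "route print" shows as the default gateway while the option
#    "Use default gateway on remote network" is still ticked.
$vpn = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -like "$PoolPrefix*" } |
       Select-Object -First 1
if (-not $vpn) { throw "No address from $PoolPrefix* found; is the VPN up?" }
Write-Host "VPN address $($vpn.IPAddress) on interface index $($vpn.InterfaceIndex)"

# 3. Add one route per corporate subnet with the assigned address as next hop,
#    replacing any stale route left over from a previous session.
foreach ($prefix in $CorpSubnets) {
    $stale = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($stale) { Remove-NetRoute -DestinationPrefix $prefix -Confirm:$false }
    New-NetRoute -DestinationPrefix $prefix `
                 -InterfaceIndex $vpn.InterfaceIndex `
                 -NextHop $vpn.IPAddress `
                 -RouteMetric 1 | Out-Null
    Write-Host "Routed $prefix via $($vpn.IPAddress)"
}

# 4. Verify: the corporate prefixes should point at the PPP interface while the
#    default route (0.0.0.0/0) still points at the LAN/Wi-Fi gateway, which is
#    what keeps Internet access working with the tunnel up.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' -or $_.DestinationPrefix -in $CorpSubnets } |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric
```

On Windows 8.1 / Server 2012 R2 and later the same result can be declared once per connection instead of re-run after every dial, with `Set-VpnConnection -Name Corp-L2TP -SplitTunneling $true` and `Add-VpnConnectionRoute -ConnectionName Corp-L2TP -DestinationPrefix 192.168.200.0/24` (one call per subnet); the routes are then bound to the connection and resolved automatically at connect time, which is the client-side equivalent of the head-end split tunnel the thread says L2TP over IPSec lacks. Either way the client ends up with a split tunnel: it is on the Internet and on the corporate network at the same time, so the ASA still has to filter what the 192.168.206.0/24 pool may reach rather than relying on "send all traffic" being ticked.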
