ASA5505 L2TP/IPSEC vpn establish but internet not access on remote pc

Aug 6th, 2011
Hi,

I am new to Cisco ASA.

I have configured L2TP/IPsec (Windows VPN). I am using the Windows VPN client. The VPN is established successfully; then I took remote control of PC 10.0.0.5 and now I am trying to access the internet, but I can't get access.

Please suggest what I should configure for it.

Praveena Shanubhogue Mon, 08/08/2011 - 04:46

Workaround 1:

>> While creating the L2TP connection profile on the PC, make sure the setting below is configured:

   L2TP connection Properties > Networking > Internet Protocol (TCP/IP) > Advanced > General:

   Uncheck "Use default gateway on remote network"

>> With this, a route (for the class to which the VPN pool subnet belongs) gets downloaded to the client. You may configure split tunneling too with this setting, although it might take about 20 seconds for the routes to get downloaded into the PC's routing table.

Workaround 2:

If you prefer having all the L2TP users come all the way to the ASA (full tunneling), make sure you configure U-turning on the outside interface:

Commands required:

same-security-traffic permit intra-interface

NAT commands:

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect this to be already configured
! global (outside) 1 interface/public_ip

Regards,

Praveen

Nikhil Patil Mon, 08/08/2011 - 23:07

Hi Praveena,

1) As per your suggestion I have unchecked the "Use default gateway on remote network" check box, but still my problem is not solved.

2) The "same-security-traffic permit intra-interface" command is already configured.

See, my VPN connection is established and I can also access the remote PC, but I cannot access the internet on the remote PC...

When I click on the L2TP connection properties I get the default gateway 10.0.0.1 and DNS 10.0.0.4, but I am not able to access the internet...

Praveena Shanubhogue Mon, 08/22/2011 - 22:57

Hi Nikhil,

Sorry for the delay. If you are still looking at this, the only thing that you seem to have missed from my last response is:

NAT config on the outside interface

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect the following to be already configured
! global (outside) 1 interface/public_ip

Regards,

Praveen

Nikhil Patil Mon, 08/22/2011 - 23:25

Thanks for the reply Praveena,

I have made some changes in my configuration... but the problem is still pending...

Please check the latest configuration and suggest changes...

Regards,

Nikhil


ASA Version 8.2(5)
!
hostname asa
domain-name digital.net
names
name 121.241.66.217 Router-Outside description router ip
name 10.0.0.4 dc1-int description dc1-int
dns-guard
!
interface Ethernet0/0
 switchport access vlan 337
 switchport trunk allowed vlan 337
 speed 100
 duplex full
interface Ethernet0/7
 switchport access vlan 20
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan337
 nameif outside
 security-level 0
 ip address Router-Outside 255.255.255.252
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc1-int
 name-server 1.2.3.4
 name-server 101.101.101.5
 name-server 101.101.101.6
 domain-name spheregen.net
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 port-object eq 587
object-group service TFSPorts tcp
 port-object eq 8080
 port-object eq www
object-group service RDP tcp
 port-object eq 3389
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.192
access-list Split_tunnel_list remark The corporate network behind asa
access-list Split_tunnel_list standard permit 192.168.50.0 255.255.255.192
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 1.2.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TEST_AD protocol radius
aaa-server TEST_AD (inside) host Sg-dc1-int
 key *****
 radius-common-pw *****
http server enable
http 10.0.0.0 255.255.255.0 inside
http 114.143.102.2 255.255.255.255 outside
http Router-Outside 255.255.255.255 outside
http 121.241.73.162 255.255.255.255 outside
http 61.12.123.178 255.255.255.255 outside
http 76.184.65.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns Sg-dc1-int 10.0.0.2 interface inside
!
dhcpd dns Sg-dc1-int 101.101.101.5 interface outside
!
dhcprelay server 10.0.0.2 inside
dhcprelay server dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.4
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
 default-domain value spheregen.net
group-policy sales_policy internal
group-policy sales_policy attributes
 wins-server none
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 default-domain value spheregen.net
username nikhil password WKR4E1qTrDvwWKXqDo/bcQ== nt-encrypted privilege 15
username aftab.ansari password VY477ELaRYMPkrf9pes1IA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group TEST_AD
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group TEST_AD
!
class-map Unblock
 match access-list inside_mpc_1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
policy-map inside-policy
 class Unblock
  inspect http
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
Cryptochecksum:27a910363710815fd889c9cc72a3d173
: end
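Added example (not from the thread, and not Cisco code): a small Python check for the U-turn checklist from Praveena's two replies, run against a constructed excerpt modelled on the posted 8.2(5) config. The excerpt mirrors what the dump shows, `global (outside) 1 interface` and `split-tunnel-policy tunnelall`, but no `same-security-traffic permit intra-interface` line and no `nat (outside) 1` entry, so both items are reported as missing; the `<id>` matching between `nat` and `global` is the ASA 8.2 NAT-id pairing the replies rely on.

```python
import re

# Constructed excerpt modelled on the ASA 8.2(5) running-config posted in the
# thread; only the lines that matter for hairpinning full-tunnel L2TP clients.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
interface Vlan337
 nameif outside
 security-level 0
ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
group-policy sales_policy attributes
 split-tunnel-policy tunnelall
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 default-group-policy sales_policy
"""

def is_full_tunnel(config):
    """True when a group policy sends all client traffic through the ASA,
    which is the case where U-turning on the outside interface is needed."""
    return any(line.strip() == "split-tunnel-policy tunnelall"
               for line in config.splitlines())

def check_hairpin(config, outside="outside"):
    """Return the checklist items the config is missing (empty list = OK)."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    # 'global (outside) <id> ...' and 'nat (outside) <id> ...' must share an id
    # for VPN client traffic re-entering via outside to be translated.
    global_ids = {m.group(1) for line in lines
                  if (m := re.match(rf"global \({outside}\) (\d+)\b", line))}
    nat_ids = {m.group(1) for line in lines
               if (m := re.match(rf"nat \({outside}\) (\d+)\b", line))}
    if not global_ids:
        findings.append(f"missing: global ({outside}) <id> interface")
    if not nat_ids & global_ids:
        findings.append(f"missing: nat ({outside}) <id> with an id matching "
                        f"a global ({outside}) entry")
    return findings

if __name__ == "__main__":
    if is_full_tunnel(SAMPLE_CONFIG):
        for finding in check_hairpin(SAMPLE_CONFIG):
            print(finding)
```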
