ASA5505 L2TP/IPsec VPN establishes but no internet access on remote PC

Unanswered Question
Aug 6th, 2011


I am new to the Cisco ASA.

I have configured L2TP/IPsec (Windows VPN). I am using the Windows VPN client. The VPN is established successfully; then I took remote control of the PC and now I am trying to access the internet, but I do not get access.

Please suggest what I should configure for it.

Praveena Shanubhogue Mon, 08/08/2011 - 04:46

Workaround 1:

>> While creating the L2TP connection profile on the PC, make sure the setting below is configured:

   L2TP connection Properties >> Networking > Internet Protocol (TCP/IP) > Advanced > General:

   Uncheck "Use default gateway on remote network"

>> With this, a route (for the class to which the VPN pool subnet belongs) gets downloaded to the client. You may configure split-tunneling too with this setting, although it might take about 20 seconds for the routes to get downloaded into the PC's routing table.

Workaround 2:

If you prefer having all the L2TP users come all the way to the ASA (full tunneling), make sure you configure U-turning on the outside interface:

Commands required:

same-security-traffic permit intra-interface

NAT commands:

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect this to be already configured

! global (outside) 1 interface/public_ip



Nikhil Patil Mon, 08/08/2011 - 23:07

Hi Praveena,

1) As per your suggestion I have unchecked the "use default gateway on remote network" check box, but still my problem is not solved.

2) The "same-security-traffic permit intra-interface" command is already configured.

See, my VPN connection is established and I can also access the remote PC, but I cannot access the internet on the remote PC...

When I click on L2TP connection properties I get the default gateway and DNS, but I am not able to access the internet...

Praveena Shanubhogue Mon, 08/22/2011 - 22:57

Hi Nikhil,

Sorry for the delay. If you are still looking at this, the only thing that you seem to have missed from my last response is:

NAT config on outside interface

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect the following to be already configured

! global (outside) 1 interface/public_ip



Nikhil Patil Mon, 08/22/2011 - 23:25

Thanks for the reply Praveena,

I have done some changes in my configuration... but the problem is still pending....

Please check the latest configuration and suggest changes....



ASA Version 8.2(5)

hostname asa

name Router-Outside description router ip
name dc1-int description dc1-int

interface Ethernet0/0
 switchport access vlan 337
 switchport trunk allowed vlan 337
 speed 100
 duplex full

interface Ethernet0/7
 switchport access vlan 20

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan337
 nameif outside
 security-level 0
 ip address Router-Outside

boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc1-int

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 port-object eq 587
object-group service TFSPorts tcp
 port-object eq 8080
 port-object eq www
object-group service RDP tcp
 port-object eq 3389
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit ip any
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list inside_nat0_outbound extended permit ip any
access-list Split_tunnel_list remark The corporate network behind asa
access-list Split_tunnel_list standard permit
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn-pool mask
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TEST_AD protocol radius
aaa-server TEST_AD (inside) host Sg-dc1-int
 key *****
 radius-common-pw *****
http server enable
http inside
http outside
http Router-Outside outside
http outside
http outside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns Sg-dc1-int interface inside

dhcpd dns Sg-dc1-int interface outside

dhcprelay server inside
dhcprelay server dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

enable outside
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
 default-domain value
group-policy sales_policy internal
group-policy sales_policy attributes
 wins-server none
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 default-domain value
username nikhil password WKR4E1qTrDvwWKXqDo/bcQ== nt-encrypted privilege 15
username aftab.ansari password VY477ELaRYMPkrf9pes1IA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group TEST_AD
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group TEST_AD

class-map Unblock
 match access-list inside_mpc_1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map httptraffic
 match access-list inside_mpc

policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
policy-map inside-policy
 class Unblock
  inspect http
 class httptraffic
  inspect http http_inspection_policy

service-policy global_policy global
service-policy inside-policy interface inside

: end
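Praveena's Workaround 2 names the pieces a pre-8.3 U-turn needs, and the configuration posted above shows `global (outside) 1 interface` with `split-tunnel-policy tunnelall` but neither a `nat (outside) 1` line nor `same-security-traffic permit intra-interface`. The added Python checker below (my code, not from the thread or Cisco) flags exactly those gaps when run over a constructed excerpt modelled on that posting; the pool address 192.0.2.0/24 used in the fixed variant is an assumption.

```python
import re

# Constructed excerpt modelled on the ASA 8.2 config posted in the thread
# (not the poster's full config); addresses stripped as in the original.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
interface Vlan337
 nameif outside
 security-level 0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
crypto map vpn interface outside
group-policy sales_policy attributes
 split-tunnel-policy tunnelall
"""


def hairpin_check(config: str, outside: str = "outside") -> dict:
    """Report which pre-8.3 hairpin (U-turn) prerequisites are present.

    A full-tunnel L2TP client sends internet traffic into the outside
    interface and expects it back out of the same interface, so the ASA
    needs intra-interface forwarding plus a NAT rule for sources arriving
    on the outside interface whose id matches the outside global pool.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    intra = "same-security-traffic permit intra-interface" in lines
    full_tunnel = "split-tunnel-policy tunnelall" in lines
    global_ids, nat_ids = set(), set()
    for ln in lines:
        m = re.match(rf"global \({outside}\) (\d+)\b", ln)
        if m:
            global_ids.add(m.group(1))
        m = re.match(rf"nat \({outside}\) (\d+)\b", ln)
        if m and m.group(1) != "0":  # nat 0 is exemption, not translation
            nat_ids.add(m.group(1))
    missing = []
    if not intra:
        missing.append("same-security-traffic permit intra-interface")
    if not global_ids:
        missing.append(f"global ({outside}) <id> interface")
    if not (global_ids & nat_ids):  # nat id must pair with a global id
        ids = ",".join(sorted(global_ids)) or "<id>"
        missing.append(f"nat ({outside}) {ids} <vpn-pool> <mask>")
    return {"full_tunnel": full_tunnel, "intra_interface": intra,
            "global_ids": sorted(global_ids), "nat_outside_ids": sorted(nat_ids),
            "missing": missing}
```

Only a full-tunnel policy (`tunnelall`) makes these lines mandatory for internet access; with split tunneling the client routes internet traffic locally and the check is informational.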

