ASA5505 L2TP/IPsec VPN establishes but no internet access on remote PC

Unanswered Question
Aug 6th, 2011

Hi,

I am new to Cisco ASA.

I have configured L2TP/IPsec (Windows VPN) and I am using the Windows VPN client. The VPN is established successfully; I then took remote control of PC 10.0.0.5 and tried to access the internet from it, but I did not get access.

Please suggest what I should configure for this.

pshanubh Mon, 08/08/2011 - 04:46

Workaround 1:

>> While creating the L2TP connection profile on the PC, make sure the following setting is configured:

L2TP connection Properties > Networking > Internet Protocol (TCP/IP) > Advanced > General:

Uncheck "Use default gateway on remote network"

>> With this, a route (for the class to which the VPN pool subnet belongs) gets downloaded to the client. You may configure split tunneling too with this setting, although it might take about 20 seconds for the routes to get downloaded into the PC's routing table.

Workaround 2:

If you prefer having all the L2TP users come all the way to the ASA (full tunneling), make sure you configure U-turning on the outside interface:

Commands required:

same-security-traffic permit intra-interface

NAT commands:

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect this to be already configured

! global (outside) 1 interface/public_ip

Regards,

Praveen
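The two workarounds above, written out as ASA 8.2 configuration. This is an added example, not configuration from the thread or from Cisco; it borrows the interface names, the VPN pool 192.168.50.1-60 (covered by 192.168.50.0/26), the group-policy sales_policy and the list names inside_nat0_outbound and Split_tunnel_list from the running configuration Nikhil posts later in the thread, where Split_tunnel_list permits the pool subnet itself rather than the LAN and no nat (outside) statement appears. The client address and the 10.0.0.0/24 LAN in the NAT exemption are assumptions taken from the thread; intercept-dhcp is the ASA group-policy mechanism that answers the Windows L2TP client's DHCP Inform so it can learn split-tunnel routes.

```cisco
! --- Option A: full tunnel, U-turn (hairpin) on the outside interface ---
! A packet decrypted from the L2TP/IPsec tunnel arrives on "outside" and, for an
! internet destination, must leave through "outside" again. Without this line
! the ASA drops it as same-interface traffic.
same-security-traffic permit intra-interface
!
! PAT for the VPN pool on its way back out. Praveen's "nat (outside) 1" takes
! the pool as its subject; global (outside) 1 is the PAT address the inside
! hosts already use, so VPN clients share the interface address.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.50.0 255.255.255.192
!
! NAT exemption for LAN <-> pool traffic so access to 10.0.0.x is not translated
! (the posted config uses "any" as the source; the LAN subnet is tighter).
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
!
! Group policy stays full-tunnel: every client packet, internet included, is
! carried over the tunnel and then inspected and translated by the ASA.
group-policy sales_policy attributes
 split-tunnel-policy tunnelall
!
! --- Option B: split tunnel (only the corporate LAN crosses the tunnel) ---
! The list names what is reachable through the tunnel: the LAN behind the ASA,
! not the VPN pool itself.
access-list Split_tunnel_list remark The corporate network behind asa
access-list Split_tunnel_list standard permit 10.0.0.0 255.255.255.0
!
! Windows L2TP clients learn the split routes through a DHCP Inform exchange;
! intercept-dhcp lets the ASA answer it (the mask is the client's pool mask).
group-policy sales_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
 intercept-dhcp 255.255.255.0 enable
!
! On the client, "Use default gateway on remote network" stays unchecked, so
! internet traffic uses the local ISP path and never enters the tunnel.
```

Option A keeps all client traffic under the ASA's inspection and logging, which is the usual reason to prefer it; Option B reduces load on the tunnel but leaves the client's internet traffic outside the corporate controls, so the choice is a policy decision rather than just a connectivity fix.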

nnikhil.patil Mon, 08/08/2011 - 23:07

Hi Praveen,

1) As per your suggestion I have unchecked the "Use default gateway on remote network" check box, but my problem is still not solved.

2) The "same-security-traffic permit intra-interface" command is already configured.

See, my VPN connection is established and I can also access the remote PC, but I cannot access the internet on the remote PC...

When I click on the L2TP connection properties I get the default gateway 10.0.0.1 and DNS 10.0.0.4, but I am not able to access the internet...

pshanubh Mon, 08/22/2011 - 22:57

Hi Nikhil,

Sorry for the delay. If you are still looking at this, the only thing that you seem to have missed from my last response is:

NAT config on the outside interface

nat (outside) 1

(you do not have to put the "outside" keyword at the end)

! I would expect the following to be already configured

! global (outside) 1 interface/public_ip

Regards,

Praveen

nnikhil.patil Mon, 08/22/2011 - 23:25

Thanks for the reply, Praveen,

I have made some changes in my configuration, but the problem is still pending...

Please check the latest configuration and suggest changes...

Regards,

Nikhil

ASA Version 8.2(5)
!
hostname asa
domain-name digital.net
names
name 121.241.66.217 Router-Outside description router ip
name 10.0.0.4 dc1-int description dc1-int
dns-guard
!
interface Ethernet0/0
 switchport access vlan 337
 switchport trunk allowed vlan 337
 speed 100
 duplex full
interface Ethernet0/7
 switchport access vlan 20
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan337
 nameif outside
 security-level 0
 ip address Router-Outside 255.255.255.252
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc1-int
 name-server 1.2.3.4
 name-server 101.101.101.5
 name-server 101.101.101.6
 domain-name spheregen.net
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 port-object eq 587
object-group service TFSPorts tcp
 port-object eq 8080
 port-object eq www
object-group service RDP tcp
 port-object eq 3389
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.192
access-list Split_tunnel_list remark The corporate network behind asa
access-list Split_tunnel_list standard permit 192.168.50.0 255.255.255.192
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 1.2.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TEST_AD protocol radius
aaa-server TEST_AD (inside) host Sg-dc1-int
 key *****
 radius-common-pw *****
http server enable
http 10.0.0.0 255.255.255.0 inside
http 114.143.102.2 255.255.255.255 outside
http Router-Outside 255.255.255.255 outside
http 121.241.73.162 255.255.255.255 outside
http 61.12.123.178 255.255.255.255 outside
http 76.184.65.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns Sg-dc1-int 10.0.0.2 interface inside
!
dhcpd dns Sg-dc1-int 101.101.101.5 interface outside
!
dhcprelay server 10.0.0.2 inside
dhcprelay server dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.4
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
 default-domain value spheregen.net
group-policy sales_policy internal
group-policy sales_policy attributes
 wins-server none
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 default-domain value spheregen.net
username nikhil password WKR4E1qTrDvwWKXqDo/bcQ== nt-encrypted privilege 15
username aftab.ansari password VY477ELaRYMPkrf9pes1IA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group TEST_AD
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group TEST_AD
!
class-map Unblock
 match access-list inside_mpc_1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
policy-map inside-policy
 class Unblock
  inspect http
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
Cryptochecksum:27a910363710815fd889c9cc72a3d173
: end
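A way to check, from the ASA CLI, which parts of the U-turn path are actually in effect once a client has connected. This is an added verification sequence, not part of the thread, written against the names in the configuration above: same-security-traffic, the nat/global pair for the 192.168.50.0/26 pool and the crypto map on outside. The pool address 192.168.50.5 and the destination 203.0.113.10 (a documentation address standing in for any internet host) are assumed values for the simulated packet.

```cisco
! 1. Is intra-interface (U-turn) traffic permitted at all?
show running-config same-security-traffic
!    expected line: same-security-traffic permit intra-interface
!
! 2. Is there a dynamic NAT rule for the pool on the outside interface, and a
!    matching global? Both must be present for the client's internet traffic.
show running-config nat
show running-config global
!    expected: nat (outside) 1 192.168.50.0 255.255.255.192
!              global (outside) 1 interface
!
! 3. Is the tunnel up, and does traffic flow both ways through it?
show vpn-sessiondb remote
show crypto ipsec sa
!    #pkts decaps rising while #pkts encaps stays flat means client packets
!    arrive but replies never re-enter the tunnel: a NAT or routing problem on
!    the ASA, not an IPsec problem.
!
! 4. Walk a simulated packet through the rule base: a pool client (its packet
!    appears on "outside" after decryption) opening a web connection.
packet-tracer input outside tcp 192.168.50.5 1025 203.0.113.10 80
!    A working hairpin ends with "Action: allow", a NAT phase that translates
!    the source to the outside interface address, and output-interface outside.
!    "Action: drop" names the failing phase, which is the piece to fix.
!
! 5. Once the client browses, the translation should exist.
show xlate | include 192.168.50
```

Step 4 is the one to run first when a user reports "VPN up, no internet": it exercises the same-security check, the NAT lookup and the egress ACL in one command, so the drop reason tells you which of Praveen's two commands is missing without waiting for a user to reproduce the problem.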

Posted August 6, 2011 at 4:26 AM
Tags: asa_5500, vpn
Categories: ASA