L2TP - problem with routing VPN

Lucy Phere
Level 1

Hello,

I have a problem with routing after connecting to the VPN. (ASA 5506)

I created the VPN based on this manual: http://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html

The attachment contains my network map.
I can connect to the ASA from PC2 (WAN). After connecting I can access (ping) only the ASA device (192.168.5.1). But I can't access any other device in the ASA home office.
What must I change to be able to connect to PC1 (RDP or just ping)?

My VPN config:

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport

crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside

ip local pool Address-pool 10.0.0.1-10.0.0.254 mask 255.0.0.0

group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
vpn-tunnel-protocol l2tp-ipsec
username test password test mschap

tunnel-group DefaultRAGroup general-attributes
address-pool Address-pool
default-group-policy L2TP-VPN

tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key password

tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

object network L2TP-Pool
subnet 10.0.0.0 255.0.0.0

14 Replies

JP Miranda Z
Cisco Employee

Hi it@coosmedica.pl,

Considering the config guide you shared, it seems like you are missing the NAT. If you don't have any NAT configured, disregard this recommendation, but if you have other NAT please add the following line:

nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup

Hope this info helps!!

Rate if it helps you!!

-JP-

In the ASA I use only one port (outside). So I don't need NAT?

When I try to send this command I get an error:

Result of the command: "nat(inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup"

nat(inside,outside) source static any any destination static L2TP-Pool L2TP-Pool ^ no-proxy-arp route-lookup

ERROR: % Invalid input detected at '^' marker.

Can you share the following config:

sh run nat

sh ip (you can remove the IPs, I just need the names of the interfaces)

Hope this info helps!!

Rate if it helps you!!

-JP-

Interface "inside" is not used.

Result of the command: "sh run nat"

The command has been sent to the device


Result of the command: "sh ip"

System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.5.1 255.255.0.0 manual
GigabitEthernet1/2 inside 192.170.1.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.5.1 255.255.0.0 manual
GigabitEthernet1/2 inside 192.170.1.1 255.255.255.0 manual

Which interface of the ASA is facing PC1?

Considering the diagram, I would say PC1 is on your outside (WAN), as is PC2?

If that is correct, try this:

object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0

nat (outside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup

same-security-traffic permit intra-interface


Hope this info helps!!

Rate if it helps you!!

-JP-

Both (ASA and PC1) are connected to the same router and are on the same network (192.168.0.0 / 255.255.0.0).

Only PC2 is on another network.

ASA <-> router 1 <-> WAN <-> router2 <-> PC2

PC1 <-> router 1 <-> WAN

I would recommend you use an SSH/telnet client to add commands (not the command line of ASDM). This is what you need to make this work:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Hope this info helps!!

Rate if it helps you!!

-JP-

Thanks, I connected over SSH and configured NAT, but it still doesn't work.

I gave up on this config. I created a second interface, checked the box "Enable traffic between two or more interfaces which are configured with same security levels", and it almost works. (One interface is connected to the WAN, the second, with a different mask, to the LAN.)

Now I can connect from the WAN to the VPN and I see the other network devices. But I can't use the internet.

When I untick "use default gateway on remote network" I have internet but lose the connection to the devices behind the VPN.

Lucy,

I'm sure I can help you get this up and running. If you would like assistance with that, please share the full sanitized config of the ASA.

Hope this info helps!!

Rate if it helps you!!

-JP-

I deleted my last response.

I picked split tunneling and I now have internet with the VPN.

Now my last problem: I now have 2 interfaces. When I connect to the VPN I can ping only my VPN gateway (192.168.1.175 on interface inside). When I try to ping the "inside" interface I get: time out

When I try to ping the "outside" interface I get: TTL expired in transit

My actual config:

ASA Version 9.6(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool Address-pool 10.0.0.1-10.0.0.254 mask 255.0.0.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.170.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network L2TP-Pool
subnet 10.0.0.0 255.0.0.0
access-list global_access extended permit ip any any
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 1 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
group-policy DfltGrpPolicy attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value SPLIT
intercept-dhcp 255.255.255.255 enable
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
intercept-dhcp 255.255.255.255 enable
dynamic-access-policy-record DfltAccessPolicy
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool Address-pool
default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy L2TP-VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d421c40498e03e02fab11ce2f13949a2
: end

I tried to solve it, but I still have the same problem.

The VPN works OK, but the ASA blocks traffic inside the LAN.

Even before connecting to the VPN I can't ping the ASA from my local network.

The attachment shows my problem (all devices in the LAN).

From computer 1 I can ping:

  • ASA - 192.168.5.1
  • computer2 - 192.170.1.3

But I can't ping the ASA at 192.170.1.2

Both networks work correctly (I can ping between the networks), but the ASA doesn't accept pings from the 192.168.0.0 network to the 192.170.1.0 network...

PS. I tried this one, but got an error, I don't know why.

Result of the command: "object network obj-192.168.0.0"

The command has been sent to the device


Result of the command: "subnet 192.168.0.0 255.255.0.0"

The command has been sent to the device


Result of the command: "nat(outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup"

nat(outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination s ^tatic L2TP-Pool L2TP-Pool no-proxy-arp route-lookup

ERROR: % Invalid input detected at '^' marker.


Result of the command: "same-security-traffic permit intra-interface"

The command has been sent to the device

Which version are you running?

Hope this info helps!!

Rate if it helps you!!

-JP-

You are asking about the ASA version?

ASA5506 - 9.6(1)
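The thread turns on a handful of config lines that have to agree with each other: the address pool and the object that represents it, the NAT exemption JP recommends in the first reply, the split-tunnel ACL, and the same-security-traffic settings that the two-interface layout in the final config depends on. The checker below is an added example written for this thread; it is not Cisco tooling and not the poster's own config. It runs over a constructed sample config in the same shape as the one posted (with a static inside address in place of DHCP so the subnet can be checked offline) and reports the mismatches that typically produce "the VPN connects but I can only ping the ASA". The `lan_interfaces` argument (which interfaces hold the hosts the VPN clients must reach) is an assumption the caller supplies.

```python
"""Consistency checks for an ASA L2TP/IPsec remote-access config (added example)."""
import ipaddress
import re

# Constructed sample config: same shape as the thread's, static inside address assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.170.1.1 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 security-level 0
 ip address 192.168.1.175 255.255.255.0
ip local pool Address-pool 10.0.0.1-10.0.0.254 mask 255.0.0.0
object network L2TP-Pool
 subnet 10.0.0.0 255.0.0.0
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
same-security-traffic permit inter-interface
nat (outside,inside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
crypto map outside_map interface outside
crypto map inside_map interface inside
group-policy L2TP-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
"""


def parse_interfaces(cfg):
    """nameif -> (IPv4Interface, security-level) for statically addressed interfaces."""
    ifaces, name, level = {}, None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name, level = None, None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level "):
            level = int(s.split()[1])
        elif s.startswith("ip address ") and name:
            parts = s.split()
            if len(parts) >= 4 and parts[2] != "dhcp":  # DHCP interfaces cannot be checked offline
                ifaces[name] = (ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"), level)
    return ifaces


def parse_pool(cfg):
    """Address pool as (name, first, last, network implied by the pool mask), or None."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        return None
    name, first, last, mask = m.groups()
    return (name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last),
            ipaddress.IPv4Network(f"{first}/{mask}", strict=False))


def parse_objects(cfg):
    """'object network NAME' followed by 'subnet A M' -> {NAME: IPv4Network}."""
    return {m.group(1): ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(r"^object network (\S+)\n +subnet (\S+) (\S+)", cfg, re.M)}


def parse_split_list(cfg):
    """Networks permitted by the standard ACL named in split-tunnel-network-list, or None."""
    m = re.search(r"^ *split-tunnel-network-list value (\S+)", cfg, re.M)
    if not m:
        return None
    acl = re.escape(m.group(1))
    return [ipaddress.IPv4Network(f"{a}/{b}", strict=False)
            for a, b in re.findall(rf"^access-list {acl} standard permit (\S+) (\S+)", cfg, re.M)]


def check_config(cfg, lan_interfaces):
    """Return a list of findings; an empty list means the checked points are consistent."""
    findings = []
    ifaces = parse_interfaces(cfg)
    pool = parse_pool(cfg)
    if pool is None:
        return ["no 'ip local pool' configured"]
    pool_name, first, last, pool_net = pool

    # 1. The pool must not overlap an interface subnet, or replies never route back.
    for name, (iface, _) in ifaces.items():
        if pool_net.overlaps(iface.network):
            findings.append(f"pool {pool_name} {pool_net} overlaps interface {name} {iface.network}")

    # 2. A twice-NAT identity rule must exempt pool traffic from the interface PAT.
    pool_objs = [n for n, net in parse_objects(cfg).items() if first in net and last in net]
    exempt = [n for n in pool_objs if re.search(
        rf"^nat \(\S+,\S+\) source static any any destination static {re.escape(n)} {re.escape(n)}", cfg, re.M)]
    if not exempt:
        findings.append(f"no NAT exemption (source static any any destination static <obj> <obj>) for pool {pool_name}")

    # 3. With 'tunnelspecified', every LAN subnet must be listed or clients send it unencrypted via their local gateway.
    split = parse_split_list(cfg) or []
    if re.search(r"^ *split-tunnel-policy tunnelspecified", cfg, re.M):
        for name in lan_interfaces:
            if name in ifaces and not any(ifaces[name][0].network.subnet_of(n) for n in split):
                findings.append(f"LAN subnet {ifaces[name][0].network} on {name} is not in the split-tunnel list")

    # 4. Equal security levels need inter-interface; a tunnel terminating on the LAN interface needs intra-interface (hairpin).
    levels = {lvl for _, lvl in ifaces.values()}
    if len(ifaces) > 1 and len(levels) < len(ifaces) and "same-security-traffic permit inter-interface" not in cfg:
        findings.append("interfaces share a security level but 'same-security-traffic permit inter-interface' is missing")
    bound = re.findall(r"^crypto map \S+ interface (\S+)", cfg, re.M)
    if any(b in lan_interfaces for b in bound) and "same-security-traffic permit intra-interface" not in cfg:
        findings.append("crypto map is bound to a LAN interface but 'same-security-traffic permit intra-interface' is missing")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG, ["inside"]):
        print("FINDING:", f)
```

On the constructed sample the only finding is the missing `intra-interface` permit, because the sample binds a crypto map to the same interface that hosts the LAN; the pool mask `255.0.0.0` is accepted as-is, but note that it makes the exemption object cover all of 10.0.0.0/8, far more than the 254 addresses actually handed out.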
