Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA L2TP/IPsec VPN no internet access

Hi

 

I have problem which i've been trying to fix for a couple of day now. I can't get clients who connnect to ASA to have internet working (i can ping www.google.com) but browsing internet with e.g. Firefox doesn't work. I want to do full tunnel not split tunnel. 192.168.100.2 is a internal DNS server on Windows 2012.

 

Cilents are using build-in Windows 7/8 VPN client.

 

Here is my config:

 

: Saved
:
ASA Version 9.1(4)
!
hostname asa5505
enable password XXXXXXXXXXXXX encrypted
names
ip local pool L2TP-Pool 192.168.101.1-192.168.101.100 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.0.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit intra-interface
object network XXXXX_192.168.100.22
 host 192.168.100.22
object network L2TP-Pool_192.168.101.0
 subnet 192.168.101.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list OUTSIDE_TO_INSIDE extended permit tcp any object XXXXX_192.168.100.22 eq 5005
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source dynamic L2TP-Pool_192.168.101.0 interface
nat (outside,inside) source static L2TP-Pool_192.168.101.0 L2TP-Pool_192.168.101.0

!
object network XXXXX_192.168.100.22
 nat (inside,outside) static interface service tcp 5005 5005
object network obj_any
 nat (inside,outside) dynamic interface
access-group OUTSIDE_TO_INSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
 dns-server value 192.168.100.2
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
username test password XXXXXXXXXXXXXXXXXXXX nt-encrypted
username test attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy L2TP-Policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:60f729af42a0e4b547a960fc2300ece7
: end

 

292
Views
0
Helpful
0
Replies
CreatePlease to create content