New Member

L2TP VPN configuration on Cisco ASA with Windows/Mac machine: internet problem

Dear All,

I have successfully configured an L2TP VPN on an ASA 5510 with version 8.0(4) of the IOS.

When I connect using this VPN my internet doesn't work, even if I set a proxy or DNS, or remove the proxy.

It doesn't work. I can only access the resources behind the firewall. I am using an extended access-list;

I tried with a standard access-list also.

Kindly suggest what the mistake could be.

Thanks

Jv

1 ACCEPTED SOLUTION
Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Split tunnel for an L2TP over IPSec tunnel is not configured on the head end (ASA); it needs to be configured on the client itself, as per the following article from Microsoft:

http://technet.microsoft.com/en-us/library/bb878117.aspx

19 REPLIES

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Hi,

The internet problem on Windows is solved, but what about the Macintosh machine?

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Hi Halijenn,

Thanks for the link, but if I uncheck "send all traffic to VPN" then I can't access the resources behind the firewall.

Regards,

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Halijenn,

After removing the default gateway from the Windows machine the internet started working, but

I can't access the resources behind the firewall, meaning I can't ping or access the servers behind the firewall.

Regards

Jvalin

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Did you explicitly configure the route statement for the corporate internal subnets as per the Microsoft URL provided? You would need to explicitly add a route on the client for the corporate internal subnets, as well as unchecking the "Use default gateway on remote network" option.

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Halijenn,

What should be the gateway if I add the routes statically?

Regards,

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Re-check the "Use default gateway on remote network" option, and connect through the L2TP over IPSec. From a DOS prompt, check the output of "route print". The current default gateway after the L2TP over IPSec client is connected is the default gateway you need to configure.

Once you uncheck the "Use default gateway on remote network" option, it would use the PC's normal default gateway to connect to the Internet, hence the requirement to add specific routes for the tunnelled (VPN) traffic towards your corporate intranet subnets.

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

I am not getting the same IP address and default gateway every time.

I have configured 192.168.206.0/24 for L2TP users.

When I connect I get 192.168.206.14, and the gateway is the same.

Next time I connect it's different.

Regards,

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Yes, unfortunately that is the downside of using L2TP over IPSec, as split tunneling is not supported on the head end like it is with the native IPSec VPN.

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

So what shall I do in that case then?

Anyhow, I will have to give IP addresses to the L2TP guys from the firewall only.

The solution which you gave, to add routes for the corporate network using the gateway I am getting,

is not valid as I am getting different gateways every time.

Regards,

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

What are the subnets behind your corporate network? If the IP pool subnet is in the same major subnet, it will automatically create a correct major subnet route, therefore you can access the intranet network based on that. So if your intranet subnet happens to be in the 10.0.0.0 subnet, assign the IP pool a unique 10.x.x.x subnet too. Otherwise, unfortunately, that is the only solution with L2TP over IPSec.

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

The corporate network behind the firewall is

192.168.200.0/24

192.168.201.0/24

192.168.202.0/24

192.168.203.0/24

192.168.205.0/24 - Cisco VPN client users

and the pool for the L2TP guys is 192.168.206.0/24

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

One possible workaround is to change the IP pool subnet mask from 255.255.255.0 to 255.255.0.0.

Change the mask for 192.168.205.0/24 to 192.168.205.0/16.

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

I think I should add 192.168.0.0/16.

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

No, what I mean is change the IP pool mask from /24 to /16 on the ASA as follows:

ip local pool <pool-name> 192.168.205.1-192.168.205.254 mask 255.255.0.0

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Yes, I got your point, but what difference will it make?

Regards,

New Member

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

Halijenn,

Once I configure the NAT exempt in the firewall it will automatically convert it to 192.168.0.0/16.

Actually I want this solution for Mac basically, but I thought if I can solve it first on Windows it will be easy for Mac.

I don't think it is possible for Windows too.

After connecting the L2TP VPN I can see two default routes, one pointing to the VPN gateway and one pointing to the original machine gateway with an increased metric.

Regards

Jvalin

Cisco Employee

Re: L2TP VPN configuration on Cisco ASA with Windows/Mac machine

If you change the mask to /16, it would appear as 192.168.0.0 once you are connected, and that route should point towards the VPN gateway. If you uncheck the "Use default gateway on remote network" option, then the default gateway would be your original machine gateway.

So because 192.168.0.0/16 points towards the VPN gateway, when you try to access your corporate internal networks, which are in the 192.168.x.x/24 subnet range, they will be routed towards the VPN gateway. Everything else would route towards the original machine gateway.

With this solution, you don't even have to add any routes on the client pc.
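The two approaches discussed in this thread (adding per-subnet routes by hand after reading the gateway from "route print", and widening the ASA pool mask to /16 so the client installs a 192.168.0.0/16 route) both come down to how the Windows client's longest-prefix-match lookup picks a gateway. The Python model below is an added example written for this thread, not something any poster supplied or a capture of a real "route print"; the LAN gateway 10.0.0.1 and the destination hosts are constructed sample values, and the route metrics are representative rather than copied from a client. It reproduces the pair of default routes Jvalin saw, then shows which gateway each destination uses in the original configuration, with the remote-default option unchecked, with manual routes, and with the /16 pool.

```python
"""Model of the Windows client routing table after an L2TP/IPsec connection.

Added example for this thread; the routes are reconstructed from the posts,
not captured from a real 'route print'. LAN_GW and the destination hosts are
constructed sample values.
"""
import ipaddress

LAN_GW = "10.0.0.1"          # constructed: the PC's own default gateway
VPN_GW = "192.168.206.14"    # the PPP address quoted in the thread; Windows
                             # shows it as the gateway of the VPN interface
CORP_SUBNETS = [
    "192.168.200.0/24", "192.168.201.0/24", "192.168.202.0/24",
    "192.168.203.0/24", "192.168.205.0/24",
]


def client_routes(pool_prefixlen, use_remote_default, extra_routes=()):
    """Return the (network, gateway, metric) triples the client ends up with.

    pool_prefixlen     -- mask length of the ASA 'ip local pool' (24 or 16)
    use_remote_default -- state of 'Use default gateway on remote network'
    extra_routes       -- (network, gateway) pairs added by hand with 'route add'
    """
    # The pool subnet is always reachable through the tunnel; with a /16 mask
    # it becomes 192.168.0.0/16, which is the whole point of the workaround.
    pool_net = ipaddress.ip_network(f"{VPN_GW}/{pool_prefixlen}", strict=False)
    routes = [
        ("0.0.0.0/0", LAN_GW, 25),     # the PC's normal default route
        (str(pool_net), VPN_GW, 1),
    ]
    if use_remote_default:
        # Windows adds a second default route through the PPP adapter with a
        # lower metric: the two default routes seen in 'route print'.
        routes.append(("0.0.0.0/0", VPN_GW, 1))
    routes.extend((net, gw, 1) for net, gw in extra_routes)
    return routes


def next_hop(routes, dest):
    """Longest-prefix match; among equal prefix lengths the lower metric wins."""
    addr = ipaddress.ip_address(dest)
    best_key, best_gw = None, None
    for net, gw, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            key = (network.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_gw = key, gw
    return best_gw


def classify(routes, dests):
    """Map each destination to the gateway the client would send it to."""
    return {d: next_hop(routes, d) for d in dests}


if __name__ == "__main__":
    # Constructed destinations: an internet host, a corporate server, the
    # ASA side of the pool, and an unrelated RFC 1918 host.
    dests = ["8.8.8.8", "192.168.200.10", "192.168.206.1", "192.168.50.7"]
    scenarios = {
        "/24 pool, remote default ON (original symptom)":
            client_routes(24, True),
        "/24 pool, remote default OFF":
            client_routes(24, False),
        "/24 pool, remote default OFF + manual routes":
            client_routes(24, False, [(s, VPN_GW) for s in CORP_SUBNETS]),
        "/16 pool, remote default OFF (workaround)":
            client_routes(16, False),
    }
    for name, routes in scenarios.items():
        print(name)
        for dest, gw in classify(routes, dests).items():
            via = "VPN" if gw == VPN_GW else "LAN"
            print(f"  {dest:16} -> {gw:16} ({via})")
```

The first scenario sends everything, internet included, into the tunnel, which is the symptom the thread opened with. Unchecking the option alone restores internet access but routes the corporate /24s to the LAN gateway, where they are unreachable; the manual routes fix that but must name the PPP gateway, which changes on every connection. Only the /16 pool needs no client-side configuration, at the cost shown by the last destination: any 192.168.x.x address without a more specific route is now tunnelled as well.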
