New Member

remote access VPN issue

Guys, we have a remote Windows machine which will use L2TP over IPsec. I have successfully configured it, but I can't ping any network inside the ASA.

I have a few questions.

My internal network connected to my inside interface is 192.168.1.0/24 (IP is 192.168.1.200/24).

I have created a local pool for remote users: 192.168.1.1-192.168.1.2

Can I use it as it's overlapping? My requirement is that when they connect they should be on the same LAN and can use the resources.

My config is as below (kindly see the NAT statement as well).

I can ping from the firewall to the client machine but can't from the machine to the internal network.

ip local pool L2TP-Pool 192.168.1.1-192.168.1.10
ASA(config)# object network Internal-Subnet
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# object network L2TP-Subnet
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.224
nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup
ASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0
ASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
ASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
ASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
ASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
ASA(config)# crypto map L2TP-VPN-MAP interface outside
ASA(config)# crypto ikev1 enable outside
ASA(config)# crypto ikev1 policy 5
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config-ikev1-policy)# lifetime 86400
ASA(config-ikev1-policy)#
ASA(config)# group-policy L2TP-Policy internal
ASA(config)# group-policy L2TP-Policy attributes
ASA(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel-ACL
ASA(config-group-policy)# intercept-dhcp enable
ASA(config-group-policy)# username petenetlive password password123 mschap
ASA(config)# tunnel-group DefaultRAGroup general-attributes
ASA(config-tunnel-general)# address-pool L2TP-Pool
ASA(config-tunnel-general)# default-group-policy L2TP-Policy
ASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
ASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
ASA(config-ppp)# no authentication chap
ASA(config-ppp)# authentication ms-chap-v2
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 210.x.x.x.x

3 REPLIES
Cisco Employee

remote access VPN issue

As long as the pool IP is not being used anywhere, you can use a pool with the same range.

Are you able to ping the inside interface of the ASA?

Do a show run man and make sure the inside interface is your management interface.

Please let me know if you can ping your inside interface.

New Member

Re: remote access VPN issue

Correct the split tunnel ACL and check it out.

From

access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0

to

access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0

________________

Best regards,
MB

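Added here as an illustration (not code from the thread, from Cisco, or from either poster): a small Python checker that parses the configuration lines quoted in the original post and tests them for the two design points the replies turn on. It checks that every pool address falls inside the destination object of the identity NAT rule (otherwise the later "source dynamic any interface" rule would PAT inside-to-client traffic), that the split-tunnel ACL actually covers the inside subnet (the typo MB points at), and it flags the pool/LAN overlap together with the condition from the first reply that no LAN host, the inside interface included, already uses those addresses. The inside interface address 192.168.1.200/24 is taken from the post's prose, and the parser only understands the handful of statement forms present in the post.

```python
import ipaddress
import re

# Constructed from the configuration lines quoted in the original post, with the
# "ASA(config...)#" transcript prompts removed so the text parses as plain config.
POSTED_CONFIG = """
ip local pool L2TP-Pool 192.168.1.1-192.168.1.10
object network Internal-Subnet
 subnet 192.168.1.0 255.255.255.0
object network L2TP-Subnet
 subnet 192.168.1.0 255.255.255.224
nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup
access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0
nat (inside,outside) source dynamic any interface
"""

# Taken from the post's prose, not from the config block: the ASA inside address.
INSIDE_INTERFACE = ipaddress.ip_interface("192.168.1.200/24")


def parse_config(text):
    """Extract only the statement types this check needs.

    Understood: 'ip local pool', 'object network' + 'subnet', standard ACL
    permits, and identity twice-NAT rules (source static X X destination static Y Y).
    """
    cfg = {"pools": {}, "objects": {}, "acls": {}, "identity_nat": []}
    current_object = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"object network (\S+)", line)
        if m:
            current_object = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)", line)
        if m and current_object:
            # ipaddress accepts "address/netmask" strings directly
            cfg["objects"][current_object] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        m = re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            cfg["identity_nat"].append((m.group(1), m.group(3)))
    return cfg


def audit(cfg, inside_if):
    """Return (code, message) findings about the remote-access addressing design."""
    findings = []
    inside_net = inside_if.network
    exempt_dsts = [cfg["objects"][dst] for _, dst in cfg["identity_nat"] if dst in cfg["objects"]]

    for pool_name, (start, end) in cfg["pools"].items():
        addrs = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]

        # Inside->client traffic must match an identity NAT rule; anything left
        # over falls through to 'source dynamic any interface' and gets PATed.
        uncovered = [a for a in addrs if not any(a in net for net in exempt_dsts)]
        if uncovered:
            findings.append(("NAT_EXEMPT_GAP",
                             f"{pool_name}: {len(uncovered)} address(es) such as {uncovered[0]} "
                             "are outside every identity-NAT destination object"))

        # Carving the pool out of the LAN subnet works only if no LAN host
        # (the ASA's own inside address included) already uses those IPs.
        if any(a in inside_net for a in addrs):
            findings.append(("POOL_OVERLAPS_INSIDE",
                             f"{pool_name} overlaps {inside_net}; keep {start}-{end} out of DHCP/static use"))
        if inside_if.ip in addrs:
            findings.append(("POOL_CONTAINS_INTERFACE",
                             f"{pool_name} includes the inside interface address {inside_if.ip}"))

    # The split-tunnel ACL decides what the client sends into the tunnel; if it
    # misses the inside subnet, LAN-bound pings never enter the tunnel at all.
    for acl_name, nets in cfg["acls"].items():
        if not any(inside_net.subnet_of(net) for net in nets):
            findings.append(("SPLIT_TUNNEL_MISS",
                             f"{acl_name} permits {', '.join(map(str, nets))} but not {inside_net}"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_config(POSTED_CONFIG), INSIDE_INTERFACE):
        print(f"[{code}] {msg}")
```

Run against the posted lines it reports the pool/LAN overlap (allowed, per the first reply, as long as those addresses are reserved) and the split-tunnel mismatch; with the ACL corrected to 192.168.1.0/24 only the overlap note remains, and widening the pool past 192.168.1.31 would additionally trip the identity-NAT gap check because L2TP-Subnet is a /27.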
New Member

Re: remote access VPN issue

Sorry, that was a typo; the access list is 192.168.1.0/24, by mistake I have written 100. Can you see what the issue is? Thanks.
