ASA 5506 VPN configuration problem

krzysztof.
Beginner

Hello,
I am trying to create an L2TP/IPsec VPN tunnel on our ASA 5506, but unfortunately I don't know why I have no access to my local network when I am connected over VPN. Could anyone help me with this?

my config:

: Saved

: 

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

!
ASA Version 9.6(1) 
!
hostname xxx
enable password xxxx encrypted
names
ip local pool VPNPOOL 192.168.130.10-192.168.130.250 mask 255.255.255.0

!
interface GigabitEthernet1/1
 description WAN1 3S
 nameif outside
 security-level 0
 ip address xx.xx.xx yy.yy.yy.yy 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.100.200 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.130.0_24
 subnet 192.168.130.0 255.255.255.0
object network 3S
 host xx.xx.xx.xx
object network NETWORK_OBJ_192.168.130.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.130.0_24 xx.xx.xx.xx yy.yy.yy.yy 
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.130.0_24 interface inside 
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.130.0_24 192.168.100.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.130.0_24 NETWORK_OBJ_192.168.130.0_24 no-proxy-arp route-lookup
nat (outside,inside) source static NETWORK_OBJ_192.168.130.0_24 NETWORK_OBJ_192.168.130.0_24
!
object network obj_any
 nat (any,outside) dynamic interface
object network 3S
 nat (any,any) static NETWORK_OBJ_192.168.130.0_24
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.100.200,CN=aaaa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
 enrollment self
 fqdn none
 subject-name CN=192.168.100.200,CN=aaaa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
 enrollment self
 fqdn none
 subject-name CN=192.168.100.200,CN=aaaa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 1517965e
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
 certificate 6b1c965e
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
 certificate 6c1c965e
  quit
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside vpnlb-ip
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPOOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 1qaz2wsx3edc4rfv5tgb
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end
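
An added example, not part of the original post: a Python audit a reviewer could run over a running-config like the one above before sharing it, flagging the DES/3DES/MD5 transform sets, the DH group 2 IKEv1 policies, the `dh-group1-sha1` SSH key exchange and a cleartext pre-shared key. The `audit` function and its weak-algorithm lists are this example's own assumptions, and the sample is a constructed excerpt of the posted config with the key replaced by a placeholder.

```python
# Algorithms this example treats as weak (an assumption of the example).
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_IKE = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
            ("group", "1"), ("group", "2"), ("group", "5")}

# Constructed excerpt of the config above; the key is a placeholder.
SAMPLE = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ikev1 policy 30
 encryption aes-256
 group 2
crypto ikev1 policy 150
 encryption des
 group 2
ssh key-exchange group dh-group1-sha1
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PLACEHOLDER-KEY
"""

def audit(config):
    """Return (kind, name, detail) findings for an ASA running-config text."""
    findings, policy = [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):
            policy = None  # a top-level command ends any policy sub-mode
        if tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and len(tok) > 4:
            weak = sorted(WEAK_ESP & set(tok[5:]))
            if weak:
                findings.append(("transform-set", tok[4], ",".join(weak)))
        elif tok[:3] == ["crypto", "ikev1", "policy"] and len(tok) == 4:
            policy = tok[3]
        elif policy and len(tok) >= 2 and (tok[0], tok[1]) in WEAK_IKE:
            findings.append(("ikev1-policy", policy, f"{tok[0]} {tok[1]}"))
        elif tok[:3] == ["ssh", "key-exchange", "group"] and tok[-1] == "dh-group1-sha1":
            findings.append(("ssh-kex", tok[-1], "group1 / SHA-1 key exchange"))
        elif tok[:2] == ["ikev1", "pre-shared-key"] and len(tok) > 2 and set(tok[2]) != {"*"}:
            # Report only that a value is present; never echo the key itself.
            findings.append(("secret", "pre-shared-key", "cleartext value present"))
    return findings

if __name__ == "__main__":
    for kind, name, detail in audit(SAMPLE):
        print(f"{kind:14} {name:22} {detail}")
```
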
