How to create NAT exempt at ASA5506-X 9.8(2) version

boris1asa (Level 1)

Hi,

I have a problem with ASA5506-X 9.8(2) since I cannot create an L2TP VPN to the ASA5506-X through ASDM. After completing the wizard I am getting an error that NAT is not complete.

I remember from the old ASA5505 that it was easy to create a NAT exempt rule. Now I cannot find it anymore. I am not very familiar with NAT creation by CLI, so I see only a "dark tunnel" in front of me.

So, can someone help me to create the necessary NAT to enable remote access to the internal LAN through the ASA 5506-X in order to support L2TP RA VPN to the inside interface? I would like to enable the split tunnel option and use the NAT exempt rule that I cannot create by ASDM. Let the L2TP pool be e.g. 10.10.10.0/24.
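What the question asks for, written out as an added example config (this is not the original poster's configuration and not taken from Cisco's documentation): the identity NAT rule that exempts traffic between the inside LAN and the L2TP pool from translation, the pool itself, and the split-tunnel list. The pool 10.10.10.0/24 comes from the post; the inside LAN 192.168.1.0/24, the interface names inside/outside and the object names are assumptions, so substitute the real ones. On a 5506-X running 9.7+ with the inside ports in a bridge group, Cisco's IRB guidelines put NAT on the bridge-group member interfaces (inside_1 and so on) rather than on the BVI name, so check show nameif before using the interface names below.

```cisco
! Added example, not the original poster's config. Inside LAN 192.168.1.0/24,
! the interface names inside/outside and the object names are assumptions.
object network OBJ-INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network OBJ-L2TP-POOL
 subnet 10.10.10.0 255.255.255.0

! L2TP client address pool (10.10.10.0/24 is the pool named in the question)
ip local pool L2TP-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! NAT exemption = identity twice NAT: inside LAN <-> VPN pool stays untranslated.
! A manual (section 1) rule is evaluated before object NAT, so it wins over an
! interface PAT rule. no-proxy-arp stops the ASA answering ARP for the pool on
! inside; route-lookup picks the egress interface from the routing table.
nat (inside,outside) source static OBJ-INSIDE-LAN OBJ-INSIDE-LAN destination static OBJ-L2TP-POOL OBJ-L2TP-POOL no-proxy-arp route-lookup

! Split tunnel: only the inside LAN is sent through the tunnel by the client
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Checks (enable mode): the exemption must appear in the section 1 list, and a
! simulated inside -> pool packet should pass the NAT phase with no translation
show nat detail
packet-tracer input inside tcp 192.168.1.10 40000 10.10.10.5 445
```

The packet-tracer line is the quickest way to confirm that ASDM's "NAT is not complete" complaint is resolved: if the NAT phase of the trace still shows the inside address being translated to the outside interface, the exempt rule either uses the wrong interface names or sits after an earlier manual rule that matches first.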

43 Replies

First add more options for encryption, hash and group of phase 1
crypto ikev1 policy 100

authentication pre-share
encryption 3des des 
hash sha md5
group 2 5
lifetime 86400

then share again 

show crypto ikev1 sa
show vpn-sessiondb detail ra-ikev1-ipsec filter protocol l2tpOverIpsec

also can you confirm that you adjusted the client PC for your split tunnel config? Can I see from the client PC
L2TP VPN Properties page
advanced TCP/IP settings

MHM

hi MHM,

I cannot add both 3des and des... obviously there is a problem with syntax that is preventing me from adding two encryption types.

There is no special configuration part to enable split tunneling on the Win10 PC.

There is only:

CONNECTION NAME, IP ADDRESS, VPN TYPE: L2TP/IPsec with PSK type, FIELD for PSK, USER and PASS.

add new policy

crypto ikev1 policy 110

authentication pre-share
encryption des 
hash  md5
group  5
lifetime 86400

also what is the OS of the client PC?
MHM

Hi MHM,

I have restored the old config without L2TP and tried to do the config again by some web instruction. The result seems to be better, there are no red marks in the log. Check it please:

[screenshot attached: boris1asa_0-1707766539498.png]

Please provide the L2TP configuration you have used.

Are you using the ASA (BVI interfaces) as a switch? If not, I would recommend removing the BVI configuration from the device and replacing it with regular ASA interface configuration. I have seen quite a few unexpected behaviors with the integration of to-the-box traffic (i.e. VPN traffic) when using BVI.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Yes, I am using the ASA as a GB switch. I do not know how I can remove the BVI configuration, other than using one port for one interface. Is there another way? My old ASA5505 did not have this problem with BVI. There I had to make one rule that applied to one interface with 4-6 physical ports.

..

can you please take screenshots of your wizard and Win 10 VPN config
send them to me as a PM
thanks a lot

MHM

Dear MHM,

I used the following procedure:

https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html

This is my other Windows 7 PC, but the VPN connection is the same as on the Windows 10 PC:

[screenshot attached: boris1asa_0-1707772042831.png]

[screenshot attached: boris1asa_1-1707772042834.png]

the screenshot you shared is correct
[screenshot attached: boris1asa_1-1707692728052.png]
this log I point to is related to a phase I mismatch issue
can you try to connect and share
debug crypto isakmp <<-
MHM

There it is:


mojaasa02(config)# debug crypto isakmp
mojaasa02(config)# Feb 15 16:32:44 [IKEv1]Group = 37.244.199.129, IP = 37.244.199.129, Can't find a valid tunnel group, aborting...!
Feb 15 16:32:45 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:46 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:49 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:56 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:33:11 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)

You are looking at an old log screenshot since I tried to create a new tunnel, this time without split tunnel according to another tutorial. The resulting log I posted to you yesterday at:

02-12-2024 11:35 AM

Below is that log:

[screenshot attached: boris1asa_1-1708017820620.png]

No red lines any more. It should be better.


Dear MHM,

should the IP Pool be the same as INSIDE subnet or not?

1- for the Pool subnet, it must be different than Inside

2- add SVC to group-policy
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc l2tp-ipsec

3- for the username you add to the ASA local DB, follow this guide and check the green note I add below
https://www.speaknetworks.com/configuring-l2tp-ipsec-vpn-cisco-asa/

username vpnuser password PASS123 mschap <<- this is needed at the end of username/password

do the same steps as you did in the original post (split and l2tp/ipsec) and only modify the group-policy vpn-tunnel-group and add the username correctly

MHM
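The three steps above, collected into one added example (not MHM's or the original poster's configuration): an IKEv1 phase 1 policy, the transport-mode transform set that L2TP/IPsec needs, the DefaultRAGroup group-policy and tunnel-group, the local user with the mschap keyword, and the two show commands used earlier in the thread. The pool name L2TP-POOL, the crypto map names, the user name and the PSK placeholder are assumptions; the phase 1 values must match what the Windows client proposes, and the ASA accepts exactly one value per encryption, hash and group line.

```cisco
! Added example, not config from the thread. Names, the user and the PSK
! placeholder are assumptions; the pool 10.10.10.0/24 is from the question.
ip local pool L2TP-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Phase 1 (IKEv1): one value per line; it has to match a client proposal
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2: L2TP/IPsec runs in transport mode, so the transform set must say so
crypto ipsec ikev1 transform-set L2TP-TS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-TS mode transport
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Step 2: the group policy must allow the l2tp-ipsec protocol
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec

! Windows L2TP clients land in DefaultRAGroup: pool, PSK and PPP authentication
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2

! Step 3: the trailing mschap keyword stores the password so that the
! MS-CHAP PPP authentication above can succeed against the local DB
username vpnuser password PASS123 mschap

! Checks (enable mode) after a client connection attempt
show crypto ikev1 sa
show vpn-sessiondb detail ra-ikev1-ipsec filter protocol l2tpOverIpsec
```

If show crypto ikev1 sa shows the peer reaching MM_ACTIVE but the session list stays empty, phase 1 is fine and the problem is in the transform set (tunnel versus transport mode), the PPP authentication settings or the user record; a peer that never gets past MM_WAIT_MSG2 points back at the phase 1 policy, which is the mismatch the debug output earlier in the thread was showing.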
