How to create NAT exempt at ASA5506-X 9.8(2) version

boris1asa
Level 1

Hi,

I have a problem with ASA5506-X 9.8(2) since I cannot create L2TP VPN to ASA5506-X through ASDM. After completing the wizard I am getting an error that NAT is not complete.

I remember from the old ASA5505 that it was easy to create a NAT exempt rule. Now I cannot find it anymore. I am not very familiar with NAT creation by CLI, so I see only a "dark tunnel" in front of me.

So, can someone help me to create the necessary NAT to enable remote access to the internal LAN through the ASA 5506-X in order to support L2TP RA VPN to the inside interface? I would like to enable the split tunnel option and use a NAT exempt rule that I cannot create by ASDM. Let the L2TP pool be e.g. 10.10.10.0/24.
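
Since the thread never spells out the NAT exemption the question asks for, here is what that rule looks like in ASA 8.3+/9.x CLI. This is an added example, not configuration posted in the thread: the pool 10.10.10.0/24 is the one named in the question, while the inside LAN 192.168.1.0/24, the interface names inside/outside and the group-policy name L2TP_GP are assumed placeholders.

```text
! Network objects: the inside LAN (assumed 192.168.1.0/24) and the L2TP pool from the question
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network L2TP_POOL
 subnet 10.10.10.0 255.255.255.0
!
! NAT exemption on 8.3+ is a twice-NAT identity rule: inside hosts talking to
! VPN clients keep their real source address and the pool keeps its real destination.
! Manual NAT sits in section 1, so it is matched before any object (auto) PAT rule
! that would otherwise rewrite inside->outside traffic. It is scoped to the pool only,
! so Internet-bound traffic is still translated as before.
! no-proxy-arp: the ASA does not answer ARP for the pool addresses.
! route-lookup: the egress interface is chosen from the routing table, not the NAT pair.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static L2TP_POOL L2TP_POOL no-proxy-arp route-lookup
!
! Split tunnel: only the inside LAN is sent through the tunnel, everything else stays local.
! The group-policy name is assumed; use the one the wizard created for the L2TP tunnel group.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy L2TP_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Checks: the exemption appears in section 1 with a translate_hits counter, and
! packet-tracer shows which NAT rule a LAN -> pool packet actually matches.
show nat detail
packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.5 detailed
```

If packet-tracer still reports the inside->outside PAT rule for a packet destined to the pool, the exemption is either missing, below another manual rule that matches first, or using objects that do not cover the addresses in use.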

43 Replies

You use a crypto map (dynamic), not a crypto ACL.
MHM

below

All about crypto:

crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Are you using the same PSK for both L2L and RA? If yes, change the PSK.

MHM

No, the PSK is different for RA. Is there some test, some command that I can run on my ASA? Maybe you can get more info from such a test?

Run some debugs while you are testing the connection.

debug l2tp 255

debug crypto ikev1 255

debug crypto ipsec 255

--
Please remember to select a correct answer and rate helpful posts

I am getting errors for all three commands when I run them through SSH. DEBUG is not supported in the CLI window of ASDM.

So, how can I run those tests? Is there some syntax error?

You need to run the commands from the CLI, not from the ASDM GUI.

That is not possible. I wrote in the previous mail that DEBUG commands are not supported in the CLI @ ASDM. Pls, check the log below.

I don't have an ASA on version 9.8 that I can test on, as this is quite an old version. Type in debug crypto ikev1 ? and see what options there are. It might be debug crypto ikev1 sa 255; as for debugging l2tp, you will again need to use the ? to see what the options are.

Dear Marius,

I posted below, under @MHM Cisco World, my new result with a completely new configuration without split tunneling. Could you check it please? I posted it with time stamp 02-12-2024 11:35 AM.

Have you enabled ikev2 on the outside interface? I did not see the command in the configuration you posted.

crypto ikev2 enable outside

Well, I put crypto ikev1 enable outside

but it did not bring anything new. ASA log is the same as before.

I am not using ikev2.

Run some debug commands as I mentioned. If debug crypto ikev1 255 is not available, then try debug crypto ikev1 sa 255 or even debug crypto isakmp 255. Also check to see if debug l2tp is available. Once you have some debugs set up, try connecting and then post the output here for analysis (preferably in an attached txt).

We need some debugs to help identify what is happening.

This is what I get in the log when trying to connect from a Windows 10 L2TP connection:

[attached screenshot: boris1asa_1-1707692728052.png]
