Change IPsec VPN to L2TP over IPsec VPN at ASA 5510

teymur azimov
Level 1

Hi dear. I configured an IPsec VPN on a Cisco ASA 5510. All of them are working very well. Now I want to change the IPsec remote VPN to L2TP over IPsec.

I have a router, an ASA and a 3750 switch. All NAT translation is done at the router; the IPsec VPN is configured at the ASA.

I have pasted some of the router configuration.

interface GigabitEthernet0/0
 ip address x.x.x.106 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 description connect to ASA outside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby delay minimum 20 reload 20
 standby 10 ip 10.0.0.4
 standby 10 priority 110
 standby 10 preempt delay minimum 20 reload 20 sync 10
 standby 10 name Redundancy
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat Stateful id 1
  redundancy Redundancy
   mapping-id 1
   protocol   udp
ip nat inside source static udp 10.0.0.2 500 x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable

ASA configuration (some of the config):

interface Ethernet0/0
 description connect to RTR1 inside
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Split_Tunnel standard permit 172.16.10.0 255.255.255.0
access-list Split_Tunnel standard permit 172.30.30.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.193.0 255.255.255.0
access-list Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.200.0 255.255.255.0
access-list Split_Tunnel standard permit 172.30.60.0 255.255.255.0
access-list nonat_inside extended permit ip 192.168.193.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat_inside extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat_inside extended permit ip 172.30.60.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (DMZ) 0 access-list nonat
aaa-server cosmoasa1 protocol radius
aaa-server cosmoasa1 (inside) host x.x.x.11
 key cosmoasa1test
 radius-common-pw cosmoasa1test
aaa authentication ssh console LOCAL
http server enable
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVPN internal
group-policy RAVPN attributes
 dns-server value x.x.x.x
 vpn-idle-timeout 45
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 default-domain value azercosmos.local
username cisco password HWFflA1bzYiq7Uut encrypted
username risk password 05of5udE1HAoaxcl encrypted
tunnel-group xxxx type remote-access
tunnel-group xxxx general-attributes
 address-pool VPNPOOL
 authentication-server-group cosmoasa1
 default-group-policy RAVPN
tunnel-group xxxx ipsec-attributes
 pre-shared-key *

This is my IPsec configuration. It is a working config. As you see, I do a static NAT of the ASA outside IP for the VPN at the router. Now I want L2TP over IPsec.

Before I do it I have some questions.

1. Must I do a static NAT for UDP port 1701 for the L2TP over IPsec VPN? Can I write an access list at the ASA to open port 1701?

2. Can I remove this static NAT, or can I not change anything? Is this NAT correct for the L2TP over IPsec VPN?

ip nat inside source static udp 10.0.0.2 500 1x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 1701 1x.x.x.6 1701 redundancy Redundancy mapping-id 1 extendable

3. As you see, user authentication is from the RADIUS server for the IPsec VPN. I also want this to be the same for the L2TP over IPsec VPN.

4. I think that I must add this additional config. Is this true?

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

vpn-tunnel-protocol IPSec l2tp-ipsec

Is this config enough for the L2TP over IPsec VPN? What additional config do I need?

Please help me.
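As an added illustration (not the poster's config and not from the linked Cisco example), the ASA-side pieces that an L2TP over IPsec remote-access setup adds next to the existing IPsec remote-access config above, reusing the names from the post (RA-TS, DYN_MAP, RAVPN, VPNPOOL, cosmoasa1). It assumes ASA 8.2-era syntax, that the pool and RADIUS server group already exist, and that the RADIUS server accepts MS-CHAPv2; the pre-shared key is a placeholder.

```cisco
! Added example, not the poster's running config.
! Assumed: ASA 8.2-era syntax; VPNPOOL and aaa-server cosmoasa1 already exist.

! L2TP/IPsec clients negotiate transport-mode ESP, so a transport-mode
! transform set is needed beside the tunnel-mode one used by the IPsec client.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport

! Offer both transform sets on the existing dynamic map so either client type matches.
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS L2TP-TS

! NAT traversal keepalives. The L2TP payload (UDP 1701) is carried inside ESP,
! or inside UDP 4500 once NAT-T is detected, so it is not exposed as a separate
! port on the outside; only UDP 500 and 4500 reach the ASA from the router.
crypto isakmp nat-traversal 20

! Allow both protocols on the existing group policy.
group-policy RAVPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec

! Native L2TP/IPsec clients send no group name, so they land in DefaultRAGroup;
! that group therefore carries the PSK, the RADIUS server group, the pool and
! the PPP authentication method.
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPOOL
 authentication-server-group cosmoasa1
 default-group-policy RAVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

Whether a given client honours the split-tunnel list pushed by the ASA depends on the client, so that behaviour should be verified with the client in use rather than assumed from the ASA side.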

2 Replies

Farrukh Haroon
VIP Alumni

Hello

Please see the following link for a complete example. A much easier approach is to remove the IPsec config and then start the L2TP config; it will confuse you less.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

Regards

Farrukh

Thanks, dear Farrukh, for answering me. I read this link before. I have exact questions.

1. As you see, in my configuration the ASA is behind the NAT device, which is the router in my topology. I read at the Cisco forum that a guy wrote:

"L2TP over IPsec for an ASA behind a NAT device is not a usual configuration the ASA supports." Is he right?

2. Is it possible to configure split-tunnel on the L2TP over IPsec VPN? Does split-tunnel work?

3. For the IPsec VPN I wrote a static NAT. When I configure the L2TP over IPsec VPN, which NAT must I write?

Both of them? Or do I write one or two of them? I want to do static port translation.

ip nat inside source static udp 10.0.0.2 500 1x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 1701 1x.x.x.6 1701 redundancy Redundancy mapping-id 1 extendable

This is my question. Please, if you know the answer, help me.

Thanks