How to route traffic coming from an L2TP connection to existing IPSEC tunnels?

Jos Walters
Level 1

Dear Readers, I have a question which I cannot solve after reading multiple Cisco ASA 5508-X docs. The issue is the following:

We have one Cisco ASA 5508 in our firm which handles multiple IPSEC tunnels to our customers, including SNAT and DNAT configurations.

We use the L2TP client VPN connections for our employees to connect to our local LAN, which is behind the inside interface.

Now a new question pops up: our employees also need to be able to connect to the networks which are protected by the IPSEC tunnels.

If someone has any clue how to configure the ASA to get this to work, that would be very helpful.

Thanks in advance,

Jos Walters

 

3 Replies

balaji.bandi
Hall of Fame

You need to follow the approach below:

1. What is the IP address range the L2TP clients get from your remote VPN?

2. If your L2TP clients require access to the protected remote site behind the IPsec tunnel:

3. Make sure you allow the VPN IP range in the interesting traffic on both sides.

4. I am assuming your underlay routing is able to reach the network; if not, you require some static or dynamic routing to go out for that IPSEC range of IP addresses.

Example: remote VPN users get 10.10.10.x/24; this needs to be allowed in the IPSEC tunnel to access the resources.

Make sense?

 

BB

***** Rate All Helpful Responses *****


Good Morning,

this is the message I receive:

 

Aug 19 2019 05:40:59 172.25.1.3 LOCAL 10.24.205.144 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.25.1.3(LOCAL\jwal) dst outside:10.24.205.144 (type 8, code 0) denied due to NAT reverse path failure

 

The 172.25.1.* is the ASA DHCP pool and 10.24.25.144 is the final destination, which is already SNAT-ed.

If I use a second ASA (5505) as the L2TP entry device and connect both inside interfaces to each other (also added routing info) then it works without any issues, but if you use IPSEC tunnels and L2TP connections on one and the same ASA it seems to have some issues.

And of course a jumphost could also be an option, but I cannot sell this after investing in a new security appliance.

 

Jos
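An ASA configuration sketch, added here as an illustration and not posted by either participant, that applies BB's four points to the setup in the reply above: the L2TP pool 172.25.1.0/24 (taken from the log line) gets a NAT exemption toward the remote protected network that is evaluated before the existing SNAT/DNAT rules for that tunnel, the pool is added to the crypto ACL, and hairpinning on the outside interface is permitted because both the L2TP session and the site-to-site tunnel terminate there. Assumed: the remote protected network is 10.24.205.0/24 (the page only names the host 10.24.205.144), and the object, ACL and group-policy names are placeholders.

```cisco
! Both flows enter and leave the same interface (log: src outside -> dst outside),
! so the ASA must be allowed to hairpin traffic on "outside".
same-security-traffic permit intra-interface
!
object network L2TP-POOL
 subnet 172.25.1.0 255.255.255.0
object network CUST-A-PROTECTED
 subnet 10.24.205.0 255.255.255.0        ! assumed remote network
!
! Identity (exempt) NAT for pool -> remote net, inserted at line 1 so it is matched
! before the existing SNAT/DNAT rules for this tunnel. Without it the forward flow
! (pool -> remote) and the reverse flow (remote -> pool) hit different NAT rules,
! which is exactly the "Asymmetric NAT rules matched ... NAT reverse path failure"
! message quoted above. "route-lookup" makes the ASA use the routing table instead
! of the NAT rule to pick the egress interface.
nat (outside,outside) 1 source static L2TP-POOL L2TP-POOL destination static CUST-A-PROTECTED CUST-A-PROTECTED no-proxy-arp route-lookup
!
! If the customer expects your traffic from the SNAT address used for the inside LAN,
! replace the second L2TP-POOL above with that mapped object instead of an identity map.
!
! Interesting traffic for the site-to-site tunnel must include the pool (BB's point 3);
! the customer's crypto ACL needs the mirror image, 10.24.205.0/24 -> 172.25.1.0/24.
access-list CUST-A-VPN extended permit ip object L2TP-POOL object CUST-A-PROTECTED
!
! If the L2TP group policy split-tunnels, the remote network must be in the split list,
! otherwise the clients never send that traffic into the L2TP session.
access-list L2TP-SPLIT standard permit 10.24.205.0 255.255.255.0
group-policy L2TP-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L2TP-SPLIT
!
! Verification: the trace should show the line-1 NAT rule and an "ALLOW" result.
! packet-tracer input outside icmp 172.25.1.3 8 0 10.24.205.144
! show nat detail
```

Run the packet-tracer line with the address the failing client actually got; if the trace still stops at a NAT phase, the rule that matched is printed and the existing SNAT/DNAT line above it is the one to reorder.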

Dennis Mink
VIP Alumni

Personally, I would use a jumpbox to achieve this.

Please remember to rate useful posts, by clicking on the stars below.
