cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
705
Views
0
Helpful
3
Replies

Howto route traffic coming from L2TP connection to existing IPSEC tunnels ?

Jos Walters
Level 1
Level 1

Dear Readers,  i have a question which i cannot solve after reading multiple Cisco ASA 5508-X docs. The issue is the following:

 

We have one Cisco ASA 5508 in our firm which handles multiple IPSEC tunnels to our customers, including SNAT and DNAT configurations.

 

We use the L2TP Client vpn connections for our employees to connect to our local lan which is behind the inside interface.

 

Now the new question pops-up, our employees need also to be able to connect to the networks with are protected by the IPSEC tunnels.

 

If someone has any clue how to config the ASA to get it to work , that would be very helpfull..

Thanks in advance,

Jos Walters

 

3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

You need to follow below approach :

 

1. what is the IP address range for the L2TP clients get from your remote VPN.

2. if your L2TP client requires to access to protected remove site ipsec tunnel site.

3. make sure you allow both the side intrested traffic of the VPN IP range.

4. i am in assumption your undelay routing can able to reach in the network, if not you required some staticcor dynamic routing to go out for that IPSEC range IP address.

 

example :  remote vpn users get 10.10.10.x/24, this need to be allowed in IPSEC tunnel to access the resources.

 

make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Good Morning,

 

this is the message i  receive :

 

Aug 19 2019 05:40:59 172.25.1.3 LOCAL 10.24.205.144 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.25.1.3(LOCAL\jwal) dst outside:10.24.205.144 (type 8, code 0) denied due to NAT reverse path failure

 

the 172.25.1.* is the asa dhcp pool and 10.24.25.144 is the final destination which is already snat-ed 

 

If i use a second asa (5505 ) as L2TP entry device and connect both inside interface to each other ( also added routing info ) then it works without any issues, but if you use IPSEC tunnels and L2TP connections on one and the same ASA it seams to have some issues.

 

And ofcouse a jumphost could also be an option , but cannot sell this after investing in new security appl.

 

Jos

Dennis Mink
VIP Alumni
VIP Alumni

Personally. I would use a jumpbox to achive this. 

Please remember to rate useful posts, by clicking on the stars below.

Review Cisco Networking for a $25 gift card