L2TP not getting through ASA box

asgeirbjarnason (Level 1)

I'm trying to introduce a Cisco ASA firewall instead of an ISP-supplied Cisco 892 router at one of the companies that I contract for. The problem is, they have both a site-to-site VPN that needs to terminate on the ASA itself and a Windows Server that needs to sit behind the ASA, acting as an L2TP/IPsec VPN endpoint for remote-access users.

I got the L2TP/IPsec to work for a split second by running the command "sysopt connection permit-vpn", but as soon as I enabled the site-to-site IPsec tunnel that terminates on the ASA itself I couldn't use the L2TP VPN anymore, and I have no idea why.

There are three interfaces that I think are relevant here:

  • outside (eth1/1.38), the internet connection of the site. Security level 0
  • inside-public-ips (eth1/2.2), a small /29 subnet of public IP addresses. The public end of the VPN server is here. Was security level 30 but I tried changing to security level 0 (to see if the same-security permit rules would help).
  • inside (eth1/2), the regular office network, wifi and wired desktops and laptops. RFC 1918 subnet (192.168.200.0/24). Security level 50. The VPN server has a NIC on this subnet to let through the de-tunneled traffic from VPN clients.

There are a few other subinterfaces that probably aren't pertinent here, but I'm willing to go into further detail if anybody thinks it helps.

When I remote desktop onto the VPN server and go to whatsmyip.com I get the IP address I'm expecting, so I'd guess that this isn't a NAT problem.

I stripped all the firewall rules and just put in dummy rulesets that permit ip any any, so there shouldn't be any explicit firewall rules stopping the traffic. Each of these three interfaces has its own dummy ruleset applied to it.

I added inspect ipsec-pass-thru and inspect pptp to the policy-map global-policy, and sysopt connection permit-vpn. I've never actually had to pass IPsec or L2TP traffic through an ASA box (rather than terminate it on the ASA box itself), so I'm kind of blind to what the problem could be and I don't know where to start looking for the underlying problem. Any suggestions?

2 Replies

Hello,

It would be better to post the full running configuration of the ASA.

If your access lists allow everything, UDP 500 and UDP 4500 should be allowed as well, so that cannot be the problem...

NAT-T (NAT traversal) is enabled by default, I think. Check if it is, and toggle it on/off. I don't know if the Windows L2TP server requires it or not.

Hi Georg. Thanks for the pointer about adding the config. I'm attaching it now. I anonymized the public IP addresses by substituting them with RFC 5737 addresses and changed all references to the company name to CORP. Otherwise this config is verbatim.

Regarding NAT-T, I'm not sure that applies here. The server that receives the L2TP/IPsec is on a public IP address, so there is no NAT going on on the ASA side. Do you mean that NAT-T has to be specifically turned on in the inspection engine even for pass-through traffic that isn't network-translated on the ASA side?
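For reference, here is a minimal ASA configuration that covers the two things the thread discusses: L2TP/IPsec passing through the ASA to a Windows server on a public /29, and a site-to-site tunnel terminating on the ASA's own outside address, followed by the checks to run while a remote client tries to connect. This is an added example written for this page; it is not the poster's attached configuration and not Cisco documentation. All addresses are assumptions drawn from the RFC 5737 documentation ranges (outside 203.0.113.1, VPN server 203.0.113.10 in 203.0.113.8/29, site-to-site peer 198.51.100.1, a remote client 198.51.100.50), and the object, ACL, crypto map and transform-set names are invented for illustration.

```cisco
! Added example, not the thread's configuration. Addresses and names are assumed.
!
! 1. Flows an L2TP/IPsec server must receive through the ASA:
!    IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50) and, only for
!    clients that run plain L2TP without IPsec, L2TP itself (UDP 1701).
!    ESP is neither TCP nor UDP, so a rule set that is not "permit ip any any"
!    needs the explicit esp line.
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 1701
access-group OUTSIDE_IN in interface outside

! 2. The public /29 is routed, not translated: identity NAT keeps the server's
!    address intact in both directions (consistent with the whatsmyip test).
object network VPN-SERVER
 host 203.0.113.10
 nat (inside-public-ips,outside) static 203.0.113.10

! 3. Pass-through inspection. ipsec-pass-thru watches the IKE exchange and then
!    permits the matching ESP/AH flows through the box. It applies to IPsec that
!    transits the ASA; the site-to-site tunnel below does not use it.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! 4. Site-to-site tunnel terminating on the ASA's outside address.
!    The crypto ACL must NOT match the VPN server's /29, otherwise replies from
!    the server toward remote clients get pulled into the site-to-site tunnel.
access-list S2S_TRAFFIC extended permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address S2S_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <assumed-psk>

! sysopt connection permit-vpn exempts traffic the ASA itself decrypts from the
! interface ACLs. It does nothing for IPsec that merely passes through the ASA,
! so it is neither required nor harmful for the L2TP server above.
sysopt connection permit-vpn

! 5. Checks while a remote client attempts to connect. packet-tracer names the
!    phase (ACL, NAT, VPN, inspect) in which a packet is dropped; the capture
!    and conn table show whether the IKE and ESP flows reach the server and
!    whether the return traffic comes back.
packet-tracer input outside udp 198.51.100.50 500 203.0.113.10 500
packet-tracer input outside udp 198.51.100.50 4500 203.0.113.10 4500
capture L2TP interface outside match udp any host 203.0.113.10
capture L2TP_ESP interface outside match esp any host 203.0.113.10
show capture L2TP
show capture L2TP_ESP
show conn address 203.0.113.10
show service-policy inspect ipsec-pass-thru
show crypto ipsec sa peer 198.51.100.1
```

The last command is the check for the interaction the original post describes: if the encaps/decaps counters on the site-to-site SA increase while a remote client tries to reach the L2TP server, the crypto ACL is matching that traffic and the server's replies are being encrypted toward the other site instead of routed back out. On the NAT-T question, `crypto isakmp nat-traversal` only governs tunnels the ASA terminates; for the pass-through server the relevant NAT-T behaviour is negotiated between the Windows server and the client, and the ASA just needs UDP 4500 and the pass-through inspection to let it by.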