Solved: Remote access vpn between win 10 and asa 5506

Talha · ‎04-16-2019

Hello,

I am trying to follow the following guide to config win 10 remote access vpn to asa 5506 on adsm

www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html

But the issue is when I am connected to vpn I cant connect to internet on local machine. I can rdp to remote network machines but my local machine is dropping internet as soon as I connect to vpn. If I uncheck Use default gateway on remote network option (as shown in the guide in last part)I am getting the internet on local machine but cant connect to remote rdp. Below is my asa config for reference. Can someone please advise .

^
ERROR: % Invalid input detected at '^' marker.
ASA(config)# sh run
: Saved

:
: Serial Number: JAD190503LF
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1249 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname ASA
enable password rertgrer encrypted
passwd dfgdfgsd encrypted
names
ip local pool XzibitPool 10.10.10.5-10.10.10.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Lan Interface
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/2
description Wan Interface
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup Outside
dns domain-lookup management
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.0_26
subnet 10.10.10.0 255.255.255.192
object network PFORWARD-EXT
host 1.1.1.1
object network PFORWARD-INT
host 192.168.0.10
object network NETWORK_OBJ_1.1.1.64_27
subnet 1.1.1.64 255.255.255.224
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
access-list Outside extended permit icmp any4 any4 echo
access-list Outside extended permit tcp any object PFORWARD-INT
access-list Outside extended permit ip 10.10.10.0 255.255.255.192 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.10.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 1.1.1.64 255.255.255.224
access-list DefaultRAGroup_splitTunnelAcl standard permit host 192.168.0.0
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu Outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26
nat (inside,Outside) source static any any destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 no-proxy-arp route-lookup
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 no-proxy-arp route-lookup
nat (Outside,Outside) source static NETWORK_OBJ_1.1.1.64_27 NETWORK_OBJ_1.1.1.64_27 destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 no-proxy-arp route-lookup
nat (inside,Outside) source static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 no-proxy-arp route-lookup
nat (inside,Outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,Outside) dynamic interface
access-group Outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.240.1 1
route Outside 0.0.0.0 0.0.0.0 1.1.1.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=192.168.1.1,CN=XzibitASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 65e6ad5c
308201ff 30820168 a0030201 02020465 e6ad5c30 0d06092a 864886f7 0d010105
05003044 31123010 06035504 03130958 7a696269 74415341 31143012 06035504
03130b31 39322e31 36382e31 2e313118 30160609 2a864886 f70d0109 02160958
7a696269 74415341 301e170d 31393034 31313134 33353436 5a170d32 39303430
38313433 3534365a 30443112 30100603 55040313 09587a69 62697441 53413114
30120603 55040313 0b313932 2e313638 2e312e31 31183016 06092a86 4886f70d
01090216 09587a69 62697441 53413081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100c9 24bcc4ff e59cb89a 93a8494c a8265374 6374dc10
52b6a2ce f1c9f1ab bfa71aae 4568695d 1da2831f bc1c69c0 a001ab5c a95fbeca
253d8703 97160a22 08f37835 cd8ff248 7c1b618b 597bf82c 6df1d1dc fb40246a
c5fca79c 0376f11d c9c7ee7d ee9b8638 40412640 92b69c3f 66c8a05a 704e4549
7e66f13a c439de02 ef197502 03010001 300d0609 2a864886 f70d0101 05050003
81810024 fa8356d6 93d9459f d1ab954d 24433c37 32729a05 275e2138 1f723480
8677fb60 170ed77b a3344bc9 6519cee8 cfdf7a66 3dcf957f 66c5baab 9dd052ca
10739e67 14390455 7bddafbc 634403d7 49f45ab4 a1514cbc aa68d2b1 419d3f8a
fa8453eb 216fb6b9 f2df7de0 f40a3d54 cc589351 ed812550 4460eb51 c29e947f
b9d702
quit
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.110-192.168.0.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_2
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username cisci password AY0gSoQxp.h. encrypted
username john password Okr7s/== nt-encrypted privilege 0
username john attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool XzibitPool
default-group-policy DefaultRAGroup
nat-assigned-to-public-ip Outside
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0586cfc059cca43c28f3c8a55b7f111c
:ASA(config)#

Alan Ng'ethe · ‎04-22-2019

Thanks for these. I quickly labbed this setup, and ended up with results not much different than yours. For some reason the configuration of L2tp/IPSec does not 'allow' routes for the protected inside network to be pushed down to the Windows 8 client. The 'route print' results confirm that.

Some research i did is pointing me in the direction of manually adding static routes to the desired networks into the routing table of the Win8 client after the VPN is established. Its probably a shortcoming of the ppp or Win8 vpn client. I can see how this can be a nightmare in a large deployment, but at the moment it seems the only way to make it work. I haven't tried it myself, but will give it a go as soon as I have a chance. Please try it and advise on the outcome.

See the following link

Configuring Split Tunnel Client VPN

See also the VPN type:

L2TP/IPSEC PSK VPN

Note: There could be another way to make this work, and i hope somebody can offer a solution that's closer to the step by step guide done by Cisco that you shared earlier.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

View solution in original post

Alan Ng'ethe · ‎04-20-2019

Hi,

I am not sure what method you used at step 11, but I would definitely check the box to disable 'full tunneling'. The symptoms you describe suggest that 'full tunneling' may be causing your problem.

Step 11: Ensure that Enable Perfect Forwarding Secrecy (PFS) box is unchecked as some client platforms do not support this feature. Enable split tunneling to let remote users have simultaneous encrypted access to the resources defined above, and unencrypted access to the internet box is unchecked which means the full tunneling is enabled in which all traffic (including internet traffic) from the client machine will be sent to the ASA over the VPN tunnel. Click Next.

What are your Windows ip settings when you connect to the VPN, when you leave out the 'use default gateway on remote network' setting? What are they when you check it?

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Talha · ‎04-22-2019

Hi Alan,

thanks for response.

yes PFS settings are unchecked and I also checked the Enable split tunneling to let remote users have simultaneous encrypted access to the resources defined above, and unencrypted access to the internet for split tunneling.

I will paste the route output as George asked to see if that can help us understand the issue.

Talha · ‎04-22-2019

Hi Alan,

these are the IP settings when use default gateway on remote network is unchecked

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-FBD8R9
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ZyXEL-USG

Ethernet adapter VirtualBox Host-Only Network #2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter #2
Physical Address. . . . . . . . . : 0A-00-27-00-00-03
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d410:2bbd:c9ad:495c%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 151650343
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : ZyXEL-USG
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : 00-23-24-AD-BB-E4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9120:b98a:c39a:e98e%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.240.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, April 15, 2019 5:59:26 PM
Lease Expires . . . . . . . . . . : Tuesday, April 23, 2019 5:59:27 PM
Default Gateway . . . . . . . . . : 192.168.240.1
DHCP Server . . . . . . . . . . . : 192.168.240.1
DHCPv6 IAID . . . . . . . . . . . : 201335588
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
DNS Servers . . . . . . . . . . . : 8.8.8.8
192.168.240.1
NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter Xzibit:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Xzibit
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:2070:30cf:30dc:dfb4(Preferred)
Link-local IPv6 Address . . . . . : fe80::2070:30cf:30dc:dfb4%15(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 587202560
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
NetBIOS over Tcpip. . . . . . . . : Disabled

And with use default gateway on remote network is checked

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-FBD8R9
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ZyXEL-USG

Ethernet adapter VirtualBox Host-Only Network #2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter #2
Physical Address. . . . . . . . . : 0A-00-27-00-00-03
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d410:2bbd:c9ad:495c%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 151650343
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : ZyXEL-USG
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : 00-23-24-AD-BB-E4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9120:b98a:c39a:e98e%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.240.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, April 15, 2019 5:59:26 PM
Lease Expires . . . . . . . . . . : Tuesday, April 23, 2019 5:59:27 PM
Default Gateway . . . . . . . . . : 192.168.240.1
DHCP Server . . . . . . . . . . . : 192.168.240.1
DHCPv6 IAID . . . . . . . . . . . : 201335588
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
DNS Servers . . . . . . . . . . . : 8.8.8.8
192.168.240.1
NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter Xzibit:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Xzibit
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:20f3:30ea:f5f5:f5fa(Preferred)
Link-local IPv6 Address . . . . . : fe80::20f3:30ea:f5f5:f5fa%15(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 587202560
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-C2-3B-2E-00-23-24-AD-BB-E4
NetBIOS over Tcpip. . . . . . . . : Disabled

Alan Ng'ethe · ‎04-22-2019

Thanks for these. I quickly labbed this setup, and ended up with results not much different than yours. For some reason the configuration of L2tp/IPSec does not 'allow' routes for the protected inside network to be pushed down to the Windows 8 client. The 'route print' results confirm that.

Some research i did is pointing me in the direction of manually adding static routes to the desired networks into the routing table of the Win8 client after the VPN is established. Its probably a shortcoming of the ppp or Win8 vpn client. I can see how this can be a nightmare in a large deployment, but at the moment it seems the only way to make it work. I haven't tried it myself, but will give it a go as soon as I have a chance. Please try it and advise on the outcome.

See the following link

Configuring Split Tunnel Client VPN

See also the VPN type:

L2TP/IPSEC PSK VPN

Note: There could be another way to make this work, and i hope somebody can offer a solution that's closer to the step by step guide done by Cisco that you shared earlier.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Talha · ‎04-24-2019

Hi Alan,

Static route made the connection which is really awesome but the document states that every time VPN is brought up, static routes has to be added manually. I want to set it up for all users. is their any way I can put it automatically as soon as vpn is up?

Talha · ‎04-25-2019

I think I figured out the way to push command on startup using task scheduler. So I am good.

Thank you both for support

Appreciate it!

Georg Pauwen · ‎04-21-2019

Hello,

can you post the output of 'route print' from your Windows PC with the VPN connected and the 'Use default gateway on remote network' box checked, and with that box unchecked ?

Looking at your NAT, try and add the line in bold to the VPN pool network object:

ASA(config)#object network NETWORK_OBJ_10.10.10.0_26
ASA(config-network-object)# subnet 10.10.10.0 255.255.255.192
ASA(config-network-object)# nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.10.10.0_26 interface

Talha · ‎04-22-2019

Hi George,

Thanks for response.

I included the commands but did not find any difference

here is the route print when VPN is connected and Use default gateway on remote network is unchecked

===========================================================================
Interface List
3...0a 00 27 00 00 03 ......VirtualBox Host-Only Ethernet Adapter #2
9...00 23 24 ad bb e4 ......Intel(R) Ethernet Connection I217-LM
36...........................Xzibit
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 35
10.0.0.0 255.0.0.0 (Public IP) 10.10.10.5 36
10.10.10.5 255.255.255.255 On-link 10.10.10.5 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.240.0 255.255.255.0 On-link 192.168.240.6 291
192.168.240.6 255.255.255.255 On-link 192.168.240.6 291
192.168.240.255 255.255.255.255 On-link 192.168.240.6 291
207.35.32.94 255.255.255.255 192.168.240.1 192.168.240.6 36
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.240.6 291
224.0.0.0 240.0.0.0 On-link 10.10.10.5 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.240.6 291
255.255.255.255 255.255.255.255 On-link 10.10.10.5 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 331 ::/0 On-link
1 331 ::1/128 On-link
15 331 2001::/32 On-link
15 331 2001:0:34f1:8072:2070:30cf:30dc:dfb4/128
On-link
3 281 fe80::/64 On-link
9 291 fe80::/64 On-link
15 331 fe80::/64 On-link
15 331 fe80::2070:30cf:30dc:dfb4/128
On-link
9 291 fe80::9120:b98a:c39a:e98e/128
On-link
3 281 fe80::d410:2bbd:c9ad:495c/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
9 291 ff00::/8 On-link
15 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

route print when VPN is connected and Use default gateway on remote network is checked

===========================================================================
Interface List
3...0a 00 27 00 00 03 ......VirtualBox Host-Only Ethernet Adapter #2
9...00 23 24 ad bb e4 ......Intel(R) Ethernet Connection I217-LM
36...........................Xzibit
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 4260
0.0.0.0 0.0.0.0 On-link 10.10.10.5 36
10.10.10.5 255.255.255.255 On-link 10.10.10.5 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
192.168.56.0 255.255.255.0 On-link 192.168.56.1 4506
192.168.56.1 255.255.255.255 On-link 192.168.56.1 4506
192.168.56.255 255.255.255.255 On-link 192.168.56.1 4506
192.168.240.0 255.255.255.0 On-link 192.168.240.6 4516
192.168.240.6 255.255.255.255 On-link 192.168.240.6 4516
192.168.240.255 255.255.255.255 On-link 192.168.240.6 4516
207.35.32.94 255.255.255.255 192.168.240.1 192.168.240.6 4261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4556
224.0.0.0 240.0.0.0 On-link 192.168.56.1 4506
224.0.0.0 240.0.0.0 On-link 192.168.240.6 4516
224.0.0.0 240.0.0.0 On-link 10.10.10.5 36
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
255.255.255.255 255.255.255.255 On-link 192.168.56.1 4506
255.255.255.255 255.255.255.255 On-link 192.168.240.6 4516
255.255.255.255 255.255.255.255 On-link 10.10.10.5 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 331 ::/0 On-link
1 331 ::1/128 On-link
15 331 2001::/32 On-link
15 331 2001:0:34f1:8072:1c20:3eb6:f5f5:f5fa/128
On-link
3 281 fe80::/64 On-link
9 291 fe80::/64 On-link
15 331 fe80::/64 On-link
15 331 fe80::1c20:3eb6:f5f5:f5fa/128
On-link
9 291 fe80::9120:b98a:c39a:e98e/128
On-link
3 281 fe80::d410:2bbd:c9ad:495c/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
9 291 ff00::/8 On-link
15 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Talha · ‎04-22-2019

Hi George,

Thanks for response

I introduced the command you mentioned.

Please see the output after vpn connected and gateway option is unchecked

===========================================================================
Interface List
3...0a 00 27 00 00 03 ......VirtualBox Host-Only Ethernet Adapter #2
9...00 23 24 ad bb e4 ......Intel(R) Ethernet Connection I217-LM
36...........................Xzibit
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 35
10.0.0.0 255.0.0.0 207.35.32.xx 10.10.10.5 36
10.10.10.5 255.255.255.255 On-link 10.10.10.5 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.240.0 255.255.255.0 On-link 192.168.240.6 291
192.168.240.6 255.255.255.255 On-link 192.168.240.6 291
192.168.240.255 255.255.255.255 On-link 192.168.240.6 291
207.35.32.94 255.255.255.255 192.168.240.1 192.168.240.6 36
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.240.6 291
224.0.0.0 240.0.0.0 On-link 10.10.10.5 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.240.6 291
255.255.255.255 255.255.255.255 On-link 10.10.10.5 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 331 ::/0 On-link
1 331 ::1/128 On-link
15 331 2001::/32 On-link
15 331 2001:0:34f1:8072:2070:30cf:30dc:dfb4/128
On-link
3 281 fe80::/64 On-link
9 291 fe80::/64 On-link
15 331 fe80::/64 On-link
15 331 fe80::2070:30cf:30dc:dfb4/128
On-link
9 291 fe80::9120:b98a:c39a:e98e/128
On-link
3 281 fe80::d410:2bbd:c9ad:495c/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
9 291 ff00::/8 On-link
15 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

and Now when gate way option is checked

===========================================================================
Interface List
3...0a 00 27 00 00 03 ......VirtualBox Host-Only Ethernet Adapter #2
9...00 23 24 ad bb e4 ......Intel(R) Ethernet Connection I217-LM
36...........................Xzibit
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 4260
0.0.0.0 0.0.0.0 On-link 10.10.10.5 36
10.10.10.5 255.255.255.255 On-link 10.10.10.5 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
192.168.56.0 255.255.255.0 On-link 192.168.56.1 4506
192.168.56.1 255.255.255.255 On-link 192.168.56.1 4506
192.168.56.255 255.255.255.255 On-link 192.168.56.1 4506
192.168.240.0 255.255.255.0 On-link 192.168.240.6 4516
192.168.240.6 255.255.255.255 On-link 192.168.240.6 4516
192.168.240.255 255.255.255.255 On-link 192.168.240.6 4516
207.35.32.94 255.255.255.255 192.168.240.1 192.168.240.6 4261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4556
224.0.0.0 240.0.0.0 On-link 192.168.56.1 4506
224.0.0.0 240.0.0.0 On-link 192.168.240.6 4516
224.0.0.0 240.0.0.0 On-link 10.10.10.5 36
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
255.255.255.255 255.255.255.255 On-link 192.168.56.1 4506
255.255.255.255 255.255.255.255 On-link 192.168.240.6 4516
255.255.255.255 255.255.255.255 On-link 10.10.10.5 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 331 ::/0 On-link
1 331 ::1/128 On-link
15 331 2001::/32 On-link
15 331 2001:0:34f1:8072:2070:30cf:30dc:dfb4/128
On-link
3 281 fe80::/64 On-link
9 291 fe80::/64 On-link
15 331 fe80::/64 On-link
15 331 fe80::2070:30cf:30dc:dfb4/128
On-link
9 291 fe80::9120:b98a:c39a:e98e/128
On-link
3 281 fe80::d410:2bbd:c9ad:495c/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
9 291 ff00::/8 On-link
15 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Georg Pauwen · ‎04-23-2019

Hello,

it looks like with the box checked, you get two default routes, the one pointing to the VPN with a lower metric, so everything goes through there, which is the way it is supposed to work. With the box unchecked, the only the 10.0.0.0/8 network goes through the VPN, so that looks good as well.

Unchecked

0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 35
10.0.0.0 255.0.0.0 (Public IP) 10.10.10.5 36

Checked

0.0.0.0 0.0.0.0 192.168.240.1 192.168.240.6 4260
0.0.0.0 0.0.0.0 On-link 10.10.10.5 36

What brand/model is your home router/modem ? Check if there is a setting to enable VPN Passthrough, and if there is, enable it...

Talha · ‎04-23-2019

Hi,

I will be connecting it to a client but as a test I am configuring it on my network. We have a fiber connection and asa is being configured as a front facing device.

Georg Pauwen · ‎04-23-2019

Hello,

I am not clear on what your topology looks like. Can you post a schematic drawing ? For the split VPN to work, the ASA needs to somehow be located at the other end of an Internet connection, I don't think you can properly test a VPN when the ASA is installed locally...

Talha · ‎04-24-2019

Hi George

ASA is installed on our test lab with public IP so its not local. When I added the static route as suggested by Alan its working.