01-15-2020 03:55 AM - edited 01-15-2020 04:18 AM
VPN: L2TP IPsec IKEv1 with split tunneling.
VPN clients can connect and authenticate successfully, but they lose access to the internet. Also, the VPN clients can't ping the LAN IPs and don't have access to the LAN PCs, but it works from the LAN to the VPN.
Internet IP: 192.168.2.85
LAN: 192.168.58.0/23
VPN Pool: 192.168.50.0/24
Can someone look at my config and point me in the right direction?
Thank you!
Edit: The router is currently being tested and placed in a private network behind another router. The VPN client connection was made from the private network, which is the same network as the ASA's WAN. Can this be the problem, the fact that it is not directly connected to the internet and was tested from the private network?
01-16-2020 08:06 AM
I put the ASA directly on the internet and now pings are working and I have access to the LAN PCs, but still no internet over the split tunnel. Any ideas?
01-16-2020 08:16 AM - edited 01-16-2020 08:42 AM
Hi,
EDIT: Sorry, I re-read; you are split-tunneling.
If you are split-tunneling, please provide the output from the "Route Details" tab in the AnyConnect client.
From the cli of a computer connected to the VPN, can you resolve dns names? Run nslookup and provide the output for review.
HTH
01-16-2020 12:55 PM
Can you add this NAT command:
!
object network obj_any
nat (outside,outside) dynamic interface
!
and check if this works?
01-17-2020 03:21 AM - edited 01-17-2020 03:33 AM
Thank you, guys! But it is still not working.
DNS on the VPN client side works; the names are resolved.
I put in the NAT command and it is still not working. Here I can say that I already have something very similar in the config (any instead of outside):
!
object network obj_any
nat (any,outside) dynamic interface
!
I added the output of ipconfig and route print on the VPN client side for you; maybe it helps.
01-17-2020 03:45 AM - edited 01-17-2020 04:17 AM
From that output, all VPN traffic is routed through the VPN tunnel, so you aren't split-tunneling.
Please connect to the VPN, then provide the output of "show vpn-sessiondb detail anyconnect" from the ASA cli.
Also run packet-tracer and provide the output, e.g. "packet-tracer input outside tcp 192.168.50.5 3000 8.8.8.8 80". EDIT: in fact this is only necessary if you want to find out why you cannot access the internet through the VPN tunnel. It won't help if your intention is still to split-tunnel.
01-17-2020 04:49 AM - edited 01-17-2020 05:19 AM
Thank you for your help!
Split tunneling was configured in the ASDM wizard, and I know I ticked the check box for split tunneling.
Here is the output:
ciscoasa# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 1 : 3 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 3
Device Total VPN Capacity : 100
Device Load : 1%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 1 : 3 : 1
IPsecOverNatT : 1 : 3 : 1
L2TPOverIPsecOverNatT : 1 : 3 : 1
---------------------------------------------------------------------------
Totals : 3 : 9
---------------------------------------------------------------------------
ciscoasa# show vpn-sessiondb ra-ikev1-ipsec
Session Type: IKEv1 IPsec
Username : mihai Index : 61421
Assigned IP : 192.168.50.1 Public IP : ***
Protocol : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License : Other VPN
Encryption : IKEv1: (1)3DES IPsecOverNatT: (1)AES128 L2TPOverIPsecOverNatT: (1)none
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 L2TPOverIPsecOverNatT: (1)none
Bytes Tx : 15992 Bytes Rx : 69097
Group Policy : DefaultRAGroup Tunnel Group : DefaultRAGroup
Login Time : 14:22:11 EEST Fri Jan 17 2020
Duration : 0h:12m:19s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a83a010efed0005e21a6f3
Security Grp : none
ciscoasa# packet-tracer input outside tcp 192.168.50.5 3000 8.8.8.8 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop *.*.*.225 using egress ifc outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.5/3000 to *.*.*.227/3000
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
Looks like a NAT problem.
Should I delete:
object network obj_any
nat (any,outside) dynamic interface
and put:
object network obj_any
nat (outside,outside) dynamic interface
or keep them both?
Edit: Tried both of the above and still no internet.
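The packet-tracer above dies at the NAT rpf-check for a flow that enters and leaves on "outside" (VPN client to the internet, a hairpin). The following is an added example, not configuration from this thread or from Cisco, showing the usual ASA setup for that hairpin: permit intra-interface traffic and give the VPN pool its own NAT object bound to (outside,outside) rather than reusing obj_any with "any" as the real interface. The interface name "outside", the pool 192.168.50.0/24 and the packet-tracer command are taken from the thread; the object name VPN_POOL and the assumption that "same-security-traffic permit intra-interface" is not already present are mine.

```cisco
! Added example (not from the thread or from Cisco documentation).
! Goal: let L2TP/IPsec clients in 192.168.50.0/24 reach the internet through
! the ASA when their default route points into the tunnel (hairpin on "outside").

! 1. A flow that enters and exits on the same interface is dropped unless
!    intra-interface traffic is explicitly permitted. Assumed missing here.
same-security-traffic permit intra-interface

! 2. Dedicated object for the VPN pool (VPN_POOL is an assumed name). Binding the
!    rule to (outside,outside) avoids the rpf-check failure seen with an "any"
!    real interface when the flow actually arrives on outside. The existing
!    "object network obj_any / nat (any,outside) dynamic interface" can stay
!    in place for LAN users; it is not modified here.
object network VPN_POOL
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 3. Check the result with the same packet-tracer used in the thread. With the
!    rule above, the NAT phase should reference VPN_POOL with (outside,outside)
!    and the final Action should be "allow" instead of the rpf-check drop.
packet-tracer input outside tcp 192.168.50.5 3000 8.8.8.8 80

! 4. Confirm rule order and hit counts once a client is connected.
show nat detail
show run same-security-traffic
```

Two caveats for this thread. First, hairpinning only matters because the client is sending internet traffic into the tunnel at all; the route print posted earlier (everything via the tunnel) means the ASA is being asked to carry 0.0.0.0/0. Second, the built-in Windows L2TP/IPsec client does not apply a split-tunnel ACL pushed from the ASA; whether the default route goes into the tunnel is decided on the client by the "Use default gateway on remote network" setting in the VPN adapter's IPv4 advanced properties, which is why the ASDM split-tunnel check box can be set and the client still tunnels all traffic.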
01-17-2020 05:12 AM
01-17-2020 05:50 AM
ASA Version: 9.8(2)
I don't have AnyConnect, so I can't provide you the routes from there. The connection is made with the Windows built-in VPN client.
LAN users have internet; only VPN users don't.
I will reinstall the VPN without split tunneling and see if it works.
Thank you guys!
01-17-2020 05:52 AM
01-17-2020 06:24 AM
Thank you RJI!