ASA L2TP IPSEC VPN almost working just need help with acls and nat

chrism
Level 1

I'm configuring an L2TP IPSEC VPN on a 5505 ASA so that Windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can't ping anything or access resources on the internal network. This is my first time working with an ASA. I'm pretty sure the issue is with my ACLs and NAT. Any help or direction would be greatly appreciated.

Master# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname Master
domain-name service.local
enable password cp2LDyhbv2A7RRA1 encrypted
passwd cp2LDyhbv2A7RRA1 encrypted
names
dns-guard
ddns update method immediate
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xxx.xxx.xxx 255.255.255.0
!
interface Vlan3
 no nameif
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name service.local
dns server-group InsideDNS
 retries 10
 name-server 192.168.1.3
 domain-name service.local
object-group network VPNGroup
 description VPN Client Network
 network-object 172.16.1.0 255.255.255.240
object-group network LAN
 description Inside subnet
 network-object 192.168.1.0 255.255.255.0
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 71.xxx.xxx.xxx eq www
access-list outside extended permit tcp any host 71.xxx.xxx.xxx eq 987
access-list outside extended permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list outside extended permit tcp any host 71.xxx.xxx.xxx eq https
access-list outside extended permit tcp object-group ExchangeDefender host 71.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 2002
access-list outside_access_in extended permit tcp any interface outside eq 2003
access-list outside_access_in extended permit tcp any interface outside eq 2004
access-list outside_access_in extended permit tcp any interface outside eq 211
access-list outside_access_in extended permit tcp any interface outside eq 212
access-list outside_access_in extended permit tcp any interface outside eq 8099
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_dyn_map extended permit ip any 172.16.1.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool clientVPNpool 172.16.1.1-172.16.1.7 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.3 987 netmask 255.255.255.255
static (inside,outside) tcp interface 2002 192.168.1.89 2002 netmask 255.255.255.255
static (inside,outside) tcp interface 2003 192.168.1.89 2003 netmask 255.255.255.255
static (inside,outside) tcp interface 2004 192.168.1.89 2004 netmask 255.255.255.255
static (inside,outside) tcp interface 211 192.168.1.109 211 netmask 255.255.255.255
static (inside,outside) tcp interface 212 192.168.1.109 212 netmask 255.255.255.255
static (inside,outside) tcp interface 8099 192.168.1.109 8099 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 8888
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_MD5 aes128sha aes256sha
crypto map outside_map 65000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.240 outside
ssh xxx.xxx.xxx.xxx 255.255.255.252 outside
ssh timeout 60
console timeout 0
l2tp tunnel hello 100
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 nem enable
username aaaa password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username aaaa attributes
 vpn-group-policy DefaultRAGroup
username xxx password 1pNN62joqKywU7Xq encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5aceabc8259c2c7bd5cfd069a05b8aef
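On ASA 8.2, "nat (inside) 0 access-list" is evaluated before the "nat (inside) 1" dynamic PAT, so if the VPN pool is not fully covered by the NAT-exempt ACL, LAN replies to VPN clients get translated to the outside interface instead of returning through the tunnel. The following is an added check, not part of the thread or any Cisco tool: it parses the relevant lines of the posted config (excerpt reconstructed below with the same values) and verifies that every address in the local pool is NAT-exempt for traffic from the inside subnet, and that the split-tunnel ACL lists that subnet.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted above (same values as the thread).
ASA_CONFIG = """
ip local pool clientVPNpool 172.16.1.1-172.16.1.7 mask 255.255.255.240
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def parse_pool(config):
    """Return (first, last) addresses of the first 'ip local pool' line."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def nat_exempt_rules(config, iface="inside"):
    """(src, dst) networks of the ACL referenced by 'nat (<iface>) 0 access-list'."""
    m = re.search(r"^nat \(%s\) 0 access-list (\S+)" % re.escape(iface), config, re.M)
    if not m:
        return []  # no NAT exemption configured on that interface at all
    pat = r"^access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)" % re.escape(m.group(1))
    # ipaddress accepts the ASA "address netmask" form when joined with a slash
    return [(ipaddress.ip_network(f"{a}/{b}"), ipaddress.ip_network(f"{c}/{d}"))
            for a, b, c, d in re.findall(pat, config, re.M)]


def split_tunnel_networks(config, acl):
    """Networks permitted by a standard ACL used as a split-tunnel list, as strings."""
    pat = r"^access-list %s standard permit (\S+) (\S+)" % re.escape(acl)
    return [str(ipaddress.ip_network(f"{a}/{b}")) for a, b in re.findall(pat, config, re.M)]


def pool_exempt_from_nat(config, lan="192.168.1.0/24"):
    """True when LAN -> every pool address matches a nat 0 rule, so replies are not PATed."""
    first, last = parse_pool(config)
    lan_net = ipaddress.ip_network(lan)
    rules = nat_exempt_rules(config)
    # The pool is a range, not a prefix: summarize it into prefixes and check each one.
    return all(any(lan_net.subnet_of(src) and piece.subnet_of(dst) for src, dst in rules)
               for piece in ipaddress.summarize_address_range(first, last))
```

Running it against the posted values returns True for both checks, which rules out pool/ACL mismatch as the cause and points the investigation elsewhere (e.g. the client-side routing that "Do I need to add a route" below asks about).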

2 Replies

chrism
Level 1

Do I need to add a route inside 172.16.1.0 255.255.255.240 192.168.1.254?

Should I take the split tunnel statements out? I was reading another post where they said it was not compatible with l2tp. I'm still not having any success accessing resources or pinging the interface; any help or direction would be appreciated.