ASA L2TP/IPSEC VPN

sachinc01
Level 1

Dear Team,

I have posted my current ASA configuration below. I am able to get an IP (192.168.100.1) through the L2TP VPN but am unable to reach the LAN networks (10.84.35.X & 192.168.20.0). Can someone help me if you have any idea?

  

ciscoasa# show run
: Saved

:
: Serial Number: FCH16277Q4M
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
domain-name global
enable password $sha512$5000$HtTDzR4z4asbLywM7Zbn+g==$nfh5a4WKJUGMnQUS0CBk2A== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool Address-pool 192.168.100.1-192.168.100.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
description <<GTMH_Interface>>
nameif GTMH_Outside
security-level 0
ip address XX.XX.XX.222 255.255.255.252
!
interface GigabitEthernet0/1
description <<Connected_Core_Switch>>
nameif Inside
security-level 100
ip address 10.84.35.209 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.252
!
ftp mode passive
dns domain-lookup GTMH_Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
domain-name global
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_10.84.35.0_24
subnet 10.84.35.0 255.255.255.0
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object network L2TP-Pool
subnet 192.168.100.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list SPLIT standard permit any4
pager lines 24
logging enable
logging asdm informational
mtu GTMH_Outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,GTMH_Outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
nat (Inside,GTMH_Outside) source dynamic OBJ_GENERIC_ALL interface
nat (Inside,GTMH_Outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
route GTMH_Outside 0.0.0.0 0.0.0.0 XX.XX.XX.221 1
route Inside 192.168.20.0 255.255.255.0 10.84.35.210 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.10.10.1 255.255.255.255 management
http 10.84.35.209 255.255.255.255 Inside
http 10.84.35.208 255.255.255.252 Inside
http 192.168.20.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface GTMH_Outside
crypto ca trustpool policy
crypto ikev1 enable GTMH_Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
dns-server value 8.8.8.8 4.4.4.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value cisco.com
dynamic-access-policy-record DfltAccessPolicy
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username cisco password $sha512$5000$Te2YXcKkqQNIptvyaX5BBQ==$B0WJ4EpzOvCXz3W6+Grqww== pbkdf2
username Cisco password $sha512$5000$Pbov22FU8EZKHiC0bpT5TA==$NBzvM77y5Fs6zzXK4pQ3Eg== pbkdf2
tunnel-group DefaultRAGroup general-attributes
address-pool Address-pool
default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e99f1eadd7f609f4d5a7c83d0956970f
: end
ciscoasa# conf    

 

L3 Switch Config as below :-

interface Vlan1
no ip address
!
interface Vlan901
ip address 192.168.20.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.84.35.209
ip http server


C 192.168.20.0/24 is directly connected, Vlan901
10.0.0.0/30 is subnetted, 1 subnets
C 10.84.35.208 is directly connected, GigabitEthernet1/0/1
S* 0.0.0.0/0 [1/0] via 10.84.35.209

 

Rs,Sachin

4 Replies

Hi,

If you are getting an IP, use packet trace to see if ASA allow the traffic.

**** please remember to rate useful posts

Dear Sir,

Thanks for the reply. See the packet-tracer logs below.

ciscoasa# packet-tracer input inside tcp 192.168.100.1 13 10.84.35.210 324

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.84.35.210 using egress ifc Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 83742, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer input gtmH_Outside tcp 192.168.100.1 13 192.168.20.20 324

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
Additional Information:
NAT divert to egress interface GTMH_Outside
Untranslate 192.168.20.20/324 to 0.0.0.0/324

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
Additional Information:
Dynamic translate 192.168.100.1/13 to X.X.X.222/13

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 84758, packet dispatched to next module

Result:
input-interface: GTMH_Outside
input-status: up
input-line-status: up
output-interface: GTMH_Outside
output-status: up
output-line-status: up
Action: allow


ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 103.113.87.221 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via X.X.X.221, GTMH_Outside
C 10.84.35.0 255.255.255.0 is directly connected, Inside
L X.X.X.209 255.255.255.255 is directly connected, Inside
C X.X.X.220 255.255.255.252 is directly connected, GTMH_Outside
L X.X.X.222 255.255.255.255 is directly connected, GTMH_Outside
S 192.168.20.0 255.255.255.0 [1/0] via 10.84.35.210, Inside
S 192.168.100.0 255.255.255.0 [1/0] via 10.84.35.210, GTMH_Outside
V 192.168.100.1 255.255.255.255
connected by VPN (advertised), GTMH_Outside

ciscoasa# packet-tracer input inside tcp 192.168.20.1 13 192.168.100.1 324

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.100.1 using egress ifc GTMH_Outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,GTMH_Outside) source dynamic OBJ_GENERIC_ALL interface
Additional Information:
Dynamic translate 192.168.20.1/13 to X.X.X.222/13

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: PPP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,GTMH_Outside) source dynamic OBJ_GENERIC_ALL interface
Additional Information:

Phase: 8
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 85937, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: GTMH_Outside
output-status: up
output-line-status: up
Action: allow

 

Please suggest..
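The three packet-tracer runs above are long, and the detail that matters is easy to miss by eye: the second trace (VPN client to 192.168.20.20) ends with output-interface GTMH_Outside, not Inside, and the only phases that quote a config line are the NAT phases that matched the (GTMH_Outside,GTMH_Outside) rule. The following script is an added example, not something posted in this thread or shipped by Cisco: it parses ASA packet-tracer text into phases and the final result block, then reports when the egress interface differs from the one the operator expects and lists which NAT rules were applied along the way. The embedded trace is a constructed, condensed version in the same format as the thread's second trace (phases renumbered); the expected-egress value is an assumption supplied by whoever runs the check.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    summary: dict   # keys from the final "Result:" block, e.g. output-interface, Action


def parse_packet_tracer(text):
    """Parse ASA packet-tracer output into a Trace of phases plus the summary block."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":          # bare "Result:" opens the final summary block
            cur, section = None, None
            continue
        if cur is None:                # inside the summary block: "key: value" pairs
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip()] = value.strip()
            continue
        if line.startswith("Type:"):
            cur.ptype = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            cur.result = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return Trace(phases, summary)


def nat_hits(trace):
    """NAT / UN-NAT phases that quote the nat rule they matched, with their phase numbers."""
    return [(p.number, p.ptype, p.subtype, p.config[0])
            for p in trace.phases if p.ptype in ("UN-NAT", "NAT") and p.config]


def check_egress(trace, expected_egress):
    """Return findings (empty list means the trace egressed where the operator expected)."""
    findings = []
    action = trace.summary.get("Action")
    if action != "allow":
        findings.append(f"action is {action}")
    egress = trace.summary.get("output-interface")
    if egress != expected_egress:
        findings.append(f"egress is {egress}, expected {expected_egress}")
        for num, ptype, sub, rule in nat_hits(trace):
            findings.append(f"  phase {num} {ptype}/{sub or '-'} matched: {rule}")
    return findings


# Constructed sample: condensed from the thread's second trace (VPN pool -> 192.168.20.20).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
Additional Information:
NAT divert to egress interface GTMH_Outside
Untranslate 192.168.20.20/324 to 0.0.0.0/324

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (GTMH_Outside,GTMH_Outside) source dynamic any interface destination static NETWORK_OBJ_192.168.20.0_24 any
Additional Information:
Dynamic translate 192.168.100.1/13 to X.X.X.222/13

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 84758, packet dispatched to next module

Result:
input-interface: GTMH_Outside
input-status: up
input-line-status: up
output-interface: GTMH_Outside
output-status: up
output-line-status: up
Action: allow
"""

if __name__ == "__main__":
    trace = parse_packet_tracer(SAMPLE_TRACE)
    # The 192.168.20.0/24 subnet is routed via Inside, so Inside is the expected egress.
    for finding in check_egress(trace, "Inside"):
        print(finding)
```

Feed it the raw output of `packet-tracer ... ` for a flow and the interface the route table says should carry it; an "allow" verdict with the wrong egress interface, accompanied by a quoted nat rule, points at NAT ordering or a hairpin rule rather than at an ACL.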

balaji.bandi
Hall of Fame

Looking at the config at a high level: the network you are trying to reach, 192.168.20.X, is behind the Layer 3 switch. I have not looked at your ACL yet; I just want to see if the routing is OK before we get into the ACL.

 

On the ASA I see the route pointed as below:

 

route Inside 192.168.20.0 255.255.255.0 10.84.35.210 1

 

But on the Layer 3 switch the point-to-point IP address is 10.84.35.208,

with the static route:

ip route 0.0.0.0 0.0.0.0 10.84.35.209

 

The ASA needs to send the static route to the right IP address. Hope this helps you?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dear Sir,

 

Thanks for your reference. I am now able to reach a machine on the 192.168.20.X network from the firewall, and the switch is also able to ping the ASA.

Also, the 192.168.20.20 machine is able to access the internet through the ASA.

But from the VPN network, the session is able to connect and takes an IP (192.168.100.2), but it doesn't reach 10.34.35.209 (ASA IP) or 10.84.35.210 (switch IP).

 

Gateway of last resort is 10.84.35.209 to network 0.0.0.0

C 192.168.20.0/24 is directly connected, Vlan901
10.0.0.0/30 is subnetted, 1 subnets
C 10.84.35.208 is directly connected, GigabitEthernet1/0/1
S 192.168.100.0/24 [1/0] via 10.84.35.209
S* 0.0.0.0/0 [1/0] via 10.84.35.209
Switch#ping 10.84.35.210

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.84.35.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Switch#show ip int b
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset up down
Vlan901 192.168.20.1 YES manual up up
GigabitEthernet1/0/1 10.84.35.210 YES manual up up
GigabitEthernet1/0/2 unassigned YES unset down down

 

Please see attachment of VPN session.

Please help .
