ASA5505 IKEv1 l2tp/ipsec (windows clients) VPN strange behaviour

I have a strange problem. The VPN was created using the ASDM wizard (IKEv1 L2TP/IPsec, Windows clients).

Clients can connect but cannot access the inside network, except for the first 2 clients, which can connect and access the inside network.

Can someone solve this or at least point me in the right direction?

Configuration is as follows:

: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)33
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool def_ip_pool 192.168.1.50-192.168.1.150 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.10.2 255.255.255.0
!
boot system disk0:/asa924-33-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.10.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network srv_https_443_tcp
host 192.168.1.214
object network srv_dns_53_tcp
host 192.168.1.214
object network srv_http_80_tcp
host 192.168.1.214
object network srv_pop3_110_tcp
host 192.168.1.214
object network srv_smtp_25_tcp
host 192.168.1.214
object network srv_http_80_udp
host 192.168.1.214
object network srv_dns_53_udp
host 192.168.1.214
object network srv_smtp_587_tcp
host 192.168.1.214
object network srv_ssh_9898_tcp
host 192.168.1.99
object network srv_http_88_tcp
host 192.168.1.247
object network srv_ssh_22_tcp
host 192.168.1.10
object network srv_http_88_udp
host 192.168.1.247
object network internal
range 192.168.1.1 192.168.1.254
object network external
host 83.238.213.194
object network server-internal
host 192.168.1.214
object network server-external
host 83.238.213.194
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object srv_dns_53_tcp
network-object object srv_dns_53_udp
object-group network DM_INLINE_NETWORK_2
network-object object srv_http_80_tcp
network-object object srv_http_80_udp
object-group network DM_INLINE_NETWORK_3
network-object object srv_http_88_tcp
network-object object srv_http_88_udp
object-group network DM_INLINE_NETWORK_4
network-object object srv_smtp_25_tcp
network-object object srv_smtp_587_tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 587
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object srv_https_443_tcp eq https
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_1 eq domain
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_3 eq 88
access-list outside_access_in extended permit tcp any object srv_pop3_110_tcp eq pop3
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object srv_ssh_22_tcp eq ssh
access-list outside_access_in extended permit tcp any object srv_ssh_9898_tcp eq 9898
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static internal external destination static server-external server-internal
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network srv_https_443_tcp
nat (inside,outside) static interface service tcp https https
object network srv_dns_53_tcp
nat (inside,outside) static interface service tcp domain domain
object network srv_http_80_tcp
nat (inside,outside) static interface service tcp www www
object network srv_pop3_110_tcp
nat (inside,outside) static interface service tcp pop3 pop3
object network srv_smtp_25_tcp
nat (inside,outside) static interface service tcp smtp smtp
object network srv_http_80_udp
nat (inside,outside) static interface service udp www www
object network srv_dns_53_udp
nat (inside,outside) static interface service udp domain domain
object network srv_smtp_587_tcp
nat (inside,outside) static interface service tcp 587 587
object network srv_ssh_9898_tcp
nat (inside,outside) static interface service tcp 9898 9898
object network srv_http_88_tcp
nat (inside,outside) static interface service tcp 88 88
object network srv_ssh_22_tcp
nat (inside,outside) static interface service tcp ssh ssh
object network srv_http_88_udp
nat (inside,outside) static interface service udp 88 88
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd dns 192.168.1.214 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect image disk0:/anyconnect-linux64-4.5.05030-webdeploy-k9.pkg 1 regex "Linux"
anyconnect image disk0:/anyconnect-macos-4.5.05030-webdeploy-k9.pkg 3 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-win-4.5.05030-webdeploy-k9.pkg 5 regex "Windows NT"
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 137.74.1.152 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
username saper password 2uIFflBu0d0Ec/vuUz0gng== nt-encrypted privilege 0
username saper attributes
vpn-group-policy DefaultRAGroup
username mirek password otSfN+PxfYGGAfx8GM3c6A== nt-encrypted privilege 0
username mirek attributes
vpn-group-policy DefaultRAGroup
username mariusz password FNTkvagFy1NWp7G+4TcItw== nt-encrypted privilege 0
username mariusz attributes
vpn-group-policy DefaultRAGroup
username maciek password VGpfh5JARc1O1ULfOYaHKg== nt-encrypted privilege 0
username maciek attributes
vpn-group-policy DefaultRAGroup
username consiliaris6 password OfZ23iouwcMaCQ+2AZApcQ== nt-encrypted
username consiliaris6 attributes
vpn-group-policy DefaultRAGroup
username consiliaris4 password mCZk6C01YzUjhlOgBMSROg== nt-encrypted
username consiliaris4 attributes
vpn-group-policy DefaultRAGroup
username consiliaris5 password aIz7pG2bDSM7EXbKtyYdUA== nt-encrypted
username consiliaris5 attributes
vpn-group-policy DefaultRAGroup
username consiliaris2 password Ymr8hmExr5s+BQy3CNAslQ== nt-encrypted
username consiliaris2 attributes
vpn-group-policy DefaultRAGroup
username consiliaris3 password Y/G2IYNoVXECD3dL/ZZlOA== nt-encrypted
username consiliaris3 attributes
vpn-group-policy DefaultRAGroup
username consiliaris1 password 5SFojnYT6VuyeizjixpSLQ== nt-encrypted
username consiliaris1 attributes
vpn-group-policy DefaultRAGroup
username henryk password hHTuWTSkaGcw1lUCJi/ROA== nt-encrypted privilege 0
username henryk attributes
vpn-group-policy DefaultRAGroup
username aniar password tkY3UbSBPjbp4kyKwgqPMA== nt-encrypted privilege 0
username aniar attributes
vpn-group-policy DefaultRAGroup
username andrzej password LhfDNQngJhIIN4QnL4ImBA== nt-encrypted privilege 0
username andrzej attributes
vpn-group-policy DefaultRAGroup
username aniaf password g9Wm4P7+dbT0qvU3RhXkbg== nt-encrypted privilege 0
username aniaf attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool def_ip_pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map global_policy
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
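
One check an engineer would run on a configuration like the one above before looking at licensing (an added example, not part of the thread): the IKEv1 address pool should not overlap the inside interface subnet or the inside dhcpd scope, because a VPN client and a LAN host can then be handed the same address. The script below parses the relevant lines from a constructed excerpt of the posted config and reports every overlap it finds.

```python
from ipaddress import ip_address, ip_network
import re

# Constructed excerpt of the configuration posted above: only the lines this check reads.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.10.2 255.255.255.0
ip local pool def_ip_pool 192.168.1.50-192.168.1.150 mask 255.255.255.0
dhcpd address 192.168.1.50-192.168.1.150 inside
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)")

def parse(config):
    """Collect interface subnets, 'ip local pool' ranges and dhcpd scopes (nameif precedes ip address in ASA output)."""
    ifaces, pools, dhcp, nameif = {}, {}, {}, None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := ADDR_RE.match(line)) and nameif:
            ifaces[nameif] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ip_address(m.group(2)), ip_address(m.group(3)))  # inclusive (first, last)
        elif m := DHCP_RE.match(line):
            dhcp[m.group(3)] = (ip_address(m.group(1)), ip_address(m.group(2)))   # keyed by interface
    return ifaces, pools, dhcp

def ranges_overlap(a, b):
    """True when inclusive address ranges a=(lo, hi) and b=(lo, hi) share at least one address."""
    return max(a[0], b[0]) <= min(a[1], b[1])

def find_overlaps(config):
    """Return (pool, what, name) for every VPN pool that overlaps an interface subnet or dhcpd scope."""
    ifaces, pools, dhcp = parse(config)
    findings = []
    for pname, prange in pools.items():
        for iname, net in ifaces.items():
            if ranges_overlap(prange, (net.network_address, net.broadcast_address)):
                findings.append((pname, "interface subnet", iname))
        for dname, drange in dhcp.items():
            if ranges_overlap(prange, drange):
                findings.append((pname, "dhcpd scope", dname))
    return findings
```

On the excerpt, find_overlaps(ASA_CONFIG) reports def_ip_pool overlapping both the inside subnet and the inside dhcpd scope; a clean pool (one carved out of a subnet no interface uses) returns an empty list.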

2 Replies

Hi,
If the first 2 connections are successful, it sounds like a license restriction which is limiting you to 2 VPN connections. What license do you have?

HTH

25 VPN connections of any kind.