can't access internal resource L2TP ipsec

Arthur Rack
Level 1

Hi, I have a problem with my RA VPN L2TP on ASA ver 9.6.

I have created a VPN L2TP over IPsec connection using a wizard. I can connect, I get an IP address, but I can't reach internal resources.

I can ping all hosts in the INSIDE network but can't connect to them. Can anyone help me with that?

NAT looks like this:

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup

Where NETWORK_OBJ_172.16.1.0 is my VPN pool address.

I have tried to see what is going on with Packet Tracer, but it shows that everything is fine :-/

ciscoasa# packet-tracer input outside tcp 172.16.1.100 3389 10.10.10.15 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.19.19.2 using egress ifc inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.15/3389 to 10.10.10.15/3389

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group R1_access_in in interface outside
access-list R1_access_in extended permit object-group TCPUDP any4 10.10.0.0 255.255.0.0 eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.1.100/3389 to 172.16.1.100/3389

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match any
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 333629257, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Any idea?
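Reading a packet-tracer dump like the one above by eye is error-prone once it runs to fourteen phases. The following Python helper is an added example, not code from the post or from Cisco: it splits the output into its phase blocks and reports the final action, the first phase whose Result is not ALLOW, and the NAT rules the trace matched, run here on a constructed, trimmed copy of the post's output format.

```python
import re

# Constructed sample: a trimmed two-phase copy of the post's packet-tracer output format.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.19.19.2 using egress ifc inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

def _parse_phase(lines):
    """One 'Phase: N' block -> header fields (phase, type, subtype, result) plus 'config' and 'info' line lists."""
    i_cfg, i_info = lines.index("Config:"), lines.index("Additional Information:")
    phase = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[:i_cfg])}
    phase["config"], phase["info"] = lines[i_cfg + 1:i_info], lines[i_info + 1:]
    return phase

def parse_packet_tracer(text):
    """Split a packet-tracer dump into phase dicts and the trailing 'Result:' summary (e.g. 'Action': 'allow')."""
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):  # blocks are separated by blank lines
        lines = [l.rstrip() for l in block.splitlines()]
        if lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines[0] == "Result:":  # the final summary, not a phase's 'Result: ALLOW' header
            final = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return {"phases": phases, "final": final}

def summarize(trace):
    """What to check first: final action, first non-ALLOW phase (None if every phase passed), NAT rules cited."""
    dropped = next((p for p in trace["phases"] if p.get("result", "").upper() != "ALLOW"), None)
    nat = list(dict.fromkeys(l for p in trace["phases"] for l in p["config"] if l.startswith("nat ")))
    return {"action": trace["final"].get("Action"), "first_drop": dropped, "nat_rules": nat}
```

Paste the full fourteen-phase output from the post into SAMPLE_TRACE to see every NAT rule it hit listed once, in order.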

2 Replies

I think any any will create a problem, especially since you aren't using global NAT (you are NATting in,out).

Try to specify one subnet in the inside and test with it. 

I have done this:

nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup

Still nothing.