05-07-2017 09:29 AM - edited 02-21-2020 09:16 PM
Hi, I have a problem with my RA VPN L2TP on ASA ver 9.6.
I have created a VPN L2TP over IPsec connection using a wizard. I can connect, I get an IP address, but I can't reach internal resources.
I can ping all hosts in the INSIDE network but can't connect to them. Can anyone help me with that?
NAT looks like this:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Where NETWORK_OBJ_172.16.1.0 is my VPN pool address
I have tried to see what is going on with Packet Tracer, but it shows that everything is fine :-/
ciscoasa# packet-tracer input outside tcp 172.16.1.100 3389 10.10.10.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.19.19.2 using egress ifc inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.15/3389 to 10.10.10.15/3389
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group R1_access_in in interface outside
access-list R1_access_in extended permit object-group TCPUDP any4 10.10.0.0 255.255.0.0 eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.1.100/3389 to 172.16.1.100/3389
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match any
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 333629257, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Any idea?
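As an added example (not from this thread or from Cisco), a small Python checker for the packet-tracer output format shown above: it parses the phases and flags any NAT phase that rewrites an address or port (a NAT exemption should be an identity translation), a missing VPN phase, or a final action other than allow. The embedded trace is a constructed, abridged copy of the one in the post.

```python
import re

# Constructed sample, abridged from the post's packet-tracer run to the phases the check reads.
SAMPLE = """\
Phase: 4
Type: NAT
Result: ALLOW
Static translate 172.16.1.100/3389 to 172.16.1.100/3389
Phase: 8
Type: VPN
Result: ALLOW
Result:
input-interface: outside
Action: allow
"""
TRANSLATE_RE = re.compile(r"(?:Untranslate|Static translate) (\S+) to (\S+)")

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary block."""
    phases, final, cur, in_final = [], {}, None, False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            cur = {"num": val.strip(), "type": "", "result": "", "info": []}
            phases.append(cur)
        elif line.strip() == "Result:":       # bare header opens the summary block
            in_final, cur = True, None
        elif in_final:
            final[key.strip().lower()] = val.strip()
        elif cur is not None and key in ("Type", "Result"):
            cur[key.lower()] = val.strip()
        elif cur is not None:
            cur["info"].append(line)           # e.g. the (Un)translate lines
    return phases, final

def check_vpn_exemption(text):
    """Return findings; empty means identity NAT only, a VPN phase matched, and verdict allow."""
    phases, final = parse_trace(text)
    findings = []
    for p in phases:
        if p["result"] != "ALLOW":
            findings.append(f"phase {p['num']} {p['type']}: {p['result']}")
        for src, dst in TRANSLATE_RE.findall("\n".join(p["info"])):
            if src != dst:    # address/port rewritten: not an identity (exemption) NAT
                findings.append(f"phase {p['num']} {p['type']}: {src} -> {dst}")
    if not any(p["type"] == "VPN" for p in phases):
        findings.append("no VPN phase: packet not matched to the IPsec tunnel flow")
    if final.get("action") != "allow":
        findings.append(f"final action: {final.get('action')}")
    return findings
```

Paste a full `packet-tracer` run (including the `Config:` and `Additional Information:` lines) in place of the sample; the parser keeps them as phase info.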
05-07-2017 10:43 PM
I think "any any" will create a problem, especially since you aren't using global NAT (you are NATting inside,outside).
Try to specify one subnet on the inside and test with it.
05-08-2017 04:56 AM
I have done this:
nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
Still nothing.