11-15-2011 11:27 AM - edited 02-21-2020 05:42 PM
Hi dear. I configured IPsec VPN on a Cisco ASA 5510. All of them are working very well. Now I want to change the IPsec remote VPN to L2TP over IPsec.
I have a router, an ASA and a 3750 switch. All NAT translation is done at the router; the IPsec VPN is configured at the ASA.
I pasted some of the router configuration.
interface GigabitEthernet0/0
ip address x.x.x.106 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description connect to ASA outside
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby delay minimum 20 reload 20
standby 10 ip 10.0.0.4
standby 10 priority 110
standby 10 preempt delay minimum 20 reload 20 sync 10
standby 10 name Redundancy
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat Stateful id 1
redundancy Redundancy
mapping-id 1
protocol udp
ip nat inside source static udp 10.0.0.2 500 x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
ASA configuration: some config
interface Ethernet0/0
description connect to RTR1 inside
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Split_Tunnel standard permit 172.16.10.0 255.255.255.0
access-list Split_Tunnel standard permit 172.30.30.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.193.0 255.255.255.0
access-list Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.200.0 255.255.255.0
access-list Split_Tunnel standard permit 172.30.60.0 255.255.255.0
access-list nonat_inside extended permit ip 192.168.193.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat_inside extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat_inside extended permit ip 172.30.60.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (DMZ) 0 access-list nonat
aaa-server cosmoasa1 protocol radius
aaa-server cosmoasa1 (inside) host x.x.x.11
key cosmoasa1test
radius-common-pw cosmoasa1test
aaa authentication ssh console LOCAL
http server enable
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVPN internal
group-policy RAVPN attributes
dns-server value x.x.x.x
vpn-idle-timeout 45
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value azercosmos.local
username cisco password HWFflA1bzYiq7Uut encrypted
username risk password 05of5udE1HAoaxcl encrypted
tunnel-group xxxx type remote-access
tunnel-group xxxx general-attributes
address-pool VPNPOOL
authentication-server-group cosmoasa1
default-group-policy RAVPN
tunnel-group xxxx ipsec-attributes
pre-shared-key *
This is my IPsec configuration. This is a working config. As you see, I do static NAT of the ASA outside IP for the VPN at the router. Now I want L2TP over IPsec.
Before I do it I have some questions.
1. Must I do static NAT of UDP port 1701 for the L2TP over IPsec VPN? Can I write an access list at the ASA to open port 1701?
2. Can I remove this static NAT, or can I not change anything? Is this NAT correct for the L2TP over IPsec VPN?
ip nat inside source static udp 10.0.0.2 500 1x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 1701 1x.x.x.6 1701 redundancy Redundancy mapping-id 1 extendable
3. As you see, user authentication is from the RADIUS server for the IPsec VPN. I also want this to be the same for the L2TP over IPsec VPN.
4. I think that I must add this additional config. Is this true?
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
vpn-tunnel-protocol IPSec l2tp-ipsec
Is this config enough for L2TP over IPsec VPN? What additional config do I need?
Please help me.
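An added check, not from the thread or from Cisco: it parses the static NAT lines and ISAKMP/IPsec policy lines posted above (embedded here as constructed samples, with x.x.x.6 standing in for the masked public address) and reports which of the UDP ports a remote-access client uses (500 IKE, 4500 NAT-T, 1701 L2TP) the router currently forwards to the ASA outside address, plus any algorithm choices in the posted policy that are deprecated today.

```python
import re

# Constructed from the router and ASA lines posted in the thread (not the full
# configs); x.x.x.6 is the public address the poster masked.
ROUTER_CFG = """\
ip nat inside source static udp 10.0.0.2 500 x.x.x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
"""
ASA_CFG = """\
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
"""
ASA_OUTSIDE = "10.0.0.2"

# UDP ports a remote-access client sends toward the VPN head-end:
# 500 = IKE, 4500 = NAT-T (ESP encapsulated in UDP), 1701 = L2TP.
WANTED = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}

NAT_RE = re.compile(r"^ip nat inside source static udp (\S+) (\d+) (\S+) (\d+)", re.M)

def forwarded_udp_ports(cfg, inside_ip):
    """Map public UDP port -> inside UDP port for static translations to inside_ip."""
    return {int(m[4]): int(m[2]) for m in NAT_RE.finditer(cfg) if m[1] == inside_ip}

def port_coverage(cfg, inside_ip):
    """Which of the VPN ports the router currently forwards to the ASA outside IP."""
    fw = forwarded_udp_ports(cfg, inside_ip)
    return {name: port in fw for port, name in WANTED.items()}

# Settings a reviewer would flag as deprecated in the posted ASA policy.
WEAK = {
    r"\b(?:esp-)?(?:3des|des)\b": "DES/3DES encryption",
    r"^\s*hash md5": "MD5 hash",
    r"^\s*group [12]\b": "DH group 1/2",
}

def weak_crypto(cfg):
    """List deprecated algorithm choices found in the ASA config lines."""
    return sorted({label for pat, label in WEAK.items() if re.search(pat, cfg, re.M)})

if __name__ == "__main__":
    print(port_coverage(ROUTER_CFG, ASA_OUTSIDE))
    print(weak_crypto(ASA_CFG))
```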
11-23-2011 05:04 AM
Hello
Please see the following link for a complete example. A much easier approach is to remove the IPsec config and then start the L2TP config; it will confuse you less.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
Regards
Farrukh
11-23-2011 05:33 AM
Thanks, dear Farrukh, for answering me. I read this link before. I have exact questions.
1. As you see in my configuration, the ASA is behind the NAT device, which is the router in my topology. I read at the Cisco forum that a guy wrote:
L2TP over IPsec for an ASA behind a NAT device is not a usual configuration the ASA supports. Is he right?
2. Is it possible to configure split-tunnel at the L2TP over IPsec VPN? Does split-tunnel work?
3. For the IPsec VPN I wrote static NAT; when I configure the L2TP over IPsec VPN, which NAT must I write?
Both of them? Or do I write one or two of them? I want to do static port translation.
ip nat inside source static udp 10.0.0.2 500 1x.x.1x.6 500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 redundancy Redundancy mapping-id 1 extendable
ip nat inside source static udp 10.0.0.2 1701 1x.x.x.6 1701 redundancy Redundancy mapping-id 1 extendable
This is my question. Please, if you know the answer, help me.
Thanks