03-13-2018 02:28 PM - edited 03-12-2019 05:06 AM
Hi,
The native VPN client connects to the ASA and Intranet access works like a charm, but I cannot get Internet access to work.
This is my fw setup:
ASA Version 9.9(1)
!
hostname XX-GW
domain-name XX-konsulterna.com
enable password ”Very secret stuff”
names
ip local pool L2TP-Pool 192.168.100.0-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Internet via hobos
nameif outside
security-level 0
ip address 999.888.777.666 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
description Trunk to Switch 1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8.2
vlan 2
nameif INSIDE-AP
security-level 50
ip address 10.10.75.1 255.255.255.0
!
interface GigabitEthernet1/8.5
vlan 5
nameif XX
security-level 50
ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/8.10
vlan 10
nameif XX-Guests
security-level 25
ip address 10.10.10.1 255.255.255.0
!
interface Management1/1
management-only
nameif Manage
security-level 100
ip address 10.10.100.1 255.255.255.0
!
interface BVI1
description Inside
nameif inside
security-level 100
ip address 10.10.5.1 255.255.255.0
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name XX-konsulterna.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AP1_WLC
host 10.10.75.5
object network XX-Konsulterna
subnet 10.10.0.0 255.255.255.0
description XX-Konsulterna
object network Link2hobos
subnet 84.217.118.16 255.255.255.252
description Internet via Link2hobos
object network Synology_server
host 10.10.0.40
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network L2TP-Pool
subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.0.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.10.100.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
network-object object XX-Konsulterna
object-group network DM_INLINE_NETWORK_4
network-object 10.10.0.0 255.255.255.0
network-object 10.10.100.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
object-group service ds918-sync tcp
description 6690-TCP
port-object eq 6690
access-list ToSW_access_in extended permit ip any any
access-list XX-Data_access_in extended permit ip object XX-Konsulterna 10.10.5.0 255.255.255.0
access-list XX-Data_access_in extended permit ip object XX-Konsulterna any log
access-list XX-Data_access_in extended permit ip 10.10.0.0 255.255.255.0 any log
access-list ToSW1_access_in extended permit ip any any
access-list INSIDE-AP_access_in extended permit ip any any
access-list XX-Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any log
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.5.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.75.0 255.255.255.0
access-list inbound extended permit tcp any object Synology_server eq 6690 log errors
access-list inbound remark DROP RULE!
access-list inbound extended deny ip any any log notifications
access-list XX_access_in extended permit ip any any log notifications
access-list XX-Guests_access_in remark DROP all access to XX networks and logg!
access-list XX-Guests_access_in extended deny ip any any4
access-list XX-Guests_access_in extended permit ip any any4
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu INSIDE-AP 1500
mtu XX 1500
mtu XX-Guests 1500
mtu Manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-AP,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (outside,outside) source static any any destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (XX,outside) source static any any destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
!
object network obj_any
nat (inside_1,outside) dynamic interface
object network Synology_server
nat (XX,outside) static interface service tcp 6690 6690
object network obj-192.168.100.0
nat (outside,outside) dynamic interface
!
nat (INSIDE-AP,outside) after-auto source dynamic any interface
nat (XX,outside) after-auto source dynamic any interface
nat (XX-Guests,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group INSIDE-AP_access_in in interface INSIDE-AP
access-group XX_access_in in interface XX
access-group XX-Guests_access_in in interface XX-Guests
route outside 0.0.0.0 0.0.0.0 XX.217.118.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.10.100.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 XX
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=XX-GW.XX-konsulterna.com
keypair ASDM_LAUNCHER
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.10.0.1,CN=XX-GW
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
keysize 2048
keysize server 2048
crypto ca certificate chain ASDM_TrustPoint0
certificate 93b8615a
Crypto stuff
quit
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.255.0 XX
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 XX
ssh 10.10.100.0 255.255.255.0 Manage
ssh timeout 30
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 10.10.75.50-10.10.75.100 INSIDE-AP
dhcpd enable INSIDE-AP
!
dhcpd address 10.10.0.50-10.10.0.254 XX
dhcpd ping_timeout 750 interface XX
dhcpd domain XX-konsulterna.com interface XX
!
dhcpd address 10.10.10.50-10.10.10.100 XX-Guests
dhcpd dns XX.247.0.27 XX.247.0.29 interface XX-Guests
dhcpd ping_timeout 750 interface XX-Guests
dhcpd enable XX-Guests
!
dhcpd address 10.10.100.5-10.10.100.254 Manage
dhcpd enable Manage
!
dhcpd address 10.10.5.50-10.10.5.254 inside
dhcpd dns 999.247.0.27 999.247.0.29 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain XX-konsulterna.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.11.166.2 source outside
ntp server 193.11.166.18 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 XX
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 XX vpnlb-ip
webvpn
enable outside
cache
disable
error-recovery disable
group-policy DefaultRAGroup internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
dns-server value 10.10.0.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value XX-konsulterna.com
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 8
password-policy username-check
username testson password ”Very secret stuff” nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:a47adf06010e457328e51c8fc2e9e9d7
: end
asdm image disk0:/asdm-791.bin
asdm history enable
03-14-2018 06:32 AM
Hello @pwanderoy,
I forgot to mention you need to add the following:
nat (outside,outside) 1 source dynamic L2TP-Pool interface
HTH
Gio
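As an added illustration, not something posted in this thread, the pieces from the two replies collected into one ASA fragment, followed by the exec commands an operator would use to confirm that a VPN client's Internet-bound flow is really hairpinned and translated on "outside". Interface, pool and object names are the ones from the thread; 192.168.100.10 (a client from the pool) and 203.0.113.10 (an Internet host) are placeholders.

```cisco
! Hairpin prerequisite: a packet that arrives on "outside" from the VPN client
! must be allowed to leave through "outside" again (same interface in and out).
same-security-traffic permit intra-interface
!
! Client pool and a network object describing the same range, so a NAT rule
! can reference it (both already present in the posted configs).
ip local pool L2TP-Pool 192.168.100.0-192.168.100.254 mask 255.255.255.0
object network L2TP-Pool
 subnet 192.168.100.0 255.255.255.0
!
! Manual NAT at position 1 of section 1 (the line from the accepted reply).
! Scoping the source to the pool object rather than "any" means only VPN
! client traffic is PATed to the outside address when it re-exits outside.
nat (outside,outside) 1 source dynamic L2TP-Pool interface
!
! Group policy as suggested in the earlier reply, attached to the tunnel-group.
group-policy DefaultRAGroup attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value XX-konsulterna.com
 intercept-dhcp enable
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy DefaultRAGroup
!
! Verification (exec mode), placeholder addresses as stated above.
! 1. Simulate the client's flow entering "outside": the NAT phase in the
!    output should reference the (outside,outside) rule and translate the
!    source to the outside interface address.
packet-tracer input outside tcp 192.168.100.10 40000 203.0.113.10 443 detailed
! 2. Confirm the rule is installed in section 1 and is accumulating hits.
show nat detail
! 3. With a client connected and browsing, its pool address should show up
!    translated to the outside interface address.
show xlate
```

On the Windows side, clearing the "Use default gateway on remote network" box is the same setting that `Set-VpnConnection -Name <connection> -SplitTunneling $true` changes.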
03-13-2018 03:16 PM
Hello @pwanderoy,
You need to configure *intercept-dhcp enable* under your group-policy:
group-policy DefaultRAGroup attributes
dns-server value 10.10.0.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value XX-konsulterna.com
split-tunnel-policy tunnelspecified
intercept-dhcp enable
You also need to make a change on the PC: the *Use default gateway on remote network* box must be unchecked. This is found under the Advanced tab of the TCP/IP properties for the VPN client. Select VPN Client > Properties > Networking > Internet Protocol TCP/IP > Properties > Advanced and clear the check box.
HTH
Gio
03-14-2018 01:47 AM
Tried it, but I have had some help and ...
today's running config is:
hostname XX-GW
domain-name xx-konsulterna.com
enable password
ip local pool L2TP-Pool 192.168.100.0-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Internet via Ownit
nameif outside
security-level 0
ip address xxx.217.118.xx 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
description Trunk to Switch 1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8.2
vlan 2
nameif INSIDE-AP
security-level 50
ip address 10.10.75.1 255.255.255.0
!
interface GigabitEthernet1/8.5
vlan 5
nameif 5D
security-level 50
ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/8.10
vlan 10
nameif 5D-Guests
security-level 25
ip address 10.10.10.1 255.255.255.0
!
interface Management1/1
management-only
nameif Manage
security-level 100
ip address 10.10.100.1 255.255.255.0
!
interface BVI1
description Inside
nameif inside
security-level 100
ip address 10.10.5.1 255.255.255.0
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name xx-konsulterna.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AP1_WLC
host 10.10.75.5
object network xx-Konsulterna
subnet 10.10.0.0 255.255.255.0
description xx-Konsulterna
object network Link2Ownit
subnet xx.217.118.xx 255.255.255.252
description Internet via Link2Ownit
object network Synology_server
host 10.10.0.40
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network L2TP-Pool
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object xx-Konsulterna
network-object object obj_any
object-group network DM_INLINE_NETWORK_2
network-object 10.10.0.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.10.100.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
network-object object 5D-Konsulterna
object-group network DM_INLINE_NETWORK_4
network-object 10.10.0.0 255.255.255.0
network-object 10.10.100.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.75.0 255.255.255.0
object-group service ds918-sync tcp
description 6690-TCP
port-object eq 6690
access-list ToSW_access_in extended permit ip any any
access-list xx-Data_access_in extended permit ip object xx-Konsulterna 10.10.5.0 255.255.255.0
access-list xx-Data_access_in extended permit ip object xx-Konsulterna any log
access-list xx-Data_access_in extended permit ip 10.10.0.0 255.255.255.0 any log
access-list ToSW1_access_in extended permit ip any any
access-list INSIDE-AP_access_in extended permit ip any any
access-list xx-Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any log
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.5.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.75.0 255.255.255.0
access-list inbound extended permit tcp any object Synology_server eq 6690 log errors
access-list inbound remark DROP RULE!
access-list inbound extended permit ip object obj-192.168.100.0 any log notifications
access-list inbound extended deny ip any any log
access-list xx_access_in extended permit ip any any
access-list xx-Guests_access_in extended permit ip any4 any4
access-list xx-Guests_access_in remark DROP all access to 5D networks and logg!
access-list xx-Guests_access_in extended deny ip any any4
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.5.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.75.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu INSIDE-AP 1500
mtu xx 1500
mtu xx-Guests 1500
mtu Manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-AP,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (xx,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (outside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (inside_1,outside) dynamic interface
object network Synology_server
nat (xx,outside) static interface service tcp 6690 6690
!
nat (outside,outside) after-auto source dynamic any interface
nat (INSIDE-AP,outside) after-auto source dynamic any interface
nat (xx,outside) after-auto source dynamic any interface
nat (xx-Guests,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group INSIDE-AP_access_in in interface INSIDE-AP
access-group xx-Guests_access_in in interface 5D-Guests
route outside 0.0.0.0 0.0.0.0 xx.217.118.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.10.100.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 xx
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=5D-GW.xx-konsulterna.com
keypair ASDM_LAUNCHER
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.10.0.1,CN=xx-GW
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
keysize 2048
keysize server 2048
crypto ca certificate chain ASDM_TrustPoint0
certificate 93b8615a
Crypto stuff
quit
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.255.0 xx
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 xx
ssh 10.10.100.0 255.255.255.0 Manage
ssh timeout 30
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 10.10.75.50-10.10.75.100 INSIDE-AP
dhcpd enable INSIDE-AP
!
dhcpd address 10.10.0.50-10.10.0.254 xx
dhcpd ping_timeout 750 interface xx
dhcpd domain 5d-konsulterna.se interface xx
!
dhcpd address 10.10.10.50-10.10.10.100 xx-Guests
dhcpd dns 37.247.0.27 37.247.0.29 interface xx-Guests
dhcpd ping_timeout 750 interface xx-Guests
dhcpd enable xx-Guests
!
dhcpd address 10.10.100.5-10.10.100.254 Manage
dhcpd enable Manage
!
dhcpd address 10.10.5.50-10.10.5.254 inside
dhcpd dns 37.247.0.27 37.247.0.29 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain XX-konsulterna.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.11.166.2 source outside
ntp server 193.11.166.18 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 xx
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 xx vpnlb-ip
webvpn
enable outside
cache
disable
error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.0.10
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xx-konsulterna.com
intercept-dhcp enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec ssl-clientless
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
dns-server value 10.10.0.10
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value XX-konsulterna.com
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 8
password-policy username-check
username testson password xxxxxxxx nt-encrypted
username testson attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:f952391996584ac04f9f6513b3ee9c49
: end
asdm image disk0:/asdm-791.bin
asdm history enable
Result of the change: intranet okay, but no Internet access with the VPN up.
03-14-2018 10:14 AM