Cisco ASA VPN L2TP with Windows and MacOS native vpn clients cannot access internet, but intranet works.

pwanderoy (Level 1)

Hi,

Native vpn client to ASA connect and Intranet access works like a charm, but I cannot get Internet access to work.

This is my fw setup:

ASA Version 9.9(1)
!
hostname XX-GW
domain-name XX-konsulterna.com
enable password ”Very secret stuff”
names
ip local pool L2TP-Pool 192.168.100.0-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description Internet via hobos
 nameif outside
 security-level 0
 ip address 999.888.777.666 255.255.255.252
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 description Trunk to Switch 1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/8.2
 vlan 2
 nameif INSIDE-AP
 security-level 50
 ip address 10.10.75.1 255.255.255.0
!
interface GigabitEthernet1/8.5
 vlan 5
 nameif XX
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/8.10
 vlan 10
 nameif XX-Guests
 security-level 25
 ip address 10.10.10.1 255.255.255.0
!
interface Management1/1
 management-only
 nameif Manage
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface BVI1
 description Inside
 nameif inside
 security-level 100
 ip address 10.10.5.1 255.255.255.0
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
 domain-name XX-konsulterna.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network AP1_WLC
 host 10.10.75.5
object network XX-Konsulterna
 subnet 10.10.0.0 255.255.255.0
 description XX-Konsulterna
object network Link2hobos
 subnet 84.217.118.16 255.255.255.252
 description Internet via Link2hobos
object network Synology_server
 host 10.10.0.40
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network L2TP-Pool
 subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
 network-object object XX-Konsulterna
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
object-group service ds918-sync tcp
 description 6690-TCP
 port-object eq 6690
access-list ToSW_access_in extended permit ip any any
access-list XX-Data_access_in extended permit ip object XX-Konsulterna 10.10.5.0 255.255.255.0
access-list XX-Data_access_in extended permit ip object XX-Konsulterna any log
access-list XX-Data_access_in extended permit ip 10.10.0.0 255.255.255.0 any log
access-list ToSW1_access_in extended permit ip any any
access-list INSIDE-AP_access_in extended permit ip any any
access-list XX-Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any log
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.5.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.75.0 255.255.255.0
access-list inbound extended permit tcp any object Synology_server eq 6690 log errors
access-list inbound remark DROP RULE!
access-list inbound extended deny ip any any log notifications
access-list XX_access_in extended permit ip any any log notifications
access-list XX-Guests_access_in remark DROP all access to XX networks and logg!
access-list XX-Guests_access_in extended deny ip any any4
access-list XX-Guests_access_in extended permit ip any any4
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu INSIDE-AP 1500
mtu XX 1500
mtu XX-Guests 1500
mtu Manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-AP,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (outside,outside) source static any any destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (XX,outside) source static any any destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside_1,outside) dynamic interface
object network Synology_server
 nat (XX,outside) static interface service tcp 6690 6690
object network obj-192.168.100.0
 nat (outside,outside) dynamic interface
!
nat (INSIDE-AP,outside) after-auto source dynamic any interface
nat (XX,outside) after-auto source dynamic any interface
nat (XX-Guests,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group INSIDE-AP_access_in in interface INSIDE-AP
access-group XX_access_in in interface XX
access-group XX-Guests_access_in in interface XX-Guests
route outside 0.0.0.0 0.0.0.0 XX.217.118.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.10.100.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 XX
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=XX-GW.XX-konsulterna.com
 keypair ASDM_LAUNCHER
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.10.0.1,CN=XX-GW
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
 keysize 2048
 keysize server 2048
crypto ca certificate chain ASDM_TrustPoint0
 certificate 93b8615a
    Crypto stuff
  quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.0.0 255.255.255.0 XX
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 XX
ssh 10.10.100.0 255.255.255.0 Manage
ssh timeout 30
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcpd address 10.10.75.50-10.10.75.100 INSIDE-AP
dhcpd enable INSIDE-AP
!
dhcpd address 10.10.0.50-10.10.0.254 XX
dhcpd ping_timeout 750 interface XX
dhcpd domain XX-konsulterna.com interface XX
!
dhcpd address 10.10.10.50-10.10.10.100 XX-Guests
dhcpd dns XX.247.0.27 XX.247.0.29 interface XX-Guests
dhcpd ping_timeout 750 interface XX-Guests
dhcpd enable XX-Guests
!
dhcpd address 10.10.100.5-10.10.100.254 Manage
dhcpd enable Manage
!
dhcpd address 10.10.5.50-10.10.5.254 inside
dhcpd dns 999.247.0.27 999.247.0.29 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain XX-konsulterna.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.11.166.2 source outside
ntp server 193.11.166.18 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 XX
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 XX vpnlb-ip
webvpn
 enable outside
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value XX-konsulterna.com
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 8
password-policy username-check
username testson password ”Very secret stuff” nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:a47adf06010e457328e51c8fc2e9e9d7
: end
asdm image disk0:/asdm-791.bin
asdm history enable


4 Replies

GioGonza (Level 4)

Hello @pwanderoy

 

You need to configure *intercept-dhcp enable* under your group-policy:

group-policy DefaultRAGroup attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value XX-konsulterna.com
 split-tunnel-policy tunnelspecified
 intercept-dhcp enable

 

You need to perform some changes on the PC, you need to have the *Use default gateway on remote network* box unchecked.  This is found under the advanced tab of TCP/IP properties for the VPN Client.   Select VPN Client > Properties > Networking > Internet Protocol TCP/IP > Properties > Advanced and clear the check box.

 

HTH

Gio

Tried it, but I have had some help and ...

Today's running config is:

hostname XX-GW
domain-name xx-konsulterna.com
enable password 
ip local pool L2TP-Pool 192.168.100.0-192.168.100.254 mask 255.255.255.0

!
interface GigabitEthernet1/1
 description Internet via Ownit
 nameif outside
 security-level 0
 ip address xxx.217.118.xx 255.255.255.252 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 description Trunk to Switch 1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/8.2
 vlan 2
 nameif INSIDE-AP
 security-level 50
 ip address 10.10.75.1 255.255.255.0 
!
interface GigabitEthernet1/8.5
 vlan 5
 nameif 5D
 security-level 50
 ip address 10.10.0.1 255.255.255.0 
!
interface GigabitEthernet1/8.10
 vlan 10
 nameif 5D-Guests
 security-level 25
 ip address 10.10.10.1 255.255.255.0 
!
interface Management1/1
 management-only
 nameif Manage
 security-level 100
 ip address 10.10.100.1 255.255.255.0 
!
interface BVI1
 description Inside
 nameif inside
 security-level 100
 ip address 10.10.5.1 255.255.255.0 
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
 domain-name xx-konsulterna.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network AP1_WLC
 host 10.10.75.5
object network xx-Konsulterna
 subnet 10.10.0.0 255.255.255.0
 description xx-Konsulterna
object network Link2Ownit
 subnet xx.217.118.xx 255.255.255.252
 description Internet via Link2Ownit
object network Synology_server
 host 10.10.0.40
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network L2TP-Pool
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object xx-Konsulterna
 network-object object obj_any
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
 network-object object 5D-Konsulterna
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.5.0 255.255.255.0
 network-object 10.10.75.0 255.255.255.0
object-group service ds918-sync tcp
 description 6690-TCP
 port-object eq 6690
access-list ToSW_access_in extended permit ip any any 
access-list xx-Data_access_in extended permit ip object xx-Konsulterna 10.10.5.0 255.255.255.0 
access-list xx-Data_access_in extended permit ip object xx-Konsulterna any log 
access-list xx-Data_access_in extended permit ip 10.10.0.0 255.255.255.0 any log 
access-list ToSW1_access_in extended permit ip any any 
access-list INSIDE-AP_access_in extended permit ip any any 
access-list xx-Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any log 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.5.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.75.0 255.255.255.0 
access-list inbound extended permit tcp any object Synology_server eq 6690 log errors 
access-list inbound remark DROP RULE!
access-list inbound extended permit ip object obj-192.168.100.0 any log notifications 
access-list inbound extended deny ip any any log 
access-list xx_access_in extended permit ip any any 
access-list xx-Guests_access_in extended permit ip any4 any4 
access-list xx-Guests_access_in remark DROP all access to 5D networks and logg!
access-list xx-Guests_access_in extended deny ip any any4 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.5.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.75.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.255.0 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu INSIDE-AP 1500
mtu xx 1500
mtu xx-Guests 1500
mtu Manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-AP,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (xx,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
nat (outside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside_1,outside) dynamic interface
object network Synology_server
 nat (xx,outside) static interface service tcp 6690 6690 
!
nat (outside,outside) after-auto source dynamic any interface
nat (INSIDE-AP,outside) after-auto source dynamic any interface
nat (xx,outside) after-auto source dynamic any interface
nat (xx-Guests,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group INSIDE-AP_access_in in interface INSIDE-AP
access-group xx-Guests_access_in in interface 5D-Guests
route outside 0.0.0.0 0.0.0.0 xx.217.118.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication login-history
http server enable
http 10.10.100.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 xx
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=5D-GW.xx-konsulterna.com
 keypair ASDM_LAUNCHER
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.10.0.1,CN=xx-GW
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca server 
 shutdown
 keysize 2048
 keysize server 2048
crypto ca certificate chain ASDM_TrustPoint0
 certificate 93b8615a
    Crypto stuff
  quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.0.0 255.255.255.0 xx
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 xx
ssh 10.10.100.0 255.255.255.0 Manage
ssh timeout 30
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcpd address 10.10.75.50-10.10.75.100 INSIDE-AP
dhcpd enable INSIDE-AP
!
dhcpd address 10.10.0.50-10.10.0.254 xx
dhcpd ping_timeout 750 interface xx
dhcpd domain 5d-konsulterna.se interface xx
!
dhcpd address 10.10.10.50-10.10.10.100 xx-Guests
dhcpd dns 37.247.0.27 37.247.0.29 interface xx-Guests
dhcpd ping_timeout 750 interface xx-Guests
dhcpd enable xx-Guests
!
dhcpd address 10.10.100.5-10.10.100.254 Manage
dhcpd enable Manage
!
dhcpd address 10.10.5.50-10.10.5.254 inside
dhcpd dns 37.247.0.27 37.247.0.29 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain XX-konsulterna.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.11.166.2 source outside
ntp server 193.11.166.18 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 xx
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 xx vpnlb-ip
webvpn
 enable outside
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xx-konsulterna.com
 intercept-dhcp enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec ssl-clientless
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 default-domain value XX-konsulterna.com
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 8
password-policy username-check
username testson password xxxxxxxx nt-encrypted
username testson attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:f952391996584ac04f9f6513b3ee9c49
: end
asdm image disk0:/asdm-791.bin
asdm history enable


 

Result of the change: intranet okay, but no Internet access with the VPN up.

Hello @pwanderoy,

I forgot to mention you need to add the following:

nat (outside,outside) 1 source dynamic L2TP-Pool interface

HTH

Gio
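The pieces that make the accepted fix work, collected as an added example together with the verification commands a practitioner would run afterwards (this is not code from Gio's post or from pwanderoy's config; the client address 192.168.100.10 and the Internet host 203.0.113.10 are constructed test values):

```cisco
! Added example: hairpinning L2TP clients back out the outside interface on a Cisco ASA.
!
! 1. Decrypted VPN traffic enters on outside and has to leave on outside again, so
!    same-interface forwarding must be permitted (the posted config already has this).
same-security-traffic permit intra-interface
!
! 2. Pool addresses are RFC 1918 and must be PATed to the outside interface address on the
!    way back out. The accepted fix inserts this as line 1 of section 1 (manual NAT, before
!    auto NAT), so it is matched ahead of the broader (outside,outside) rules in the table.
object network L2TP-Pool
 subnet 192.168.100.0 255.255.255.0
nat (outside,outside) 1 source dynamic L2TP-Pool interface
!
! 3. Verify with packet-tracer using a constructed client address (192.168.100.10) and a
!    constructed destination (203.0.113.10). A good trace shows input-interface outside,
!    output-interface outside, a NAT phase that hits the rule above and a final "Action: allow".
!    This simulates a cleartext packet on outside, so the interface ACL is evaluated as well;
!    a VPN-decapsulated packet is normally exempted by the default sysopt connection permit-vpn.
packet-tracer input outside tcp 192.168.100.10 40000 203.0.113.10 443 detailed
!
! 4. Confirm the rule is the one being hit and that translations are built for pool addresses.
show nat detail | include 192.168.100
show xlate | include 192.168.100
!
! Defender's note (not from the thread): "nat (outside,outside) after-auto source dynamic any
! interface" PATs anything arriving on outside that routes back out outside; scoping the source
! to the L2TP-Pool object, as the accepted fix does, keeps the hairpin limited to VPN clients.
```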

Big thanks GioGonza!

Everything is now up and working as it was intended thanks to your help.