
L2TP Passthrough ASA 5510

Hi there,

I was hoping someone could help? I am trying to set up an L2TP VPN. The actual VPN server is running on a Windows server on my internal LAN; I simply want to pass connections from clients outside the network through an ASA 5510 on the perimeter.

I can confirm the server-side config on the Windows box is correct, as I have tested it by connecting to it via L2TP from a client on the inside with no problems. With connections from Windows PCs on the outside I get the following error:

A sanitized version of my ASA Config is below:

hostname CustomerASA
enable password mzQdMUfMe3JpS6Jz encrypted
passwd cfdtRgP86KiRsmfE encrypted
name PonchoSBS
interface Ethernet0/0
description ######## Customer Internal LAN ##########
nameif LAN-Customer
security-level 80
ip address
interface Ethernet0/1
description ######## CustLan2 Internal LAN ########
nameif LAN-CustLan2
security-level 80
ip address
interface Ethernet0/2
description ######## LAN CustLan3 ########
nameif LAN-CustLan3
security-level 80
ip address
interface Ethernet0/3
description ######## Outside ISP Interface ########
nameif Outside
security-level 0
ip address
interface Management0/0
description ######## Management Access Only ########
nameif Management
security-level 100
ip address
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object network PonchoSBS
object network LAN-Customer
object network LAN-CustLan2
object network LAN-CustLan3
object service RDP
service tcp destination eq 3389
object network MgmtNAT
description MgmtNAT
object network PonchoSBS_EXTERNAL
object network Outside_Int_IP
object network Science_Server_25
object network Science_Server_443
object network Science_Server_80
object network VS-Proxy
object network VS-DC
object network VS-Exchange2013
object network spamfilter1
object network spamfilter10
object network spamfilter11
object network spamfilter12
object network spamfilter13
object network spamfilter14
object network spamfilter2
object network spamfilter3
object network spamfilter4
object network spamfilter5
object network spamfilter6
object network spamfilter7
object network spamfilter8
object network spamfilter9
object network company
object service LDAP
service tcp destination eq ldap
object network VS-DC-LDAP
description LDAP for DC - spamfilter Communication.
object service IKE
service udp source range 1 65535 destination eq isakmp
description IKE
object service IPSecESP
service esp
description IPSec ESP
object service IPsecNAT-T
service udp source range 1 65535 destination eq 4500
description IPSec NAT-T
object network VS_EXCHANGE2013_Int
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq https
service-object tcp destination eq pptp
service-object esp
service-object ah
object-group service DM_INLINE_TCP_2 tcp
port-object eq 85
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object LDAP
object-group service L2TP
service-object object IKE
service-object object IPSecESP
service-object object IPsecNAT-T
service-object tcp-udp destination eq 1701
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network spamfilter
network-object object spamfilter1
network-object object spamfilter2
network-object object spamfilter4
network-object object spamfilter5
network-object object spamfilter6
network-object object spamfilter10
network-object object spamfilter11
network-object object spamfilter12
network-object object spamfilter13
network-object object spamfilter14
network-object object spamfilter3
network-object object spamfilter7
network-object object spamfilter8
network-object object spamfilter9
network-object object company
object-group network DM_INLINE_NETWORK_3
network-object object Outside_Int_IP
network-object object PonchoSBS_EXTERNAL
access-list Outside_access extended permit object-group DM_INLINE_SERVICE_1 any object VS-Exchange2013
access-list Outside_access extended permit tcp any host object-group DM_INLINE_TCP_1 inactive
access-list Outside_access extended permit tcp object-group spamfilter object VS-Exchange2013 eq smtp
access-list Outside_access extended permit object-group L2TP any object VS-Exchange2013
access-list Outside_access extended permit object-group DM_INLINE_SERVICE_2 object-group spamfilter object VS-DC-LDAP
access-list Outside_access extended permit tcp any host object-group DM_INLINE_TCP_2
access-list Outside_access extended permit ip object LAN-Customer 32 inactive
access-list LAN-Customer_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu LAN-Customer 1500
mtu LAN-CustLan2 1500
mtu LAN-CustLan3 1500
mtu Outside 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any LAN-CustLan3
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
object network LAN-Customer
nat (LAN-Customer,Outside) dynamic interface
object network LAN-CustLan2
nat (LAN-CustLan2,Outside) dynamic interface
object network LAN-CustLan3
nat (LAN-CustLan3,Outside) dynamic interface
object network MgmtNAT
nat (Management,Outside) dynamic interface
object network Science_Server_25
nat (LAN-Customer,Outside) static interface service tcp smtp smtp
object network Science_Server_443
nat (LAN-Customer,Outside) static interface service tcp https https
object network Science_Server_80
nat (LAN-Customer,Outside) static interface service tcp www www
object network VS-Proxy
nat (LAN-Customer,Outside) static interface service tcp www 81
object network VS-Exchange2013
nat (any,any) static
object network VS-DC-LDAP
nat (any,Outside) static interface service tcp ldap ldap
access-group LAN-Customer_access_in in interface LAN-Customer
access-group Outside_access in interface Outside
route Outside 5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4443
http Management
http LAN-Customer
http Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh LAN-Customer
ssh Outside
ssh Management
ssh timeout 5
console timeout 0
dhcpd address LAN-CustLan2
dhcpd dns interface LAN-CustLan2
dhcpd enable LAN-CustLan2
dhcpd address LAN-CustLan3
dhcpd dns interface LAN-CustLan3
dhcpd enable LAN-CustLan3
dhcpd address Management
dhcpd enable Management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username company password /dOQN1XOcOofMIyT encrypted privilege 15
username admin password x4VzqNDubhe0TkYT encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
service-policy global_policy global
prompt hostname context
: end

Any assistance with what is wrong would be greatly appreciated. The packet tracer, both in the ASDM GUI and from the terminal, would suggest that the ACLs and NAT are working fine; it is just that the connections through the ASA do not complete.

Thanks very much,
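As an added example (not part of the original post, and not Cisco's or the poster's code): a small Python checker that parses the object / object-group / access-list / nat lines in the form they are posted above and reports which of the services an L2TP/IPsec client must reach (UDP/500 IKE, ESP, UDP/4500 NAT-T, UDP/1701 L2TP) the Outside ACL permits to the VPN host, and whether a static NAT exists for that host. The config excerpt is constructed from the posted config, VS-Exchange2013 is the ACL destination as posted, and the function names parse_asa and l2tp_gaps are this example's own.

```python
# Added example (not from the original post): check the posted ASA syntax for L2TP/IPsec passthrough.
# Constructed excerpt of the posted config: IPsec service objects, L2TP group, ACL entry, static NAT.
ASA_CONFIG = """\
object service IKE
service udp source range 1 65535 destination eq isakmp
object service IPSecESP
service esp
object service IPsecNAT-T
service udp source range 1 65535 destination eq 4500
object-group service L2TP
service-object object IKE
service-object object IPSecESP
service-object object IPsecNAT-T
service-object tcp-udp destination eq 1701
access-list Outside_access extended permit object-group L2TP any object VS-Exchange2013
object network VS-Exchange2013
nat (any,any) static
"""
# What a Windows L2TP/IPsec client must reach on the server: IKE, ESP, NAT-T and L2TP itself.
REQUIRED = {("udp", "500"), ("esp", None), ("udp", "4500"), ("udp", "1701")}
KEYWORD_PORTS = {"isakmp": "500"}  # ASA port keyword used in the posted config

def _entries(proto, port):  # one service line -> {(proto, port)}; tcp-udp yields both
    port = KEYWORD_PORTS.get(port, port)
    return {(p, port) for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,))}

def parse_asa(config):  # -> (permits: ACL destination object -> services, set of static-NAT objects)
    services, groups, permits, static_nat, cur = {}, {}, {}, set(), None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[:2] == ["object", "service"]:
            cur = services.setdefault(tok[2], set())
        elif tok[:2] == ["object-group", "service"]:
            cur = groups.setdefault(tok[2], set())
        elif tok[:2] == ["object", "network"]:
            cur = tok[2]  # remember the host so a following nat line binds to it
        elif tok[0] in ("service", "service-object") and isinstance(cur, set):
            if tok[1] == "object":  # reference to a named service object
                cur |= services.get(tok[2], set())
            else:
                cur |= _entries(tok[1], tok[-1] if "destination" in tok else None)
        elif tok[0] == "nat" and "static" in tok and isinstance(cur, str):
            static_nat.add(cur)
        elif tok[0] == "access-list" and tok[3:5] == ["permit", "object-group"] and tok[-1] != "inactive":
            permits.setdefault(tok[-1], set()).update(groups.get(tok[5], set()))
    return permits, static_nat

def l2tp_gaps(config, host):  # required services the ACL does not permit to host, and static-NAT presence
    permits, static_nat = parse_asa(config)
    return REQUIRED - permits.get(host, set()), host in static_nat
```

For the posted config the checker finds no missing service and a static NAT for VS-Exchange2013, which matches what packet tracer reported; dropping any one line from the L2TP group makes the corresponding port show up in the gap set.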