L2tp through ASA5506 at the remote site

peat
Level 1

I have an ASA5506 at my office, and a guest from a different company is trying to connect to their VPN at their office, but it's failing to connect.

The VPNs I use going outwards all work fine with no ACLs or NAT (Sophos VPN, Cisco AnyConnect), but theirs is a Windows VPN using L2TP.


I have set up ACLs and NATs to allow VPN traffic through before, but that has only been on my office side, where people are VPN'ing in from their homes etc. This time it's a user trying to VPN from my network out to their office (which I have no knowledge of, apart from the IP address they are VPN'ing to).


I can't get my head around which way I do the NAT and ACLs for this to work.

I know I need to pass through/allow UDP 4500, 500, 1701 and IP 50 for L2TP, but that's about it.


I also have a router outside of the firewall, so I'm guessing I need to double NAT as well.

Any help would be appreciated.


5 Replies

Hi,
As far as NAT is concerned, you probably don't need to create a specific NAT for an outbound connection; it would just NAT on your dynamic NAT, which all outbound traffic would hit.

I assume you've got an outbound ACL on the ASA (there isn't one by default). Can you upload your ACL configuration, please?

object-group service L2TP udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp

access-list 101 extended permit udp any any object-group L2TP
access-list 101 extended permit esp any any
access-group 101 in interface WAN

Isn't the direction of this VPN from inside the network to outside? I assume the inside interface is not called WAN?

The inside interface is called WIFI.
I have put those ACLs on the WIFI interface now. Just have to wait for the user to come in to test.
Fingers crossed! :)

This is the config now, and it doesn't work. Neither direction's ACLs are getting hit.

access-list WIFI_access_in extended permit udp any any object-group L2TP
access-list WIFI_access_in extended permit esp any any
access-list WIFI_access_in extended permit ip any any

access-list WIFI_access_out extended permit udp any any object-group L2TP
access-list WIFI_access_out extended permit esp any any
access-list WIFI_access_out extended permit ip any any

access-group WIFI_access_in in interface WIFI
access-group WIFI_access_out out interface WIFI
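As an added example (not config or code from anyone in this thread, and not a Cisco tool), here is a small Python checker that applies the ASA's first-match ACL semantics to the two access-lists posted above (the `101` list bound to `WAN` and the `WIFI_access_in` list bound to `WIFI`, with the `L2TP` object-group from the earlier post repeated so the second snippet is self-contained) and reports whether each flow an outbound L2TP/IPsec client needs would be permitted. The `GUEST_in` list and `GUEST` interface are constructed to show the common gap: IKE and ESP permitted but udp/4500 (NAT-T) missing, which matters precisely when the client sits behind a NAT such as the upstream router mentioned in the question. The parser covers only the ACE forms that appear on this page and checks protocol and destination port, treating addresses as `any`.

```python
"""First-match check of Cisco ASA access-lists for the flows an outbound
L2TP/IPsec client needs.  Added example for this thread; parses only the
ACE forms seen on the page (extended ACEs, any/host/object addresses,
eq/range/object-group destination port specs)."""

# What a Windows L2TP/IPsec client emits, and what a firewall in the path sees:
#   udp/500   IKE (isakmp)    always on the wire
#   udp/4500  NAT-T           used whenever a NAT device sits between the peers
#   esp       IP protocol 50  on the wire only when NAT-T is not negotiated
#   udp/1701  L2TP            carried inside ESP, so a transit firewall never sees it
REQUIRED_FLOWS = {
    "udp/500 IKE": ("udp", 500),
    "udp/4500 NAT-T": ("udp", 4500),
    "esp (proto 50)": ("esp", None),
}
PORT_NAMES = {"isakmp": 500, "l2tp": 1701}           # ASA port keywords used here
PROTO_NUMBERS = {"50": "esp", "17": "udp", "6": "tcp"}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _skip_addr(tokens, i):
    """Advance past one address spec: any | host X | object X | object-group X | A.B.C.D MASK."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] in ("any", "any4", "any6") else i + 2


def _take_ports(tokens, i, groups):
    """Optional port spec at tokens[i] -> (set of ports or None, next index)."""
    if i >= len(tokens):
        return None, i
    t = tokens[i]
    if t == "eq":
        return {_port(tokens[i + 1])}, i + 2
    if t == "range":
        return set(range(_port(tokens[i + 1]), _port(tokens[i + 2]) + 1)), i + 3
    if t == "object-group" and i + 1 < len(tokens) and tokens[i + 1] in groups:
        return set(groups[tokens[i + 1]]), i + 2
    return None, i


def _parse_ace(tokens, groups):
    """['permit'|'deny', PROTO, SRC [SRC_PORT] DST [DST_PORT]] -> (action, proto, dst_ports)."""
    action, proto = tokens[0], PROTO_NUMBERS.get(tokens[1].lower(), tokens[1].lower())
    i = _skip_addr(tokens, 2)
    _, i = _take_ports(tokens, i, groups)              # source port spec, not needed here
    i = _skip_addr(tokens, i)
    dst_ports, i = _take_ports(tokens, i, groups)
    if i != len(tokens):                               # e.g. a service group referenced but never defined
        raise ValueError(f"cannot parse ACE tail {tokens[i:]}")
    return action, proto, dst_ports


def parse_config(text):
    """Return (service_groups, acls, bindings) from running-config style lines."""
    groups, acls, bindings, current = {}, {}, {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "service"] and len(tokens) == 4:
            current = tokens[2]                         # "object-group service NAME udp"
            groups[current] = set()
        elif tokens[0] == "port-object" and current is not None:
            if tokens[1] == "eq":
                groups[current].add(_port(tokens[2]))
            elif tokens[1] == "range":
                groups[current].update(range(_port(tokens[2]), _port(tokens[3]) + 1))
        elif tokens[0] == "access-list" and len(tokens) > 3 and tokens[2] == "extended":
            current = None
            acls.setdefault(tokens[1], []).append(_parse_ace(tokens[3:], groups))
        elif tokens[0] == "access-group":               # "access-group NAME in|out interface IFACE"
            current = None
            bindings.setdefault(tokens[4], {})[tokens[2]] = tokens[1]
        else:
            current = None
    return groups, acls, bindings


def evaluate(acl, proto, port):
    """ASA first-match semantics; an applied ACL ends in an implicit deny."""
    for action, ace_proto, dst_ports in acl:
        if ace_proto not in ("ip", proto):
            continue
        if dst_ports is not None and port not in dst_ports:   # port-qualified ACE never matches ESP
            continue
        return action
    return "implicit-deny"


def check_l2tp(text, interface, direction="in"):
    """Verdict per required flow for the ACL bound to interface/direction."""
    groups, acls, bindings = parse_config(text)
    acl_name = bindings.get(interface, {}).get(direction)
    if acl_name is None:
        # No ACL bound: the ASA permits higher- to lower-security traffic by default.
        return {label: "no-acl-default" for label in REQUIRED_FLOWS}
    return {label: evaluate(acls.get(acl_name, []), proto, port)
            for label, (proto, port) in REQUIRED_FLOWS.items()}


# Sample input: the two configs posted in the thread (object-group repeated in the
# second so it stands alone) and one constructed ACL that forgets NAT-T.
CONFIG_101 = """\
object-group service L2TP udp
 port-object eq 1701
 port-object eq 4500
 port-object eq isakmp
access-list 101 extended permit udp any any object-group L2TP
access-list 101 extended permit esp any any
access-group 101 in interface WAN
"""
CONFIG_WIFI = """\
object-group service L2TP udp
 port-object eq 1701
 port-object eq 4500
 port-object eq isakmp
access-list WIFI_access_in extended permit udp any any object-group L2TP
access-list WIFI_access_in extended permit esp any any
access-list WIFI_access_in extended permit IP any any
access-group WIFI_access_in in interface WIFI
"""
CONFIG_NO_NATT = """\
access-list GUEST_in extended permit udp any any eq isakmp
access-list GUEST_in extended permit esp any any
access-group GUEST_in in interface GUEST
"""
```

Run `check_l2tp(CONFIG_101, "WAN")` or `check_l2tp(CONFIG_WIFI, "WIFI")` and every required flow comes back `permit`; `check_l2tp(CONFIG_NO_NATT, "GUEST")` returns `implicit-deny` for udp/4500, which is the flow a client behind a NAT will actually use. Note that udp/1701 is absent from the required set on purpose: L2TP rides inside the ESP tunnel, so an ACE for it on a transit firewall is harmless but never matches. If this check says an ACE permits the flow yet its hit count on the ASA stays at zero, the packets are not reaching that ACL at all, which points away from ACL policy and toward routing, the interface the traffic actually enters, or the upstream NAT device.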