01-15-2015 02:43 PM
Hi all,
I am having an interesting problem that has been driving me crazy all day. I have an ASA 5505 (ver 9) where I configured a site-to-site VPN to another router, and that works. Then I configured L2TP IPsec VPN on the ASA with split tunneling, and I can reach my local network. The problem is when I am trying to reach the remote network that is behind that site-to-site VPN. Whatever I do, I am not able to reach that network. This same exact setup works on a different ASA with AnyConnect VPN.
So this is what I did:
1) Add VPN subnet as 2nd SA to existing site-to-site VPN
2) Configured NAT exemption for VPN subnet when going to remote subnet
3) Published that remote subnet to VPN client.
This should do the trick as it does when AnyConnect is in question.
I'll paste a few commands that are relevant:
ip local pool VPN_POOL 192.168.255.100-192.168.255.235 mask 255.255.255.0
object network L2TP-VPN-subnet
 subnet 192.168.255.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.17.0 255.255.255.0 object Site-172.16.17.0
access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Site-172.16.17.0
access-list Split-Tunnel-ACL standard permit 192.168.17.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 172.16.17.0 255.255.255.0
nat (inside,outside) source static inside-network inside-network destination static Site-172.16.17.0 Azure-172.16.17.0 no-proxy-arp
nat (inside,outside) source static inside-network inside-network destination static L2TP-VPN-subnet L2TP-VPN-subnet no-proxy-arp route-lookup
nat (inside,outside) source static L2TP-VPN-subnet L2TP-VPN-subnet destination static Site-172.16.17.0 Site-172.16.17.0 no-proxy-arp route-lookup
group-policy VPN_L2TP_IPSEC internal
group-policy VPN_L2TP_IPSEC attributes
 dns-server value 172.16.17.4
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 default-domain value ****.com
 split-dns value ****.com
 intercept-dhcp 255.255.255.0 enable
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
Anyone managed to get this setup working? I am assuming I am missing some minor detail here, but I can't see what. Maybe this can't work with L2TP?
01-16-2015 02:40 AM
Hello, Damir Reic.
What are you using NAT for with the L2TP VPN? Split tunneling is helping your users go to the internet directly, so you don't need to use NAT. Also, it can be a source of the problem because NAT works before the site-to-site VPN. So traffic from your remote users could be changed by NAT, and the source IP address of this traffic will be different. And because of this it's not hitting the rules of your site-to-site VPN.
01-16-2015 02:24 AM
And the problem was:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
After I did this, it started to work.
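A small configuration audit, added here as an example and not taken from the thread or from Cisco, that checks the four conditions this thread touches on for remote-access clients reaching a site behind a site-to-site tunnel on the same ASA: the `same-security-traffic permit intra-interface` hairpin permit the poster found missing, the identity (exemption) NAT from the VPN pool to the remote subnet, the pool-to-remote entry in the crypto map ACL, and the remote subnet in the split-tunnel list. The embedded config is a constructed sample modelled on the posted excerpts; the subnet behind the object `Site-172.16.17.0` is assumed from its name, since the thread never shows that object's definition, and both tunnels are assumed to terminate on the `outside` interface.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's excerpts plus the line the poster
# found missing. The subnet behind Site-172.16.17.0 is assumed from its name.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool VPN_POOL 192.168.255.100-192.168.255.235 mask 255.255.255.0
object network L2TP-VPN-subnet
 subnet 192.168.255.0 255.255.255.0
object network Site-172.16.17.0
 subnet 172.16.17.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.17.0 255.255.255.0 object Site-172.16.17.0
access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Site-172.16.17.0
access-list Split-Tunnel-ACL standard permit 192.168.17.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 172.16.17.0 255.255.255.0
nat (inside,outside) source static L2TP-VPN-subnet L2TP-VPN-subnet destination static Site-172.16.17.0 Site-172.16.17.0 no-proxy-arp route-lookup
"""


def net(addr, mask):
    """Build a network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Pull out only the statements the audit needs from a running-config excerpt."""
    cfg = {"same_security": set(), "pools": {}, "objects": {}, "acls": {}, "nat": []}
    current_obj = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):  # sub-command of an 'object network' block
            m = re.match(r"\s*subnet (\S+) (\S+)$", raw)
            if m and current_obj:
                cfg["objects"][current_obj] = net(m.group(1), m.group(2))
            continue
        current_obj = None
        p = raw.split()
        if p[:2] == ["same-security-traffic", "permit"]:
            cfg["same_security"].add(p[2])
        elif p[:3] == ["ip", "local", "pool"]:
            start, end = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif p[:2] == ["object", "network"]:
            current_obj = p[2]
        elif p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "nat":
            cfg["nat"].append(p)
    return cfg


def _operand(cfg, toks):
    """Resolve one ACL address operand: 'object NAME', 'host A', or 'A MASK'."""
    if toks[0] == "object":
        return cfg["objects"][toks[1]], toks[2:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    return net(toks[0], toks[1]), toks[2:]


def acl_pairs(cfg, name):
    """Yield (src, dst) networks per permit entry; standard ACLs carry no source."""
    for e in cfg["acls"].get(name, []):
        if e[:2] == ["standard", "permit"]:
            yield None, net(e[2], e[3])
        elif e[:2] == ["extended", "permit"]:
            src, rest = _operand(cfg, e[3:])  # e[2] is the protocol keyword
            dst, _ = _operand(cfg, rest)
            yield src, dst


def covers_pool(network, pool):
    start, end = pool
    return start in network and end in network


def audit(cfg, pool_name, remote, crypto_acl, split_acl):
    """Check what RA-client -> S2S-site traffic needs on this ASA (both tunnels on outside)."""
    remote = ipaddress.ip_network(remote)
    pool = cfg["pools"][pool_name]
    objs = cfg["objects"]
    return {
        # Packet enters and leaves the same interface; without this permit the ASA drops it.
        "intra_interface": "intra-interface" in cfg["same_security"],
        # Identity NAT pool->remote keeps the pool address, so the packet still matches
        # the crypto ACL after NAT (NAT runs before the S2S tunnel selection).
        "nat_exempt": any(
            p[2:4] == ["source", "static"] and p[4] == p[5] and p[4] in objs
            and p[6:8] == ["destination", "static"] and p[8] == p[9] and p[8] in objs
            and covers_pool(objs[p[4]], pool) and remote.subnet_of(objs[p[8]])
            for p in cfg["nat"]),
        # The S2S proxy identity must include pool->remote, or no SA is negotiated for it.
        "crypto_acl": any(
            src is not None and covers_pool(src, pool) and remote.subnet_of(dst)
            for src, dst in acl_pairs(cfg, crypto_acl)),
        # Split tunnel must push the remote subnet, or the client sends it via its own ISP.
        "split_tunnel": any(remote.subnet_of(dst) for _, dst in acl_pairs(cfg, split_acl)),
    }


if __name__ == "__main__":
    variants = [("posted config plus fix", SAMPLE_CONFIG),
                ("without intra-interface", SAMPLE_CONFIG.replace(
                    "same-security-traffic permit intra-interface\n", ""))]
    for label, text in variants:
        print(label, audit(parse(text), "VPN_POOL", "172.16.17.0/24",
                           "outside_cryptomap", "Split-Tunnel-ACL"))
```

Feed it the output of `show running-config` (or the relevant excerpt) and the names of the pool, crypto ACL and split-tunnel ACL; each `False` in the result points at the statement to look at. The parser deliberately understands only the handful of statement types the audit needs, so anything else in the config is ignored rather than misread.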