08-28-2013 10:10 PM - edited 02-21-2020 07:07 PM
Guys, we have a remote Windows machine which will use L2TP over IPsec. I have successfully configured it, but I can't ping any network inside the ASA.
I have a few questions.
My internal network connected to my inside interface is 192.168.1.0/24 (IP is 192.168.1.200/24).
I have created a local pool for remote users: 192.168.1.1-192.168.1.2
Can I use it, as it's overlapping? My requirement is that when they connect they should be on the same LAN and can use the resources.
My config is as below (kindly see the NAT statement as well).
I can ping from the firewall to the client machine, but can't from the machine to the internal network.
ip local pool L2TP-Pool 192.168.1.1-192.168.1.10
ASA(config)# object network Internal-Subnet
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# object network L2TP-Subnet
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.224
nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup
ASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0
ASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
ASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
ASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
ASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
ASA(config)# crypto map L2TP-VPN-MAP interface outside
ASA(config)# crypto ikev1 enable outside
ASA(config)# crypto ikev1 policy 5
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config-ikev1-policy)# lifetime 86400
ASA(config-ikev1-policy)#
ASA(config)# group-policy L2TP-Policy internal
ASA(config)# group-policy L2TP-Policy attributes
ASA(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel-ACL
ASA(config-group-policy)# intercept-dhcp enable
ASA(config-group-policy)# username petenetlive password password123 mschap
ASA(config)# tunnel-group DefaultRAGroup general-attributes
ASA(config-tunnel-general)# address-pool L2TP-Pool
ASA(config-tunnel-general)# default-group-policy L2TP-Policy
ASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
ASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
ASA(config-ppp)# no authentication chap
ASA(config-ppp)# authentication ms-chap-v2
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 210.x.x.x.x
08-29-2013 12:54 AM
As long as the pool IPs are not being used anywhere, you can use a pool with the same range.
Are you able to ping the inside interface of the ASA?
Do a show run man and make sure the inside interface is your management interface.
Please let me know if you can ping your inside interface.
08-29-2013 01:40 AM
Correct the split tunnel ACL and check it out.
From
access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0
to
access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0
________________
Best regards,
MB
08-29-2013 02:12 AM
Sorry, that was a typo. The access list is 192.168.1.0/24; by mistake I have written 100. Can you see what the issue is? Thanks.
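Added example, not posted by anyone in this thread: a small Python sanity check over the three config lines the replies turn on (pool range, NAT-exemption object, split-tunnel ACL). The config excerpt and the inside subnet are constructed from the posts above, with the 192.168.100.0 typo left in place so the check shows why the client cannot reach the LAN.

```python
import ipaddress
import re

# Constructed excerpt of the poster's ASA config (split-tunnel line keeps
# the 192.168.100.0 typo that the poster later acknowledged).
ASA_CONFIG = """
ip local pool L2TP-Pool 192.168.1.1-192.168.1.10
object network L2TP-Subnet
 subnet 192.168.1.0 255.255.255.224
access-list Split-Tunnel-ACL standard permit 192.168.100.0 255.255.255.0
"""

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # poster's inside LAN


def parse_pool(cfg):
    """Return the address pool as (first, last) IPv4Address."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def parse_split_tunnel(cfg, acl="Split-Tunnel-ACL"):
    """Return the networks the standard ACL permits (the split-tunnel list)."""
    pat = rf"^access-list {acl} standard permit (\S+) (\S+)"
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(pat, cfg, re.M)]


def parse_object_subnet(cfg, name):
    """Return the subnet defined under 'object network <name>'."""
    m = re.search(rf"^object network {name}\n\s*subnet (\S+) (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")


def check_l2tp_config(cfg, inside=INSIDE_NET):
    """Run the three sanity checks the thread turns on; return a findings dict."""
    first, last = parse_pool(cfg)
    nat_obj = parse_object_subnet(cfg, "L2TP-Subnet")
    split = parse_split_tunnel(cfg)
    return {
        # Pool carved from the inside LAN: those addresses must stay free on the LAN.
        "pool_overlaps_inside": first in inside and last in inside,
        # NAT-exemption object must cover every pool address, or some clients get NATed.
        "nat_object_covers_pool": first in nat_obj and last in nat_obj,
        # Clients only route the LAN through the tunnel if the split-tunnel ACL permits it.
        "split_tunnel_covers_inside": any(inside.subnet_of(n) for n in split),
    }


if __name__ == "__main__":
    for name, ok in check_l2tp_config(ASA_CONFIG).items():
        print(f"{name}: {ok}")
```

Re-running the check with the ACL corrected to 192.168.1.0 255.255.255.0, as MB suggested, turns the last finding to True.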