Cisco ASA 5505 L2TP VPN


I have a problem with my Cisco ASA 5505 VPN configuration. I set up L2TP for Windows clients. I can connect to the VPN, but:



  1. When I have "Use default gateway on remote network" enabled on the NIC, I have access to all resources in the network but I don't have Internet access (can't open websites, etc.).


  2. When I have "Use default gateway on remote network" disabled on the NIC, I don't have access to resources in the network but I have Internet access.


My config file is a little messy: I tried to use ASDM and tried to configure Cisco AnyConnect, but those lines in the config aren't important and don't work. My VPN subnet is 192.168.20.0 and I need only L2TP for Windows. If someone wants to help, here is my config:



: Saved
ASA Version 9.1(2)
!
hostname ciscoasa
enable password xxx encrypted
names
ip local pool poolVPN 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.26 255.255.255.248
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network branch1
subnet 192.168.2.0 255.255.255.0
object network branch2
subnet 192.168.1.0 255.255.255.0
object network branch3
subnet 192.168.3.0 255.255.255.0
object network branch4
subnet 192.168.4.0 255.255.255.0
object network branch5
subnet 192.168.5.0 255.255.255.0
object network central
subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
subnet 192.168.100.0 255.255.255.0
object network camera-monitoring-ip
host xxx.xxx.xxx.27
object network cameras
host 192.168.100.1
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
access-list oudside_acl extended permit tcp any object cameras eq www
access-list outside_acl extended permit tcp any object cameras eq www
access-list dmz_int extended permit tcp host 192.168.100.1 eq www any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
!
object network branch1
nat (inside,outside) dynamic interface
object network branch2
nat (inside,outside) dynamic interface
object network branch3
nat (inside,outside) dynamic interface
object network branch4
nat (inside,outside) dynamic interface
object network branch5
nat (inside,outside) dynamic interface
object network central
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network cameras
nat (dmz,outside) static cameras-monitoring-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_int in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 1
route inside 192.168.1.0 255.255.255.0 192.168.0.170 1
route inside 192.168.2.0 255.255.255.0 192.168.0.170 1
route inside 192.168.3.0 255.255.255.0 192.168.0.170 1
route inside 192.168.4.0 255.255.255.0 192.168.0.170 1
route inside 192.168.5.0 255.255.255.0 192.168.0.170 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair xxxxx
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 9gfdrfss
fdfasfd vczvc
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPNanyconnect_client_profile disk0:/VPNanyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.201
dns-server value 192.168.0.201 xxx.xxx.xxx.244
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xxxxx
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
wins-server value 192.168.0.201
dns-server value 192.168.0.201 xxx.xxx.xxx.244
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xxxx.local
group-policy GroupPolicy_VPNanyconnect internal
group-policy GroupPolicy_VPNanyconnect attributes
wins-server value 192.168.0.201
dns-server value 192.168.0.201 xxx.xxx.xxx.244
vpn-tunnel-protocol ikev2
default-domain value xxx.local
webvpn


!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxx68c1xxx5dbef0baxxxf2378e540
: end
no asdm history enable



Thanks for the reply.



access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.201
dns-server value 192.168.0.201 xxx.xxx.xxx.244
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xxxxx


Yeah, I did split tunneling before as shown in the tutorial, but it doesn't work. I added the ACL and ACE and restarted the router. No idea what's wrong here...
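An added example for the problem described above; this is not code from the original post and not a Cisco-supplied snippet. The two symptoms are two halves of one issue. With "Use default gateway on remote network" checked, the client sends its Internet traffic into the tunnel, the ASA receives it on `outside`, and nothing in the posted config permits it to leave on the same interface or PATs the 192.168.20.0/27 pool to the outside address (option A below). With it unchecked, the native Windows client only routes the VPN's own /24 through the tunnel, and the posted split-tunnel ACL permits 192.168.20.0 (the VPN pool itself) rather than the networks behind the ASA, so nothing internal is routed into it (option B). The object-group name `INTERNAL_NETS` is an assumption; whether `intercept-dhcp` is honoured by a given Windows release is not something the post establishes, so the client-side route commands in the note after the block are the fallback.

```cisco
! Added example, not part of the original post. Written against the names
! used in the posted config: interfaces inside/outside/dmz, object
! NETWORK_OBJ_192.168.20.0_27 (covers pool 192.168.20.10-30), group-policy
! DefaultRAGroup. Apply option A or option B, not both.

! ---- Option A: full tunnel, Internet hairpinned through the ASA ----
! Client keeps "Use default gateway on remote network" checked. Traffic that
! enters and leaves on "outside" must be permitted, and the VPN pool PATed
! to the outside interface address on the way out.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic NETWORK_OBJ_192.168.20.0_27 interface
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall

! ---- Option B: split tunnel ----
! The split list must name the networks the client should reach THROUGH the
! tunnel, not the VPN pool. Rebuild the posted ACL with the real networks.
clear configure access-list DefaultRAGroup_splitTunnelAcl
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 ! The built-in Windows client does not consume the ASA split-tunnel
 ! attribute. intercept-dhcp hands the list to clients that send a DHCP
 ! INFORM over the tunnel; clients that do not need routes added locally.
 intercept-dhcp 255.255.255.0 enable

! ---- Either option: VPN pool <-> internal traffic must bypass NAT ----
! The posted "source static any any" identity rule achieves this but matches
! every source. Scope it to the internal networks (INTERNAL_NETS is an
! assumed name) and add the same exemption for the dmz, whose object NAT
! would otherwise PAT replies to VPN clients.
no nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
object-group network INTERNAL_NETS
 network-object object central
 network-object object branch1
 network-object object branch2
 network-object object branch3
 network-object object branch4
 network-object object branch5
nat (inside,outside) source static INTERNAL_NETS INTERNAL_NETS destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (dmz,outside) source static dmz-subnet dmz-subnet destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup

! ---- Crypto hygiene visible in the posted config (separate from routing) ----
! DES and "authentication crack" IKE policies are never needed for Windows
! L2TP/IPsec; the SSH key exchange can use DH group 14 on ASA 9.1.
no crypto ikev1 policy 130
no crypto ikev1 policy 140
no crypto ikev1 policy 150
no crypto ikev2 policy 40
ssh key-exchange group dh-group14-sha1
```

Checks: `packet-tracer input outside tcp 192.168.20.10 12345 8.8.8.8 80` should show the hairpin NAT rule and an ALLOW result under option A, and `show nat detail` should show hit counts climbing on the identity rules when a client reaches an inside host. On the Windows side, with option B and a Windows 8.1 / Server 2012 R2 or newer client, `Set-VpnConnection -Name <conn> -SplitTunneling $true` followed by one `Add-VpnConnectionRoute -ConnectionName <conn> -DestinationPrefix 192.168.0.0/24` per internal network adds the routes the ASA attribute cannot push. Option A keeps every client packet under the ASA's ACLs and logging at the cost of bandwidth; option B leaves the client simultaneously on its local LAN and the corporate network, which is the usual reason full tunnel is preferred for untrusted client locations.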










      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      timeout tcp-proxy-reassembly 0:01:00
      timeout floating-conn 0:00:00
      dynamic-access-policy-record DfltAccessPolicy
      user-identity default-domain LOCAL
      aaa authentication ssh console LOCAL
      http server enable
      http 192.168.1.0 255.255.255.0 management
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
      crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
      crypto ipsec ikev2 ipsec-proposal DES
      protocol esp encryption des
      protocol esp integrity sha-1 md5
      crypto ipsec ikev2 ipsec-proposal 3DES
      protocol esp encryption 3des
      protocol esp integrity sha-1 md5
      crypto ipsec ikev2 ipsec-proposal AES
      protocol esp encryption aes
      protocol esp integrity sha-1 md5
      crypto ipsec ikev2 ipsec-proposal AES192
      protocol esp encryption aes-192
      protocol esp integrity sha-1 md5
      crypto ipsec ikev2 ipsec-proposal AES256
      protocol esp encryption aes-256
      protocol esp integrity sha-1 md5
      crypto ipsec security-association pmtu-aging infinite
      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
      crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
      crypto map outside_map interface outside
      crypto ca trustpoint ASDM_TrustPoint0
      enrollment self
      subject-name CN=ciscoasa
      keypair xxxxx
      crl configure
      crypto ca trustpoint ASDM_TrustPoint1
      enrollment terminal
      subject-name CN=ciscoasa
      crl configure
      crypto ca trustpool policy
      crypto ca certificate chain ASDM_TrustPoint0
      certificate 9gfdrfss
      fdfasfd vczvc
      quit
      crypto ikev2 policy 1
      encryption aes-256
      integrity sha
      group 5 2
      prf sha
      lifetime seconds 86400
      crypto ikev2 policy 10
      encryption aes-192
      integrity sha
      group 5 2
      prf sha
      lifetime seconds 86400
      crypto ikev2 policy 20
      encryption aes
      integrity sha
      group 5 2
      prf sha
      lifetime seconds 86400
      crypto ikev2 policy 30
      encryption 3des
      integrity sha
      group 5 2
      prf sha
      lifetime seconds 86400
      crypto ikev2 policy 40
      encryption des
      integrity sha
      group 5 2
      prf sha
      lifetime seconds 86400
      crypto ikev2 enable outside client-services port 443
      crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
      crypto ikev1 enable outside
      crypto ikev1 policy 10
      authentication crack
      encryption aes-256
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 20
      authentication rsa-sig
      encryption aes-256
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 30
      authentication pre-share
      encryption aes-256
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 40
      authentication crack
      encryption aes-192
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 50
      authentication rsa-sig
      encryption aes-192
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 60
      authentication pre-share
      encryption aes-192
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 70
      authentication crack
      encryption aes
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 80
      authentication rsa-sig
      encryption aes
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 90
      authentication pre-share
      encryption aes
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 100
      authentication crack
      encryption 3des
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 110
      authentication rsa-sig
      encryption 3des
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 120
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 130
      authentication crack
      encryption des
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 140
      authentication rsa-sig
      encryption des
      hash sha
      group 2
      lifetime 86400
      crypto ikev1 policy 150
      authentication pre-share
      encryption des
      hash sha
      group 2
      lifetime 86400
      telnet timeout 5
      ssh 0.0.0.0 0.0.0.0 inside
      ssh timeout 5
      ssh version 2
      ssh key-exchange group dh-group1-sha1
      console timeout 0
      dhcpd address 192.168.1.2-192.168.1.254 management
      dhcpd enable management
      !
      threat-detection basic-threat
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      webvpn
      enable outside
      anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
      anyconnect profiles VPNanyconnect_client_profile disk0:/VPNanyconnect_client_profile.xml
      anyconnect enable
      tunnel-group-list enable
      group-policy DefaultRAGroup internal
      group-policy DefaultRAGroup attributes
      wins-server value 192.168.0.201
      dns-server value 192.168.0.201 xxx.xxx.xxx.244
      vpn-tunnel-protocol l2tp-ipsec
      split-tunnel-policy tunnelspecified
      split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
      default-domain value xxxxx
      group-policy DefaultRAGroup_1 internal
      group-policy DefaultRAGroup_1 attributes
      wins-server value 192.168.0.201
      dns-server value 192.168.0.201 xxx.xxx.xxx.244
      vpn-tunnel-protocol l2tp-ipsec
      split-tunnel-policy tunnelspecified
      split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
      default-domain value xxxx.local
      group-policy GroupPolicy_VPNanyconnect internal
      group-policy GroupPolicy_VPNanyconnect attributes
      wins-server value 192.168.0.201
      dns-server value 192.168.0.201 xxx.xxx.xxx.244
      vpn-tunnel-protocol ikev2
      default-domain value xxx.local
      webvpn


      !
      class-map icmp-class
      match default-inspection-traffic
      class-map inspection_default
      match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
      message-length maximum client auto
      message-length maximum 512
      policy-map icmp_policy
      class icmp-class
      inspect icmp
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      !
      service-policy global_policy global
      service-policy icmp_policy interface outside
      prompt hostname context
      no call-home reporting anonymous
      Cryptochecksum:xxx68c1xxx5dbef0baxxxf2378e540
      : end
      no asdm history enable



      Thanks for reply.



      access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
      group-policy DefaultRAGroup internal
      group-policy DefaultRAGroup attributes
      wins-server value 192.168.0.201
      dns-server value 192.168.0.201 xxx.xxx.xxx.244
      vpn-tunnel-protocol l2tp-ipsec
      split-tunnel-policy tunnelspecified
      split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
      default-domain value xxxxx


      Yeah, I did split tunneling before as shown in the tutorial, but it doesn't work. I added the ACL and ACE and restarted the router. No idea what's wrong here...










      cisco cisco-asa l2tp






      edited Nov 21 '14 at 18:00









      Michael Hampton

      asked Nov 20 '14 at 16:01









      begginer

          1 Answer
          That's because you didn't configure the Split Tunnel.



          Basically, when you enable "use default gateway on remote network", as soon as you connect to the VPN your default gateway becomes the VPN endpoint and all traffic transits towards that gateway.



          When it's not enabled, you are simply missing the routes to reach whatever is beyond the VPN tunnel and still use your own default gateway for everything else.






                answered Nov 20 '14 at 16:06









Alex
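The client-side half of what the answer describes, as an added example that is not part of the original question or answer and not Cisco's or Microsoft's documentation: on a Windows client using the built-in L2TP/IPsec client, clearing "Use default gateway on remote network" corresponds to `-SplitTunneling $true`, and the routes to the networks behind the ASA then have to be added explicitly. The connection name `ASA-L2TP`, the ASA address `vpn.example.com` and the remote subnet `192.168.10.0/24` are assumed placeholder values.

```powershell
# Added example (not from the original post). Assumed values: connection name,
# ASA public address and the inside subnet reachable through the tunnel.
$Name   = "ASA-L2TP"
$Server = "vpn.example.com"     # placeholder for the ASA outside address
$Remote = "192.168.10.0/24"     # subnet behind the ASA that must use the tunnel

# Create the L2TP/IPsec connection if it does not exist yet (pre-shared key assumed).
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -L2tpPsk (Read-Host "Pre-shared key") -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -RememberCredential -Force
}

# SplitTunneling $true is the cmdlet equivalent of clearing
# "Use default gateway on remote network": the client keeps its own default route.
Set-VpnConnection -Name $Name -SplitTunneling $true

# With split tunnelling, nothing reaches the remote subnet until a route exists for it.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Remote

# Show the stored settings so the split-tunnel flag and route can be checked before dialing.
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, SplitTunneling,
        @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }

# After connecting (rasdial $Name, or the network flyout), confirm the route is
# installed on the VPN interface and not on the physical adapter:
#   Get-NetRoute -DestinationPrefix $Remote | Format-Table InterfaceAlias, NextHop, RouteMetric
```

Which mode to pick is a policy choice, not just a routing one: with split tunnelling the client's internet traffic leaves through its local gateway and is never seen by the ASA, so if the environment requires all remote traffic to be inspected centrally, keep "Use default gateway on remote network" enabled and solve the reachability problem on the ASA side instead.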
