VPN L2TP : remote users cannot access inside network
15 years 8 months ago #29901
by hanapurna
Hi everybody,
I am trying to configure an L2TP VPN for remote users to give them access to some resources in the internal network.
I am testing it in a "lab" which tries to reproduce a remote user connection:
vpn user---nat router---internet---nat router (asa)---inside network
The VPN remote user uses the built-in Windows XP client, but I also tested with the Cisco client.
I used the ASDM wizard to generate this script.
For now, the remote user can connect to the ASA but cannot reach inside hosts (tested with ping, http, smb).
Here is the script:
[code:1]: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XXXX encrypted
passwd XXXX encrypted
names
!
!--- Inside interface
interface Vlan1
nameif LAN
security-level 100
ip address 10.20.0.10 255.255.255.0
!
!--- Outside interface
interface Vlan12
nameif WAN
security-level 0
ip address 10.50.0.10 255.255.255.0
!
!--- DMZ interface, restricted by the ASA 5505 base licence (2 functional VLANs, 1 restricted)
interface Vlan22
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.40.0.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 22
!
interface Ethernet0/7
switchport access vlan 22
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
!--- No NAT between the inside subnet and the VPN remote users, and between inside and DMZ
access-list LAN_nat0_outbound extended permit ip any 10.20.0.120 255.255.255.252
access-list LAN_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 10.40.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu DMZ 1500
mtu LAN 1500
mtu WAN 1500
ip local pool VPN-IP 10.20.0.120-10.20.0.122 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!--- NAT overload (PAT) on the outside interface
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
!--- Default route to reach the Internet
route WAN 0.0.0.0 0.0.0.0 10.50.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!--- Crypto definition
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 10.20.0.77 255.255.255.255 LAN
ssh timeout 5
console timeout 0
dhcpd address 10.20.0.11-10.20.0.138 LAN
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.20.0.4
vpn-tunnel-protocol l2tp-ipsec
username hanapurna password XXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-IP
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e978b4e4af0cbe5de5b81ab6f
: end
asdm image disk0:/asdm-524.bin
no asdm history enable[/code:1]
About the IP pool for VPN users, several people say it's not recommended to have it in the inside subnet, which is not done here:
www.cisco.com/en/US/products/ps6120/prod...186a008060f25c.shtml
I tested it with a different subnet and it was the same.
But, if I use a different subnet, how can the appliance know how to route the traffic? Do I need a static route?
I read that configs made by the wizard are often bad. I also tried to set up my VPN with the CLI using two examples, the one in the previous link and this one:
www.cisco.com/en/US/products/hw/vpndevc/...186a00807213a7.shtml
Again, it was the same.
Do I need an ACL to allow traffic from inside to go to the VPN users? For now, I just have the default ACL. If that's the case, I don't see why, because the VPN users are supposed to be in the LAN, right?
I won't be surprised to have a problem with NAT. I understand that the VPN has to be configured on the outside interface, but the ASA seems to assign the IP addresses of the VPN pool on the outside interface, as shown in the log (nslookup request):
[code:1]Built inbound UDP connection 1178 for WAN:10.20.0.120/52142 (10.20.0.120/52142) to LAN:10.20.0.4/53 (10.20.0.4/53) (hanapurna)[/code:1]
I think it would run better if I could have LAN:10.20.0.120 instead of WAN:10.20.0.120. How can I do that? With NAT 0?
I also have some timeouts in the log when a remote user tries to access a web server in the LAN:
[code:1]Teardown TCP connection 693 for WAN:10.20.0.120/1043 to LAN:10.20.0.13/80 duration 0:00:30 bytes 0 SYN Timeout (hanapurna)[/code:1]
Thanks for your help
15 years 8 months ago #29956
by hanapurna
Replied by hanapurna on topic Re: VPN L2TP : remote users cannot access inside network
Ok, my problem is solved. I'm ashamed to tell you what was wrong ... The inside/LAN switch was not connected to the ASA ... :roll: But it's difficult to find that when you do it remotely.
However, I would like to answer my own questions, if it can help.
[quote]About the IP pool for VPN users, several people say it's not recommended to have it in the inside subnet, which is not done here:
www.cisco.com/en/US/products/ps6120/prod...186a008060f25c.shtml
I tested it with a different subnet and it was the same.
But, if I use a different subnet, how can the appliance know how to route the traffic? Do I need a static route?[/quote]
It works perfectly when you assign IP addresses to VPN users in the same subnet as inside. It also works with another subnet, without a static route.
[quote]I read that configs made by the wizard are often bad.[/quote]
I had no problem using the wizard; the generated config worked each time I used it. My version: ASA 7.2(4)/ASDM 5.2(4)
[quote]Do I need an ACL to allow traffic from inside to go to the VPN users?[/quote]
I didn't need any ACL.
[quote]I won't be surprised to have a problem with NAT.[/quote]
A NAT 0 rule is needed to translate traffic from inside to VPN users:
[code:1]access-list LAN_nat0_outbound extended permit ip any 10.20.0.120 255.255.255.252[/code:1]
A NAT 0 rule to access the DMZ from inside:
[code:1]access-list LAN_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 10.40.0.0 255.255.255.0[/code:1]
And optionally, a NAT 0 rule to allow VPN users to access the DMZ:
[code:1]access-list DMZ_nat0_outbound extended permit ip 10.40.0.0 255.255.255.0 10.20.0.120 255.255.255.252[/code:1]
NAT rules applied to interfaces:
[code:1]global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 10.169.7.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 10.4.0.0 255.255.255.0[/code:1]
The only thing I can't do for now is administer the ASA through the VPN on the inside interface.
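As an added sanity check for the NAT 0 exemption the reply describes (example code written for this page, not the poster's or Cisco's), the script below parses the `ip local pool`, `access-list ... extended permit ip` and `nat (IF) 0 access-list` lines of an ASA 7.2-style config and lists pool addresses that inside hosts would still reach through PAT because the NAT 0 ACL does not cover them. The embedded config excerpt is constructed from the thread; the interface name and inside subnet passed to the checker are assumptions.

```python
import ipaddress
import re

# Constructed sample: the thread's ASA 7.2(4) lines that decide whether inside->pool traffic is NAT-exempt.
ASA_CONFIG = """
ip local pool VPN-IP 10.20.0.120-10.20.0.122 mask 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 10.20.0.120 255.255.255.252
access-list LAN_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 10.40.0.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_network(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def pool_addresses(config):
    """Expand every 'ip local pool NAME A-B mask M' line into its individual addresses."""
    addrs = []
    for m in filter(None, map(POOL_RE.match, map(str.strip, config.splitlines()))):
        lo, hi = (int(ipaddress.ip_address(x)) for x in (m[2], m[3]))
        addrs += [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return addrs


def nat0_aces(config, interface):
    """(src, dst) pairs of the ACL bound by 'nat (<interface>) 0 access-list ...' (none if unbound)."""
    bound, aces = None, {}
    for line in map(str.strip, config.splitlines()):
        if (m := NAT0_RE.match(line)) and m[1] == interface:
            bound = m[2]
        elif m := ACE_RE.match(line):
            src, rest = parse_network(m[2].split())
            dst, _ = parse_network(rest)
            aces.setdefault(m[1], []).append((src, dst))
    return aces.get(bound, [])


def unexempted_pool_addresses(config, interface, inside_net):
    """Pool addresses that hosts on inside_net would still reach via PAT, i.e. a NAT 0 gap."""
    inside = ipaddress.ip_network(inside_net)
    aces = nat0_aces(config, interface)
    return [str(a) for a in pool_addresses(config)
            if not any(inside.overlaps(src) and a in dst for src, dst in aces)]
```

With the thread's pool (.120-.122) and the /30 exemption the list is empty; enlarging the pool past .123 without widening the ACL, or checking the DMZ interface that has no `nat (DMZ) 0` line, makes the gap visible.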