I wanted to set up an incoming IKEv1/IPsec/L2TP VPN on my Cisco ASA that gives clients access to both the local LAN and the internet connection the ASA itself uses. So when a client connects to the VPN, they can reach the local LAN as well as the internet link that sits off the ASA's outside interface.
To set this up we need something like the following, all entered from enable mode in configuration mode.
- Define your VPN pool of addresses, e.g.:
ip local pool VPNUsers 192.168.20.1-192.168.20.30 mask 255.255.255.224
- Relax the security rules between the interfaces a bit, so that traffic is allowed to enter and leave the same interface (hairpinning):
same-security-traffic permit intra-interface
- Create a network object (here called VPN) for the pool subnet, then NAT it from outside to outside using the interface address; this is what lets traffic from the VPN reach the internet through the ASA's ISP connection on outside:
object network VPN
 subnet 192.168.20.0 255.255.255.224
 nat (outside,outside) dynamic interface
- Add an identity NAT rule from outside to inside so that VPN client traffic "hairpinning" in on the outside interface is not translated on its way to the local LAN, giving clients access to local LAN resources as well as the internet:
nat (outside,inside) source static VPN VPN
- Create a VPN clients out ACL that permits the VPN client subnet to reach any IP address beyond the VPN (in our case the local LANs or the internet):
access-list VPN_CLIENTS_OUT extended permit ip object VPN any
- Modify the attributes of the group policy attached to your tunnel. In my scenario below, VPN clients use the Cloudflare DNS, the ACL above is applied as the VPN filter, IKEv1 and L2TP/IPsec are the allowed tunnel protocols, all traffic is tunnelled with no split tunnelling permitted on the client, and client addresses are assigned from our VPNUsers pool:
group-policy yourtunnel attributes
 dns-server value 1.1.1.1
 vpn-filter value VPN_CLIENTS_OUT
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelall
 address-pools value VPNUsers
- Once the above is in place, the VPN clients have access to the local LAN and to the internet connected to the ASA. This configuration does not cover the complete VPN tunnel setup; it is additional configuration and assumes you already have a working tunnel.
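As an added example that is not part of the original post, here is a small Python check that parses the snippet above and confirms the pieces reference each other: the ACL named by vpn-filter exists and its source object covers the whole address pool (otherwise neither the filter nor the NAT rules match client traffic), and the policy is tunnelall. The names are the post's; the parsing is my own and only understands the commands shown.

```python
import ipaddress
# Constructed sample: the post's configuration, one command per line.
ASA_CONFIG = """\
ip local pool VPNUsers 192.168.20.1-192.168.20.30 mask 255.255.255.224
same-security-traffic permit intra-interface
object network VPN
 subnet 192.168.20.0 255.255.255.224
 nat (outside,outside) dynamic interface
nat (outside,inside) source static VPN VPN
access-list VPN_CLIENTS_OUT extended permit ip object VPN any
group-policy yourtunnel attributes
 dns-server value 1.1.1.1
 vpn-filter value VPN_CLIENTS_OUT
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelall
 address-pools value VPNUsers
"""
def parse(config):
    """Collect pools, object subnets, each ACL's source object and policy values."""
    pools, objects, acls, policy, ctx = {}, {}, {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if line[0] == " " and ctx and ctx[0] == "object" and w[0] == "subnet":
            objects[ctx[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif line[0] == " " and ctx and ctx[0] == "policy":
            policy[w[0]] = w[-1]            # e.g. split-tunnel-policy -> tunnelall
        elif w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = tuple(ipaddress.ip_address(a) for a in w[4].split("-"))
        elif w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif w[0] == "group-policy":
            ctx = ("policy", w[1])
        elif w[0] == "access-list":         # remember the source object of each ACL
            acls[w[1]] = w[w.index("object") + 1] if "object" in w else None
    return pools, objects, acls, policy

def check(config):
    """Return findings; an empty list means the pieces reference each other correctly."""
    pools, objects, acls, policy = parse(config)
    findings = []
    subnet = objects.get(acls.get(policy.get("vpn-filter")))
    pool = pools.get(policy.get("address-pools"))
    if subnet is None or pool is None:
        findings.append("vpn-filter ACL source object or address pool is not defined")
    elif not (pool[0] in subnet and pool[1] in subnet):
        findings.append("pool lies outside the ACL source object: filter and NAT will not match clients")
    if policy.get("split-tunnel-policy") != "tunnelall":
        findings.append("not tunnelall: client internet traffic bypasses the ASA")
    return findings
```

Running check(ASA_CONFIG) on the post's snippet returns an empty list; change the pool to a different /27 or drop the ACL and it reports the mismatch.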
This took me some time to get working, so I wanted to put some of my research on my blog in case anyone wishes to do the same. Feedback welcome 🙂
This worked perfectly!!
Thank you for your work and the post, much appreciated
Thank you very much… worked like a charm.
So with the above configuration what are the required settings on the client’s VPN software?
Should the *AllowLocalLanAccess be true or false or is it irrelevant?
The Cisco definitions are far from clear in document ID:70847
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html