Cisco | Microsoft VPN Client option.

Sometimes you need a back-up solution for the VPN, for example when a customer doesn't want to pay for AnyConnect licenses on a Cisco ASA. In this post, I describe how to configure L2TP over IPsec as that fallback.

Go to Wizards in the ASDM, select VPN Wizards and then IPsec (IKEv1) Remote Access VPN Wizard.

The wizard starts. It's possible you receive an error after this screen. In that case, lower the Priority value and click Next to continue.

Select the VPN Client Type "Microsoft Windows client using L2TP over IPsec". Select CHAP, MS-CHAP-V1 and MS-CHAP-V2. Click Next.

Choose a strong pre-shared key for your connection and click Next to continue.

Choose the authentication method. It is advisable to use an AAA Server Group for the VPN. That way you keep control over, and can easily manage, who is allowed to connect with the VPN client.

Create a VPN Client pool with a sufficient number of addresses. Click Next to continue the setup.

If you have an internal DNS server and domain name, enter them on this screen. Afterward, click Next to continue.

Select the internal interface and the subnet you want to exempt from NAT for the VPN traffic. Unselect Perfect Forward Secrecy (PFS). Enabling split tunnelling is optional; I've experienced that this doesn't work. Later in this post, I write about the firewall setup.

Check that your configuration is correct and click Finish to finalize the setup.

Go to Configuration, followed by NAT Rules. Click Add to add a new NAT rule.

Choose to add a "Network Object" NAT Rule.

Set up the NAT rule as follows. Give it a logical name and configure the IP range of the VPN Client pool. Under NAT, select Add Automatic Address Translation Rules, choose Dynamic PAT (Hide) and select the outside interface. Click Advanced for the following step.

Under Advanced, the source interface is outside and the destination interface is also outside. This is the configuration you need to make a u-turn (hairpin), so that the VPN client can reach Internet addresses through the ASA.
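For reference, this is the CLI equivalent of the PPP, pool, NAT exemption and hairpin NAT settings configured above. It is an added example, not output from the post's ASDM wizard; all names and addresses are placeholders, and it assumes the wizard has already created the IKEv1 policy, the transport-mode transform set and the dynamic crypto map.

```cisco
! Constructed example: CLI equivalent of the NAT and PPP settings from this post.
! Names, addresses and the AAA server group (RADIUS-SERVERS) are placeholders.

! VPN client pool (wizard step "Create a VPN Client pool")
ip local pool L2TP-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! PPP authentication: CHAP, MS-CHAP-V1 and MS-CHAP-V2 only, no PAP
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2

! Authenticate users against an AAA server group rather than the LOCAL database
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 authentication-server-group RADIUS-SERVERS

! NAT exemption: traffic between the inside subnet and the client pool
! must not be translated (wizard step "exempt from NAT")
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network L2TP-POOL-NET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static L2TP-POOL-NET L2TP-POOL-NET no-proxy-arp route-lookup

! Hairpin (u-turn) so clients without split tunnelling reach the Internet:
! dynamic PAT from outside back to outside, hidden behind the outside address
object network L2TP-POOL-NET
 nat (outside,outside) dynamic interface

! Required for any outside-to-outside hairpin; without it the ASA drops the traffic
same-security-traffic permit intra-interface
```

Verify the resulting translations with `show nat detail` and `show xlate` while a client is connected.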

After this setup, you can create the VPN connection on your Windows system. In Windows 10 you can use the default settings; as the VPN type, select L2TP/IPsec with pre-shared key.
