Tunnel Group Switching - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 28
Configuring L2TP over IPSec
Step 11  Configure the interval (in seconds) between hello messages using the l2tp tunnel hello command in
global configuration mode:

hostname(config)# l2tp tunnel hello seconds

Step 12  (Optional) If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPSec
connections to the security appliance, you must enable NAT traversal so that ESP packets can pass
through one or more NAT devices.

To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto
isakmp enable command) in global configuration mode and then use the crypto isakmp nat-traversal
command. For example:

hostname(config)# crypto isakmp enable
hostname(config)# crypto isakmp nat-traversal 30

Tunnel Group Switching

Tunnel Group Switching enables the security appliance to associate different users that are establishing
L2TP over IPSec connections with different tunnel groups. Since each tunnel group has its own AAA
server group and IP address pools, users can be authenticated through methods specific to their tunnel
group.
With this feature, instead of sending just a username, the user sends a username and a group name in the
format username@group_name, where "@" represents a delimiter that you can configure, and the group
name is the name of a tunnel group that has been configured on the security appliance.
To enable Tunnel Group Switching, you must enable Strip Group processing using the strip-group
command from tunnel-group general-attributes mode. When enabled, the security appliance selects the
tunnel group for user connections by obtaining the group name from the username presented by the VPN
client. The security appliance then sends only the user part of the username for authorization and
authentication. Otherwise (if disabled), the security appliance sends the entire username, including the
realm. In the following example, Strip Group processing is enabled for the tunnel-group telecommuters:

asa1(config)# tunnel-group telecommuters general-attributes
asa1(config-tunnel-general)# strip-group

Viewing L2TP over IPSec Connection Information

The show vpn-sessiondb command includes protocol filters that you can use to view detailed
information about L2TP over IPSec connections. The full command from global configuration mode is
show vpn-sessiondb detail remote filter protocol l2tpOverIpsec.

The following example shows the details of a single L2TP over IPSec connection:
hostname# show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

Session Type: Remote Detailed

Username     : b_smith                Index        : 1
Assigned IP  : 90.208.1.200           Public IP    : 70.208.1.212
Protocol     : L2TPOverIPSec          Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 418464                 Bytes Rx     : 424440
Client Type  :                        Client Ver   :
Group Policy : DfltGrpPolicy
Tunnel Group : DefaultRAGroup

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
28-5
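As an added example that is not part of the Cisco guide, the following Python script parses a two-column show vpn-sessiondb detail record like the one above and flags what an operator reviewing L2TP over IPSec sessions would want to see: legacy algorithms, and a session that landed in DefaultRAGroup instead of a group chosen by Tunnel Group Switching. The sample record is constructed from the page's example; the list of algorithms treated as weak and the decision to flag DefaultRAGroup are assumptions of this script.

```python
import re

# Constructed sample modelled on the page's show vpn-sessiondb example
# (two "Key : value" columns per line, as the ASA prints it).
SAMPLE = """\
Session Type: Remote Detailed

Username     : b_smith                Index        : 1
Assigned IP  : 90.208.1.200           Public IP    : 70.208.1.212
Protocol     : L2TPOverIPSec          Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 418464                 Bytes Rx     : 424440
Client Type  :                        Client Ver   :
Group Policy : DfltGrpPolicy
Tunnel Group : DefaultRAGroup
"""

def parse_session(text):
    """Flatten one detailed session record into a {field: value} dict.
    Columns are separated by runs of two or more spaces; a token that
    starts with ':' is the value belonging to the key token before it."""
    fields, key = {}, None
    for line in text.splitlines():
        for tok in re.split(r"\s{2,}", line.strip()):
            if not tok:
                continue
            if tok.startswith(":"):          # value for the preceding key
                if key is not None:
                    fields[key] = tok[1:].strip()
            elif ":" in tok:                 # "Key: value" with no column gap
                k, v = tok.split(":", 1)
                fields[k.strip()] = v.strip()
                key = None
            else:                            # bare key; its value follows
                key = tok
                fields[key] = ""
    return fields

# Assumption: algorithms a defender would want retired from the profile.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASHING = {"MD5"}

def audit_session(fields):
    """Return (field, value, reason) findings for one parsed session."""
    findings = []
    if fields.get("Encryption") in WEAK_ENCRYPTION:
        findings.append(("Encryption", fields["Encryption"], "deprecated cipher"))
    if fields.get("Hashing") in WEAK_HASHING:
        findings.append(("Hashing", fields["Hashing"], "deprecated hash"))
    if fields.get("Tunnel Group") == "DefaultRAGroup":   # no group switch matched
        findings.append(("Tunnel Group", "DefaultRAGroup", "default group used"))
    return findings

if __name__ == "__main__":
    for f in audit_session(parse_session(SAMPLE)):
        print("%s = %s: %s" % f)
```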
