VPN Problems - Remote Access not working

So I'm having a problem with my Remote Access VPN.

So I have 2 Site to Site VPNs (AWS Ireland & AWS London); these are working perfectly.

I used to have a Remote Access VPN working when using the LOCAL users on the ASA. Now I have been trying to get it to use an AAA LDAP server, but in doing that somehow I have managed to completely break the Remote Access VPN, and no matter how much reading through the old config and checking stuff, I can't get it working again.

So I need to keep the 2 AWS VPNs up and working while also allowing Remote Access using L2TP/IPsec with a preshared key, and then the authentication uses the AAA Server Group called LDAP_SRV_GRP (this group has 1 server in it, 10.1.18.109) and this is tested as working.

My Config

UPDATED - I have the Remote Access VPN working again, just not using the AAA-Server (LDAP) "LDAP_SRV_GRP".


ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.255.0

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.101.0.1 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 109.239.111.4 255.255.255.248 
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server Y.Y.Y.Y
 name-server 1.1.1.1
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name beaconsoft.ltd
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside
 subnet 10.0.0.0 255.0.0.0
object network inside-subnet
 subnet 10.0.0.0 255.0.0.0
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
 subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
 subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.101.2.0_24
 subnet 10.101.2.0 255.255.255.0
object network inoffice
 subnet 10.101.1.0 255.255.255.0
object network outoffice
 subnet 10.101.2.0 255.255.255.0
object network 10.X.X.X
 range 10.2.0.0 10.2.255.255
object network ASA-network
 subnet 10.101.0.0 255.255.255.0
object network ASA
 host 10.101.0.1
 description Cisco ASA
object network ASAGatewayAddress
 host Y.Y.Y.Y
object network ASA_Network
 subnet 10.101.0.0 255.255.255.0
object network test
 host 10.101.0.1
object network OutOfOfficePool
 subnet 10.0.0.0 255.0.0.0
access-list outside_acl extended permit ip host 35.177.42.137 host 109.239.111.4 
access-list outside_acl extended permit ip host 52.56.51.249 host 109.239.111.4 
access-list outside_acl extended permit ip host 52.17.198.135 host 109.239.111.4 
access-list outside_acl extended permit ip host 54.72.63.159 host 109.239.111.4 
access-list outside_acl extended permit ip host 35.177.42.137 host Y.Y.Y.Y 
access-list outside_acl extended permit ip host 52.56.51.249 host Y.Y.Y.Y 
access-list outside_acl extended permit ip host 52.17.198.135 host Y.Y.Y.Y 
access-list outside_acl extended permit ip host 54.72.63.159 host Y.Y.Y.Y 
access-list acl-amzn-lon extended permit ip any4 10.1.0.0 255.255.0.0 
access-list IRELAND-135 extended permit ip host 52.17.198.135 host 109.239.111.4 
access-list IRELAND-135 extended permit ip host 52.17.198.135 host Y.Y.Y.Y 
access-list IRELAND-159 extended permit ip host 54.72.63.159 host 109.239.111.4 
access-list IRELAND-159 extended permit ip host 54.72.63.159 host Y.Y.Y.Y 
access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0 
access-list outside_access_in extended permit ip host 35.177.42.137 host 109.239.111.4 
access-list outside_access_in extended permit ip host 52.56.51.249 host 109.239.111.4 
access-list outside_access_in extended permit ip host 35.177.42.137 host Y.Y.Y.Y 
access-list outside_access_in extended permit ip host 52.56.51.249 host Y.Y.Y.Y 
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0 
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0 
access-list outside_cryptomap_2 extended permit ip any4 10.1.0.0 255.255.0.0 
access-list outside_cryptomap_3 extended permit ip any4 10.2.0.0 255.255.0.0 
access-list outside_cryptomap_1 extended permit ip any4 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.0.0 255.255.255.0 10.101.1.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.0.0 255.255.255.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.0.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.0.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.1.0 255.255.255.0 10.101.0.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.1.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.1.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.2.0 255.255.255.0 10.101.1.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.2.0 255.255.255.0 10.101.0.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.1.0.0 255.255.255.0 10.101.1.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.1.0.0 255.255.255.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.1.0.0 255.255.255.0 10.101.0.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list tcp_bypass extended permit ip 10.2.0.0 255.255.255.0 10.101.1.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.2.0.0 255.255.255.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.2.0.0 255.255.255.0 10.101.0.0 255.255.255.0 
access-list tcp_bypass extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit tcp 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.101.2.0 255.255.255.0 
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list inside_access_in extended permit ip any any 
access-list acl-outside extended permit icmp any any echo 
access-list acl-inside extended permit icmp any any echo 
access-list global_mpc extended permit ip any any 
access-list outside_access_in_1 extended permit ip 10.0.0.0 255.0.0.0 any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static ASAGatewayAddress ASA destination static obj-amzn-lon obj-amzn-lon
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 109.239.111.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map AttrMap1
  map-name  accessType IETF-Radius-Service-Type
  map-value accessType VPN 5
  map-value accessType admin 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host Y.Y.Y.Y
 ldap-base-dn cn=Users, dc=beaconsoft, dc=ltd
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator, cn=Users, dc=beaconsoft, dc=ltd
 server-type microsoft
 ldap-attribute-map AttrMap1
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 10.2.0.1 interface outside
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 5
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set 3des_sha esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set APPLE_CLIENT esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set APPLE_CLIENT mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS ESP-AES-128-MD5
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 1 match address outside_cryptomap_1
crypto map MAP_OUTSIDE 1 set pfs 
crypto map MAP_OUTSIDE 1 set peer 35.177.42.137 52.56.51.249 
crypto map MAP_OUTSIDE 1 set ikev1 transform-set transfrom-amzn
crypto map MAP_OUTSIDE 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MAP_OUTSIDE 1 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 1 set reverse-route
crypto map MAP_OUTSIDE 2 match address outside_cryptomap_3
crypto map MAP_OUTSIDE 2 set pfs 
crypto map MAP_OUTSIDE 2 set peer 52.17.198.135 54.72.63.159 
crypto map MAP_OUTSIDE 2 set ikev1 transform-set transform-ireland
crypto map MAP_OUTSIDE 2 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 2 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair OutOfOfficeKeyPair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=leeds.internal.beaconsoft.ltd,O=Beaconsoft Limited,C=UK
 keypair OutOfOfficeKeyPair
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 no validation-usage
 crl configure
crypto isakmp identity address 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 1000
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpn-sessiondb max-other-vpn-limit 10
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2

dhcpd dns Y.Y.Y.Y 8.8.8.8
dhcpd domain leeds.internal.beaconsoft.ltd
dhcpd auto_config outside
dhcpd option 3 ip 10.101.0.1 Y.Y.Y.Y
dhcpd option 6 ip 10.1.13.58 8.8.8.8
!
dhcpd address 10.101.1.1-10.101.1.254 inside
dhcpd dns Y.Y.Y.Y 8.8.8.8 interface inside
dhcpd wins Y.Y.Y.Y interface inside
dhcpd domain leeds.internal.beaconsoft.ltd interface inside
dhcpd option 3 ip 10.101.0.1 interface inside
dhcpd option 6 ip 10.1.13.58 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value Y.Y.Y.Y
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
 default-domain value leeds.internal.beaconsoft.ltd
group-policy DfltGrpPolicy attributes
 dns-server value Y.Y.Y.Y
 vpn-tunnel-protocol ikev1 ikev2 
 default-domain value beaconsoft.ltd
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
 wins-server value Y.Y.Y.Y
 dns-server value Y.Y.Y.Y 1.1.1.1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
 default-domain value beaconsoft.ltd
group-policy ireland-filter internal
group-policy ireland-filter attributes
 vpn-filter value ireland-filter
 vpn-tunnel-protocol ikev1 
group-policy filter1 internal
group-policy filter1 attributes
 vpn-filter value amzn-filter
 vpn-tunnel-protocol ikev1 ikev2 
group-policy filter internal
group-policy filter attributes
 vpn-filter value acl-amzn 
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive threshold 15 retry 2
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
 address-pool OutOfOfficePool
 default-group-policy OutOfOffice
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool OutOfOfficePool
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group 35.177.42.137 type ipsec-l2l
tunnel-group 35.177.42.137 general-attributes
 default-group-policy filter1
tunnel-group 35.177.42.137 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 52.56.51.249 type ipsec-l2l
tunnel-group 52.56.51.249 general-attributes
 default-group-policy filter1
tunnel-group 52.56.51.249 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
 address-pool OutOfOfficePool
 authentication-server-group LDAP_SRV_GRP LOCAL
 authentication-server-group (inside) LDAP_SRV_GRP LOCAL
 authorization-server-group (inside) LDAP_SRV_GRP
 default-group-policy OutOfOffice
 strip-realm
tunnel-group OutOfOffice webvpn-attributes
 nbns-server Y.Y.Y.Y timeout 2 retry 2
tunnel-group OutOfOffice ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate cert
tunnel-group OutOfOffice ppp-attributes
 authentication ms-chap-v2
tunnel-group 52.17.198.135 type ipsec-l2l
tunnel-group 52.17.198.135 general-attributes
 default-group-policy ireland-filter
tunnel-group 52.17.198.135 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 54.72.63.159 type ipsec-l2l
tunnel-group 54.72.63.159 general-attributes
 default-group-policy ireland-filter
tunnel-group 54.72.63.159 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside


1 Reply

Sorry for the reply, but this is a partial answer.

So going through https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.pdf

very carefully, I have the Remote Access VPN on OutOfOffice working, but I still don't have it working with the AAA Server (LDAP). I have updated the config in the post above.
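Added example (editor's, not code from the original post or from Cisco): a small checker for the tunnel-group / group-policy / aaa-server relationships that decide which server actually authenticates an L2TP/IPsec user. It parses the same indented CLI blocks a "show run" dump uses, so it can be run over a config like the one pasted above; the embedded input is a constructed excerpt modelled on the posted DefaultRAGroup and OutOfOffice blocks, not the full dump. Per tunnel-group it reports the effective group policy, the authentication server group (LOCAL when none is set) and the enabled PPP authentication protocols, and flags three things worth checking: an L2TP/IPsec client using a pre-shared key cannot pick a tunnel-group by name and lands in DefaultRAGroup; a tunnel-group with no authentication-server-group checks users against the LOCAL database; and an LDAP server group needs PAP, because the ASA binds to LDAP with the user's cleartext password, which MS-CHAPv2 never hands over. Function names are the example's own.

```python
"""Audit which AAA server an ASA will use for L2TP/IPsec clients.

Added example, not part of the original forum post. Works on the
indented block format of an ASA 'show running-config'.
"""
import re

# Constructed excerpt modelled on the posted config (not the full dump).
SAMPLE_CONFIG = """\
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.18.109
 ldap-naming-attribute sAMAccountName
 server-type microsoft
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool OutOfOfficePool
 default-group-policy OutOfOffice
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
 address-pool OutOfOfficePool
 authentication-server-group LDAP_SRV_GRP LOCAL
 authentication-server-group (inside) LDAP_SRV_GRP LOCAL
 default-group-policy OutOfOffice
tunnel-group OutOfOffice ppp-attributes
 authentication ms-chap-v2
"""

TG_HEADER = re.compile(
    r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes|"
    r"ppp-attributes|webvpn-attributes)")


def parse_blocks(config):
    """Map each column-0 header line to the list of its indented children."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def aaa_protocols(blocks):
    """aaa-server group name -> protocol keyword (ldap, radius, ...)."""
    found = {}
    for header in blocks:
        m = re.match(r"aaa-server (\S+) protocol (\S+)", header)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit_l2tp(config):
    """Return {tunnel-group: {group_policy, auth_servers, ppp, issues}}."""
    blocks = parse_blocks(config)
    protos = aaa_protocols(blocks)
    names = {m.group(1) for h in blocks if (m := TG_HEADER.match(h))}
    report = {}
    for tg in sorted(names):
        gen = blocks.get(f"tunnel-group {tg} general-attributes", [])
        ppp = blocks.get(f"tunnel-group {tg} ppp-attributes", [])
        # Tunnel-groups with no explicit policy inherit DfltGrpPolicy.
        policy = next((l.split()[-1] for l in gen
                       if l.startswith("default-group-policy ")), "DfltGrpPolicy")
        gp = blocks.get(f"group-policy {policy} attributes", [])
        tunnel_protos = next((l.split()[1:] for l in gp
                              if l.startswith("vpn-tunnel-protocol ")), [])
        # The server group may carry an (interface) qualifier; LOCAL is the default.
        auth_servers = ["LOCAL"]
        for l in gen:
            m = re.match(r"authentication-server-group (?:\(\S+\) )?(.+)", l)
            if m:
                auth_servers = m.group(1).split()
                break
        # 'no authentication chap' lines are negations, so skip them.
        ppp_enabled = [l.split()[1] for l in ppp if l.startswith("authentication ")]
        issues = []
        if "l2tp-ipsec" in tunnel_protos:
            if tg != "DefaultRAGroup":
                issues.append("L2TP/IPsec clients with a pre-shared key cannot "
                              "select a tunnel-group; they land in DefaultRAGroup")
            if auth_servers == ["LOCAL"]:
                issues.append("no authentication-server-group: users are "
                              "checked against the LOCAL database")
            if any(protos.get(s) == "ldap" for s in auth_servers) \
                    and "pap" not in ppp_enabled:
                issues.append("LDAP bind needs the cleartext password: "
                              "enable 'authentication pap' under ppp-attributes")
        report[tg] = {"group_policy": policy, "auth_servers": auth_servers,
                      "ppp": ppp_enabled, "issues": issues}
    return report


if __name__ == "__main__":
    for tg, info in audit_l2tp(SAMPLE_CONFIG).items():
        print(f"{tg}: policy={info['group_policy']} auth={info['auth_servers']} "
              f"ppp={info['ppp']}")
        for issue in info["issues"]:
            print(f"  - {issue}")
```

Run against the excerpt it reports that DefaultRAGroup, the group an L2TP/IPsec client actually hits, has no authentication-server-group and so still authenticates against LOCAL, while the LDAP_SRV_GRP binding sits on the OutOfOffice tunnel-group together with MS-CHAPv2 only. Pointing it at a full "show run" needs no changes beyond replacing SAMPLE_CONFIG; the regexes ignore every block they do not recognise.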
