cisco asa 5505 LDAP authentication for L2TP vpn

Nikhil Patil
Level 1

Hi,

I have configured an L2TP VPN on my firewall, and I am accessing my LAN servers using the Windows VPN client.

Now I want to configure it with LDAP authentication, so please suggest how I should configure it (through ASDM/CLI)...

Result of the command: "show run"

ASA Version 8.2(5)
!
hostname ciscoasa
domain-name cisco.net
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
access-list outside_access_in extended permit gre any any
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
ip local pool vpn-pool 192.168.200.1-192.168.200.60 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns DC 172.16.0.2 interface inside
!
dhcpd dns cisco *.*.*.* interface outside
!
dhcprelay server 172.16.0.2 inside
dhcprelay server dc1-int inside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 dns-server value *.*.*.* *.*.*.*
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value spheregen.net
group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group sales-tunnel type remote-access
tunnel-group sales-tunnel general-attributes
 address-pool vpn-pool
tunnel-group sales-tunnel ppp-attributes
 authentication ms-chap-v2
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect pptp
policy-map inside-policy
 class Unblock
  inspect http
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
: end
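The LDAP part of the question is not answered in the thread, so here is an added example in ASA 8.2 CLI syntax (not code from the original post or from Cisco). It assumes the domain controller at 172.16.0.2, which the posted config already uses for DNS and DHCP relay, is also the LDAP server; that the base DN dc=cisco,dc=net matches the firewall's domain-name; and that a bind account cn=asa-bind,cn=Users,dc=cisco,dc=net exists. All three are assumptions to replace with your own values.

```cisco
! Added example, not from the original post. Assumed values: LDAP host 172.16.0.2,
! base DN dc=cisco,dc=net, bind account cn=asa-bind,cn=Users,dc=cisco,dc=net.
!
! 1. Define the LDAP server group. The bind account only needs read access to
!    locate the user object; the user's own credentials are then used for the
!    bind that actually authenticates them.
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 172.16.0.2
 ldap-base-dn dc=cisco,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=cisco,dc=net
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! 2. Point the L2TP/IPsec tunnel-group at the server group. Windows L2TP clients
!    using a pre-shared key always land on DefaultRAGroup, so this is where it
!    goes; the posted sales-tunnel group is never selected by those clients.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP_SRV
!
! 3. PPP authentication. The ASA validates a password against LDAP by binding as
!    the user, which needs the cleartext password, so PAP must be enabled for the
!    PPP phase (MS-CHAPv2 only works with RADIUS or the local database). The PPP
!    exchange runs inside the IPsec SA, so it is still encrypted on the wire.
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
!
! 4. Verify the server group from the CLI before touching the client
!    (username jdoe is assumed):
!   test aaa-server authentication LDAP_SRV host 172.16.0.2 username jdoe password <pw>
!   debug ldap 255
```

On the Windows client, the VPN connection's Security tab must have "Unencrypted password (PAP)" ticked, otherwise the PPP negotiation fails even though the IPsec SA comes up. Use `ldap-over-ssl enable` with port 636 rather than plain 389 so the bind-account password and the users' passwords are not sent in the clear between the ASA and the domain controller.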


4 Replies

Parminder Sian
Level 1

Hi,

I have configured the ASA 5505 with RADIUS authentication. I am also able to connect a remote PC (10.0.0.145) using the VPN, but I am not able to access the internet from the remote PC (10.0.0.145).

When I look at the remote PC's Ethernet properties it shows 0 packets sent and received. I am able to ping an internal LAN PC (10.0.0.1).

Please check the attachment....

Thanks,

Nikhil.

Hi Nikhil,

Try adding the command on the ASA and see if internet works when connected to VPN:

nat (outside) 1 192.168.50.0 255.255.255.0

same-security-traffic permit intra-interface

Regards,

Prapanch
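The two commands in the reply enable hairpinning: a VPN client's internet-bound traffic arrives on the outside interface through the tunnel and has to be sent back out of the same interface, translated to the outside address. The following is an added example in ASA 8.2 syntax (not code from the reply or from Cisco) that shows the complete set of statements involved and how to check they are being hit. It uses the vpn-pool from the posted config, 192.168.200.0/24; substitute the pool actually assigned to the clients (the reply uses 192.168.50.0/24).

```cisco
! Added example, not from the reply. Assumes the client pool is 192.168.200.0/24
! (the vpn-pool in the posted config); change it to match your pool.
!
! Allow a packet to leave through the interface it arrived on. The posted config
! only has inter-interface, which covers DMZ<->inside, not outside->outside.
same-security-traffic permit intra-interface
!
! PAT the decrypted client traffic to the outside interface address on its way
! back out. "global (outside) 1 interface" already exists in the posted config;
! this line adds the pool as a source for NAT group 1 when it enters on outside.
nat (outside) 1 192.168.200.0 255.255.255.0
!
! Make sure the pool is not matched by "nat (inside) 0 access-list
! inside_nat0_outbound": that exemption applies to inside-originated traffic and
! must not be extended to the client pool, or the hairpinned packets leave
! untranslated with a private source address.
!
! Verification while a client is connected and browsing:
!   show vpn-sessiondb remote                  ! assigned address of the client
!   show nat                                   ! translate_hits on the outside 1 rule
!   show xlate | include 192.168.200.          ! PAT entries for the client
```

If the outside 1 rule shows no translate_hits while the client is browsing, the traffic is not reaching the NAT stage at all: check that the Windows client has "Use default gateway on remote network" enabled so its default route actually points into the tunnel, and that the client address shown by `show vpn-sessiondb remote` falls inside the subnet named in the nat statement.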

Now it is working fine.
