
L2TP Passthru to a Windows Server

cladmonitor
Level 1

We have a Cisco ASA 5520

We are attempting to set up RRAS on Windows 2008 R2 using L2TP. The server is on the inside of the network at 10.10.10.20; our ASA is 10.10.10.1 and its outside interface is 68.0.0.3/28.

I set a static NAT rule to allow all traffic pointed at 68.0.0.4 to be directed to 10.10.10.20, and have ACLs allowing the following:

esp, ah, udp/500, udp/4500, udp/1701

Mac clients have no issues, but Windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame; if I attempt to connect to the LAN IP (10.10.10.20) from within the same network, everything works fine (making sure all the Windows issues are covered).

Any Ideas would be helpful!

PS. We have 2 other IPsec tunnels established to the ASA from our colo and a satellite office; not sure if this makes it any harder.

2 Replies

Hello Eric,

Is it possible for you to post the configuration?

Regards,

Harish.

Sorry, it has been a hectic week!

This is very sanitized,

:
ASA Version 8.2(1)
!
hostname firewall
domain-name domain.lan
names
name 68.0.0.2 Outside_WAN
name 10.10.10.20 LAN_sdutil1.domain.lan description L2TP VPN Host
name 68.0.0.3 Outside_VPN.domain.lan description Dedicated for L2TP Connectivity
dns-guard
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 1
 ip address Outside_WAN 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name domain.lan
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object ah
 service-object udp eq 1701
 service-object udp eq 4500
 service-object udp eq isakmp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host Outside_VPN.domain.lan
access-list pnat extended permit ip 10.10.10.0 255.255.255.0 host Outside_WAN
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.10.10.0 255.255.255.0
static (inside,outside) Outside_VPN.domain.lan LAN_sdutil1.domain.lan netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp enable management
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
group-policy DfltGrpPolicy attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:----
: end
asdm image disk0:/asdm-621.bin
asdm location Outside_WAN 255.255.255.255 inside
asdm location LAN_sdutil1.domain.lan 255.255.255.255 inside
no asdm history enable
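The port list in the first post and the sanitized config above describe the same static-NAT passthrough, so the following Python script is an added example that serves both; it is not code from the thread or from Cisco. It parses a constructed excerpt of the posted config (the thread's own sanitized names and addresses) and checks, the way a reviewer of this config would, that the public address statically mapped to the RRAS host is permitted on what a Windows L2TP/IPsec client using NAT-T actually needs (udp/500, udp/4500, ESP), and reports which permits are exposed without being needed (AH is not used by L2TP/IPsec, and udp/1701 travels inside the ESP tunnel). On ASA 8.2 the outside ACL is written against the mapped address, which is what the script matches on. `SAMPLE_CONFIG`, `parse_config`, `permitted_to`, `audit_passthrough`, `REQUIRED` and `NOT_NEEDED` are this example's own names; only the simple `permit <service> <src> <dst>` ACL form with `any`/`host` operands is handled.

```python
"""Audit an ASA 8.2-style running-config for an L2TP/IPsec static-NAT passthrough.

Added example (not code from the thread). Parses `name`, `object-group service`,
`access-list`, `access-group`, `static` and `inspect` lines and reports whether the
public address statically mapped to the RRAS host is permitted on what a Windows
L2TP/IPsec client using NAT-T needs (udp/500, udp/4500, esp), plus which extra
openings (ah, udp/1701) are exposed without being required.
"""
import re

# Constructed excerpt of the sanitized config posted in the thread.
SAMPLE_CONFIG = """\
name 68.0.0.2 Outside_WAN
name 10.10.10.20 LAN_sdutil1.domain.lan description L2TP VPN Host
name 68.0.0.3 Outside_VPN.domain.lan description Dedicated for L2TP Connectivity
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object ah
 service-object udp eq 1701
 service-object udp eq 4500
 service-object udp eq isakmp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host Outside_VPN.domain.lan
static (inside,outside) Outside_VPN.domain.lan LAN_sdutil1.domain.lan netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect pptp
"""

# Service keywords the ASA prints in place of port numbers.
PORT_NAMES = {"isakmp": 500, "l2tp": 1701}

# (protocol, port) an L2TP/IPsec client with NAT-T must reach on the mapped address.
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}
# Permitted in the posted ACL but not needed: L2TP/IPsec does not use AH, and
# udp/1701 is carried inside the ESP tunnel once the SA is up.
NOT_NEEDED = {("ah", None), ("udp", 1701)}


def parse_config(text):
    """Return (names, groups, statics, acls, access_groups, inspects)."""
    names, groups, statics, acls, access_groups, inspects = {}, {}, [], {}, {}, set()
    group = None  # object-group currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)            # symbolic name -> address
        elif m := re.match(r"object-group service (\S+)$", line):
            group = groups.setdefault(m.group(1), set())
            continue
        elif m := re.match(r"service-object (\S+)(?: eq (\S+))?$", line):
            proto, port = m.group(1), m.group(2)
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            group.add((proto, port))                  # None port = whole protocol
            continue
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+)", line):
            statics.append((m.group(1), m.group(2)))  # (mapped, real)
        elif m := re.match(r"access-list (\S+) extended permit (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            access_groups[m.group(2)] = m.group(1)    # interface -> ACL name
        elif m := re.match(r"inspect (\S+)", line):
            inspects.add(m.group(1))
        group = None  # any other line ends the object-group block
    return names, groups, statics, acls, access_groups, inspects


def permitted_to(names, groups, entries, target):
    """Set of (proto, port) the ACL entries permit from any source to `target`."""
    target_ip = names.get(target, target)
    allowed = set()
    for e in entries:
        if e[0] == "object-group":
            services, rest = groups[e[1]], e[2:]
        else:
            services, rest = {(e[0], None)}, e[1:]
        dst = rest[-1]  # "any" or the operand after the "host" keyword
        if dst == "any" or names.get(dst, dst) == target_ip:
            allowed |= services
    return allowed


def audit_passthrough(text, real_host):
    """Report the mapped address plus missing and unneeded permits for the RRAS host."""
    names, groups, statics, acls, access_groups, inspects = parse_config(text)
    real_ip = names.get(real_host, real_host)
    mapped = [m for m, r in statics if names.get(r, r) == real_ip]
    report = {"mapped": None, "missing": sorted(REQUIRED, key=str), "extra": [],
              # A one-to-one static needs no ipsec-pass-thru inspection; reported
              # only so the reader can see whether it is in play.
              "ipsec_pass_thru_inspect": "ipsec-pass-thru" in inspects}
    if not mapped:
        return report
    outside_acl = acls.get(access_groups.get("outside", ""), [])
    allowed = permitted_to(names, groups, outside_acl, mapped[0])
    report["mapped"] = names.get(mapped[0], mapped[0])
    report["missing"] = sorted(REQUIRED - allowed, key=str)
    report["extra"] = sorted(NOT_NEEDED & allowed, key=str)
    return report


if __name__ == "__main__":
    result = audit_passthrough(SAMPLE_CONFIG, "10.10.10.20")
    print("RRAS host mapped to:", result["mapped"])
    print("missing permits:", result["missing"] or "none")
    print("permitted but not needed:", result["extra"] or "none")
```

Run against the posted excerpt it reports nothing missing and flags AH and udp/1701 as permitted but unneeded; the object-group can be tightened to esp, udp/500 and udp/4500 without affecting L2TP/IPsec. Since the ASA side already permits everything NAT-T needs, the remaining check that separates the Windows clients from the Mac clients lies on the Windows side and is general Windows behaviour rather than a finding from this thread: Windows will not negotiate IPsec NAT-T to an L2TP server that sits behind NAT unless the DWORD AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent is set (value 2 covers both ends behind NAT), and the same value is required on a 2008 R2 RRAS server that is itself behind the NAT.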
