09-24-2010 12:16 AM - edited 02-21-2020 04:52 PM
Hi friends... I'm stuck with L2TP IPSec VPN configuration. I have Googled for some days but wasn't able to get any helpful tips or get this working.
Below is my script, and when I try to log in, the logs below can be found;
Logs:
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
1x4.4x.5.1x6 = VPN Client IP
Cisco Configuration:
FIRE1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FIRE1
domain-name company.local
enable password HlKVWtGMbhq33V/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.224
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
ospf cost 10
!
interface Ethernet2
description LAN/STATE Failover Interface
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xxx.xxx.xxx.28 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq ftp
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.10 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.14 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.15 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.16 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.18 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq https
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq smtp
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq pop3
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8081
access-list 110 extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.19 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.23 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.13 eq www
pager lines 24
logging console warnings
logging monitor warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.25-xxx.xxx.xxx.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.21 192.168.2.112 netmask 255.255.255.255
static (inside,inside) 192.168.220.0 192.168.220.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.220.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d69b3fced49e5a9b8e17df7c088bd7b2
: end
FIRE1(config)#
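The %PIX-3-710003 messages above are logged for connections addressed to the firewall's own interface address, and this config only permits the ASDM http server from the inside network, so TCP/443 from an outside client is denied. The added Python below (not part of the thread) parses such lines and separates the UDP ports an L2TP/IPsec client actually needs (500, 4500, 1701) from everything else; the fourth UDP/500 sample line is constructed.

```python
"""Classify PIX %PIX-3-710003 'access denied by ACL' lines by whether the denied
flow is part of L2TP/IPsec. Added example, not from the thread."""
import re
from collections import Counter

# 710003 is logged for connections addressed to the firewall's own interface
# address (to-the-box traffic), not for traffic passing through the firewall.
LOG_RE = re.compile(
    r"%PIX-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>\S+)/(?P<dport>\d+)")

# UDP ports an L2TP/IPsec client must reach on the firewall. ESP itself is IP
# protocol 50, so it never shows up in a TCP/UDP 710003 message.
L2TP_IPSEC_UDP_PORTS = {500: "ISAKMP", 4500: "IPsec NAT-T", 1701: "L2TP"}

# Constructed sample: the three masked lines from the post plus one invented
# UDP/500 denial (198.51.100.7 is a documentation address) for contrast.
SAMPLE_LOGS = """\
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: UDP access denied by ACL from 198.51.100.7/500 to outside:xxx.xxx.xxx.2/500
"""

def classify(line):
    """Return None for lines that are not 710003, else a dict describing the denial."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, dport = m["proto"], int(m["dport"])
    if proto == "UDP" and dport in L2TP_IPSEC_UDP_PORTS:
        verdict = f"L2TP/IPsec ({L2TP_IPSEC_UDP_PORTS[dport]}) denied to the box"
    elif proto == "TCP" and dport == 443:
        # Matches the thread: 'http' is only permitted from inside, so outside
        # hosts hitting the management HTTPS port are denied. Not a VPN problem.
        verdict = "HTTPS to the firewall's own management port, unrelated to L2TP"
    else:
        verdict = "other to-the-box traffic, unrelated to L2TP"
    return {"src": m["src"], "ifc": m["ifc"], "proto": proto, "dport": dport,
            "l2tp_related": verdict.startswith("L2TP"), "verdict": verdict}

def summarize(text):
    """Count verdicts over a log excerpt so the L2TP-relevant lines stand out."""
    return Counter(r["verdict"] for r in map(classify, text.splitlines()) if r)
```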
09-24-2010 12:51 AM
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html#wp1074591
This has worked for me in the past.
Where are you trying to connect from, i.e. what is the client? Please note that everything over XP might not support MD5, and you're missing authentication methods.
HTH,
Marcin
09-24-2010 01:16 AM
Should the above link work for PIX 515E with PIX Version 8.0(4) as well?
Thanks!
09-24-2010 01:23 AM
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
PIX 8.0 and ASA 8.0 code should both have the same capabilities ;-)
If you don't trust me, Google for the configuration guide for PIX.
Marcin
09-24-2010 01:25 AM
Thanks a lot Marcin, I'll post the results within the next hour!
09-24-2010 01:40 AM
You still didn't share which client you're using, and if others might be working OK.
Has this setup ever worked?
Marcin
09-24-2010 01:42 AM
Nope, this is the initial deployment; they want to use this for the Windows VPN client and they expect to connect using Windows XP/Windows 7 etc...
09-24-2010 01:46 AM
Cool,
if you see an error when connecting, I would first of all make a screenshot, and debug:
deb cry isa 100
deb crypto ipsec 100
on the PIX.
Marcin
09-24-2010 02:48 AM
That example is on authenticating on a RADIUS server?? I need to do it with local users, please advise, and thanks
"aaa-server sales_server protocol radius"
09-24-2010 03:06 AM
Just set local authentication (default) ;-)
I believe you have your user properly added before ...
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046114
"username cisco password cisco mschap"
09-24-2010 03:40 AM
Hi.. now I'm confused with different articles....
Can you please grab me only the necessary commands for L2TP over IPSec?? I tried but I think it's duplicated at last....
I need to authenticate local users; initially please add a user "testing", and Windows XP and Windows 7 clients should be able to log in.
Thanks a lot for your valuable time!
09-24-2010 04:38 AM
Mate,
Scratch all the things you've done up to now and start with this:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
If you need to add a user please do it based on how they did it here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046114 (Step 10.)
The commands are there and listed; your interaction needed will be to change the PSK and username and password, plus adding step 11.
Marcin
09-24-2010 04:53 AM
Cleaned up everything but I can't remove the below:
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
How do I remove them??
tnx!
However, below is what I put in newly; it gave me the same results which I posted initially... please help..
ip local pool aa_pool1 192.168.33.1-192.168.33.50 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool aa_pool1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key hEllo
username testing password password mschap
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
l2tp tunnel hello 100
group-policy aa_policy internal
group-policy aa_policy attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol ipsec l2tp-ipsec
tunnel-group aa_tunnel type remote-access
tunnel-group aa_tunnel general-attributes
address-pool aa_addresses
authentication-server-group none
accounting-server-group aa_server
default-group-policy aa_policy
09-24-2010 07:10 AM
It seems we're going in the right direction ;-)
The logs you pointed out initially are a user trying to access the HTTPS service on the ASA - nothing to do with L2TP.
I told you which debugs to get to confirm if the issue is with IPsec.
As stated in the docs - only the default tunnel-group should be used.
You can bind a group-policy to the default one as you did with your aa_tunnel tunnel-group.
Please go over the doc :-)
Marcin
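Marcin's remaining points (L2TP/IPsec clients only ever use DefaultRAGroup, and the address-pool a tunnel-group names must actually exist), together with his earlier remarks about MD5 and missing PPP authentication methods, can be checked mechanically. The added Python below is not from the thread or from Cisco; it lints an indentation-less config paste like the ones posted above, and its sample excerpt is constructed from the second posted config with 'hash md5' added to exercise that check.

```python
"""Lint a flat (indentation-lost) PIX/ASA L2TP-over-IPsec paste. Added helper, not a Cisco tool."""

# Constructed excerpt modelled on the second config posted in this thread.
SAMPLE_CONFIG = """\
ip local pool aa_pool1 192.168.3.1-192.168.3.50 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool aa_pool1
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto isakmp policy 10
hash md5
tunnel-group aa_tunnel general-attributes
address-pool aa_addresses
"""

# A line starting with one of these opens a new section; anything else is a
# sub-command of the section before it (the paste in the thread lost indents).
TOP_LEVEL = ("ip ", "tunnel-group ", "group-policy ", "crypto ", "username ", "l2tp ")

def parse_sections(text):
    """Group lines into (header, [sub-commands]) pairs."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith(TOP_LEVEL):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def lint_l2tp_config(text):
    """Return findings as strings; an empty list means the checks passed."""
    sections = parse_sections(text)
    findings = []
    pools = {h.split()[3] for h, _ in sections if h.startswith("ip local pool ")}
    for header, subs in sections:
        for sub in subs:  # every address-pool must name a defined pool
            if sub.startswith("address-pool ") and sub.split()[1] not in pools:
                findings.append(f"{header}: pool '{sub.split()[1]}' has no 'ip local pool'")
        if header == "tunnel-group DefaultRAGroup ppp-attributes" and "authentication ms-chap-v2" not in subs:
            findings.append("DefaultRAGroup ppp-attributes: Windows clients need 'authentication ms-chap-v2'")
        if header.startswith("crypto isakmp policy ") and "hash md5" in subs:
            findings.append(f"{header}: 'hash md5' may not be offered by clients newer than XP")
    # L2TP/IPsec clients always land on DefaultRAGroup; any other tunnel-group is unused.
    for name in sorted({h.split()[1] for h, _ in sections
                        if h.startswith("tunnel-group ") and h.split()[1] != "DefaultRAGroup"}):
        findings.append(f"tunnel-group {name}: not DefaultRAGroup, so L2TP/IPsec clients never reach it")
    return findings
```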
09-24-2010 11:56 PM
Hmm, the second time also failed; please help. Below are the new commands I have entered, but some are not accepted;
ip local pool aa_pool1 192.168.3.1-192.168.3.50 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool aa_pool1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key hEllo
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set set trans >> DID NOT WORK, BUT THIS WORKED >> crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
tunnel-group DefaultRAGroup type ipsec-ra >> DID NOT WORK
ERROR: % Invalid input detected at '^' marker. ('^' was below to the "type")
username testing password password mschap
username testing attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
group-policy group_policy_aa >> DID NOT WORK >> "incomplete command"
authentication-server-group LOCAL
l2tp tunnel hello 30
crypto isakmp enable >> DID NOT WORK >> "incomplete command"
crypto isakmp nat-traversal 30
group-policy group_policy_aa attributes
dns value 192.168.1.1
wins-server 192.168.1.1
access-list 110 extended permit ip any any