Cisco PIX 515E L2TP over IPSec help ???

snuwan.es
Level 1

Hi friends... I'm stuck with an L2TP/IPSec VPN configuration. I have Googled for some days but wasn't able to find any helpful tips or get this working.

Below is my script, and when I try to log in, the following logs can be seen:

Logs:

%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443

1x4.4x.5.1x6 = VPN Client IP

Cisco Configuration:

FIRE1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FIRE1
domain-name company.local
enable password HlKVWtGMbhq33V/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.224
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
ospf cost 10
!
interface Ethernet2
description LAN/STATE Failover Interface
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xxx.xxx.xxx.28 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq ftp
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.10 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.14 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.15 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.16 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.18 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq https
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq smtp
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq pop3
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8081
access-list 110 extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.19 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.23 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.13 eq www
pager lines 24
logging console warnings
logging monitor warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.25-xxx.xxx.xxx.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.21 192.168.2.112 netmask 255.255.255.255
static (inside,inside) 192.168.220.0 192.168.220.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.220.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d69b3fced49e5a9b8e17df7c088bd7b2
: end
FIRE1(config)#
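The three log lines in the post are worth reading before touching the config: %PIX-3-710003 is logged when a TCP or UDP connection to one of the firewall's own interface services is refused, and an L2TP/IPsec client would be sending IKE (UDP/500), NAT-T (UDP/4500) and ESP to the outside address, not TCP/443. The config above permits the HTTP server only from the inside network (`http 192.168.2.0 255.255.255.0 inside`), so the denial itself is expected; what it shows is that whatever the client sent in those lines was not L2TP/IPsec control traffic. The following triage helper is an added example and is not code from the thread or from Cisco. It parses 710003 lines in the shape shown above and classifies the denied flows from one client; the sample lines and addresses are constructed (RFC 5737 documentation ranges) because the post masks its real addresses.

```python
import re
from collections import Counter

# Message shape taken from the %PIX-3-710003 lines in the post above.
DENY_RE = re.compile(
    r"%PIX-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\S+?)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>\S+?)/(?P<dport>\d+)"
)

# What an L2TP/IPsec client legitimately sends to the firewall's own outside
# address: IKE on UDP/500 and NAT-T on UDP/4500. ESP (IP protocol 50) has no
# port and is never reported by 710003, which only covers TCP/UDP to the box.
EXPECTED_L2TP_IPSEC = {("UDP", 500), ("UDP", 4500)}

# Constructed sample lines (documentation addresses, not the poster's).
SAMPLE_LOGS = """\
%PIX-3-710003: TCP access denied by ACL from 192.0.2.10/51217 to outside:203.0.113.2/443
%PIX-3-710003: TCP access denied by ACL from 192.0.2.10/51217 to outside:203.0.113.2/443
%PIX-3-710003: TCP access denied by ACL from 192.0.2.10/51218 to outside:203.0.113.2/443
%PIX-3-710003: TCP access denied by ACL from 198.51.100.7/40021 to outside:203.0.113.2/23
some unrelated syslog line that must be ignored
"""


def parse_denies(text):
    """Return one dict per 710003 line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out


def triage_client(text, client_ip):
    """Count denied (proto, dport) pairs from one client and say whether any of
    them is L2TP/IPsec control traffic. Returns (counts, l2tp_seen, verdict)."""
    counts = Counter((d["proto"], d["dport"])
                     for d in parse_denies(text) if d["src"] == client_ip)
    l2tp_seen = any(k in EXPECTED_L2TP_IPSEC for k in counts)
    if not counts:
        verdict = "no denies from this client"
    elif l2tp_seen:
        verdict = "IKE/NAT-T from the client is being denied on the interface"
    else:
        ports = ", ".join(f"{p}/{d}" for p, d in sorted(counts))
        verdict = (f"denied flows ({ports}) are not L2TP/IPsec; "
                   "the client is connecting to a different interface service")
    return counts, l2tp_seen, verdict


if __name__ == "__main__":
    counts, seen, verdict = triage_client(SAMPLE_LOGS, "192.0.2.10")
    for (proto, port), n in sorted(counts.items()):
        print(f"{proto}/{port}: {n} denied")
    print(verdict)
```

Run it against a real syslog export with the client's address in place of 192.0.2.10; if the only denied flows are to TCP/443 or TCP/22, the L2TP/IPsec configuration was never exercised by those connections, and the client side deserves a look before the crypto map does.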

17 Replies

> group-policy group_policy_aa >> NOT WORKED>> "incomplete command"

bsns-asa5520-10(config)# group-policy SOME_NAME ?

configure mode commands/options:
  external  Enter this keyword to specify an external group policy
  internal  Enter this keyword to specify an internal group policy

For a new policy you need to define if it's internal or external. Internal is what you're looking for.

> tunnel-group DefaultRAGroup type ipsec-ra >> NOT WORKED

tunnel-group DefaultRAGroup <---- is already defined, why are you trying to define the type again?

> crypto isakmp enable >> NOT WORKED>> "incomplete command"


You have it already enabled! "crypto isakmp enable outside"

Please note that you will have to bind the default RA tunnel-group with whichever group-policy you configure.

Example:

bsns-asa5520-10(config)# tunnel-group SOME_OTHER_NAME general-attributes
bsns-asa5520-10(config-tunnel-general)# default-group-policy SOME_NAME
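The points raised in this reply (a new group-policy must be declared internal or external, the tunnel-group has to be bound to it with default-group-policy, and isakmp is enabled per interface) can be checked mechanically against a `show run`. The lint below is an added example, not code from the thread or from Cisco. It works over the L2TP/IPsec-relevant lines excerpted from the configuration in the first post, adds the L2TP/IPsec-specific requirement that the dynamic map offers a transform-set in transport mode, and then runs the same checks over a constructed variant with the two lines this reply is about removed. The tunnel-group name is an argument; the check names and the TOPLEVEL keyword list are this example's own.

```python
import re

# Lines that start a new top-level command in 'show run'. Sub-mode lines are not
# indented in the output, so a section's children run until the next of these.
TOPLEVEL = ("crypto ", "tunnel-group ", "group-policy ", "username ", "ip local pool ",
            "access-list ", "class-map ", "policy-map ", "service-policy ", "!", ":")

# Excerpt of the L2TP/IPsec-relevant lines from the configuration in the first post.
CONFIG_EXCERPT = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES-MD5 mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
"""

# Constructed variant that omits the two lines the reply above is about.
BROKEN_EXCERPT = (CONFIG_EXCERPT
                  .replace("group-policy DefaultRAGroup internal\n", "")
                  .replace("default-group-policy DefaultRAGroup\n", ""))


def sections(config):
    """Map each top-level line to the list of sub-mode lines that follow it."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(TOPLEVEL):
            current = line
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line)
    return out


def first(lines, prefix):
    """First sub-mode line starting with prefix, or None."""
    return next((l for l in lines if l.startswith(prefix)), None)


def lint_l2tp_ipsec(config, tunnel_group="DefaultRAGroup"):
    """Return [(check, passed, detail)] for an L2TP/IPsec remote-access tunnel-group."""
    s = sections(config)
    keys, findings = list(s), []

    def check(name, ok, detail):
        findings.append((name, bool(ok), detail))

    ifaces = [k.split()[-1] for k in keys if k.startswith("crypto isakmp enable ")]
    check("isakmp enabled on an interface", ifaces, ", ".join(ifaces) or "missing")
    bound = [k for k in keys if re.match(r"crypto map \S+ interface \S+$", k)
             and k.split()[-1] in ifaces]
    check("crypto map bound to the isakmp interface", bound, bound[0] if bound else "missing")

    # The Windows L2TP/IPsec client negotiates transport mode, so at least one
    # transform-set offered by the dynamic map must be 'mode transport'.
    offered = []
    for k in keys:
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", k)
        if m:
            offered += m.group(1).split()
    transport = [n for n in offered if f"crypto ipsec transform-set {n} mode transport" in s]
    check("a transport-mode transform-set is offered", transport, ", ".join(transport) or "none")

    gen = s.get(f"tunnel-group {tunnel_group} general-attributes", [])
    gp_line = first(gen, "default-group-policy ")
    gp = gp_line.split()[1] if gp_line else None
    check("tunnel-group has default-group-policy", gp, gp or "missing")

    declared = [k for k in (f"group-policy {gp} internal", f"group-policy {gp} external") if k in s]
    check("group-policy declared internal or external", declared, declared[0] if declared else "missing")
    proto = first(s.get(f"group-policy {gp} attributes", []), "vpn-tunnel-protocol ") or ""
    check("vpn-tunnel-protocol includes l2tp-ipsec", "l2tp-ipsec" in proto.split(), proto or "missing")

    pool_line = first(gen, "address-pool ")
    pool = pool_line.split()[1] if pool_line else None
    pool_ok = pool and any(k.startswith(f"ip local pool {pool} ") for k in keys)
    check("address-pool refers to an ip local pool", pool_ok, pool or "missing")

    ipsec = s.get(f"tunnel-group {tunnel_group} ipsec-attributes", [])
    psk = first(ipsec, "pre-shared-key")
    check("pre-shared-key set on the tunnel-group", psk, "present" if psk else "missing")
    return findings


def failed(findings):
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in findings if not ok]


if __name__ == "__main__":
    for label, cfg in (("post config", CONFIG_EXCERPT), ("broken variant", BROKEN_EXCERPT)):
        print(label)
        for name, ok, detail in lint_l2tp_ipsec(cfg):
            print(f"  [{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

On the excerpt from the post every check passes, which is consistent with the log lines showing no L2TP/IPsec traffic being refused; the broken variant fails the binding and declaration checks, and, because there is then no group-policy to inspect, the vpn-tunnel-protocol check as well. The parser relies on `show run` placing sub-mode lines directly after their parent, so feed it the running configuration, not a hand-reordered snippet.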

> group-policy group_policy_aa >> NOT WORKED>> "incomplete command"
>
> bsns-asa5520-10(config)# group-policy SOME_NAME ?

YES

I really appreciate your great help with this. I would be honestly thankful if you could post the entire corrected set of L2TP commands for the VPN, then I can easily identify what is wrong here and what is right…

Again thanks a lot !

Mate, I don't have a configuration on any lab device, nor do I have the time to do so.

There are probably hundreds of configuration examples like this one:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#configuringthemicrosoftserverwithias

The only difference is that you will need to adapt it to your setup - for example not using RADIUS for authentication, adjusting it to use SHA instead of MD5, and minor changes in tunnel-group types.

If in doubt please refer to command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/cmd_ref.html

Marcin