04-08-2011 12:35 PM
I'm trying to setup a L2TP over IPSEC vpn connection on a PIX 501 that will use key sharing. In addition, I have a PPTP connection setup which allows connectivity. Two things, the L2TP vpn client I am using does not connect and times out. The second is that the PPTP client I use does connect, but cannot ping any resources on the network.
The config on the PIX is below:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password tdkuTUSh53d2MT6B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname attdslpix2
domain-name mycompany.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 172.26.5.192 255.255.255.248
access-list outside_access_in permit udp any any eq 4500
access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit icmp any any
access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0
access-list TLC_splitTunnelAcl permit ip 172.26.0.0 255.255.0.0 any
pager lines 24
logging on
logging standby
mtu outside 1500
mtu inside 1500
ip address outside 70.x.x.x 255.255.255.248
ip address inside 172.26.0.249 255.255.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-client-ip 172.26.5.195-172.26.5.199
ip local pool l2tp-client-ip 172.26.7.100-172.26.7.199
pdm location 172.26.5.192 255.255.255.248 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 70.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.26.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map l2tp 30 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 30 ipsec-isakmp dynamic l2tp
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup TLC address-pool pptp-client-ip
vpngroup TLC dns-server 172.26.0.250 172.26.0.251
vpngroup TLC split-tunnel splittunnel
vpngroup TLC idle-time 1800
vpngroup TLC password ********
telnet 172.26.0.0 255.255.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp-client-ip
vpdn group PPTP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication pap
vpdn group L2TP-VPDN-GROUP client configuration address local l2tp-client-ip
vpdn group L2TP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251
vpdn group L2TP-VPDN-GROUP client configuration wins 172.26.0.250 172.26.0.251
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn username user1 password *********
vpdn username user2 password *********
vpdn enable outside
vpdn enable inside
dhcpd address 172.26.5.100-172.26.5.130 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:007a9f1d72e4f1d3bb75c4e68525eb30
: end
[OK]
04-09-2011 07:01 PM
For the IP Pools, please configure subnet which is unique, ie: is not part of your internal subnet. Currently your internal subnet is 172.26.0.0/16, and the
IP Pool subnet is in the same major subnet as your internal subnet.
Please change it to other unique subnet, eg: 192.168.5.0/24 for example.
Once you change that accordingly, you would need to change the following 2 ACL too accordingly to the new pool subnet:
access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any 172.26.5.192 255.255.255.248
For example, if you change the pool to 192.168.5.0/24:
access-list splittunnel permit ip 172.26.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.26.0.0 255.255.0.0 192.168.5.0 255.255.255.0
PPTP user should be able to access the internal resources after the above changes.
For the L2TP over IPSec, please kindly advise where it's failing by running debugs (as we need to determine whether it's failing on IPSec Phase 1 (ISAKMP), or IPSec Phase 2 (IPSec) or L2TP since it's L2TP over IPsec, the IPSec tunnel needs to be up first before L2TP connection):
debug cry isa
debug cry ipsec
Also "show cry isa sa" and "show cry ipsec sa".
04-13-2011 09:56 AM
I am now using an ASA 5505 and not the PIX 501 for L2TP vpn client access. The ASA 5505 works fine. Thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide