06-30-2011 07:36 AM
Hello
I am trying to set up an L2TP VPN server on my PIX to replace a PPTP server running on a router.
I've followed a few guides (although most seem to be for 6.3.x) and used what limited knowledge I have of VPN config on a PIX, but I'm still coming up against some issues.
I have the debug details which I'm hoping someone can use to point me in the right direction.
Jun 30 11:38:54 [IKEv1]: IP = 84.93.217.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ISA_KE payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing Cisco Unity VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing xauth V6 VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send IOS VID
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Can't find a valid tunnel group, aborting...!
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE MM Responder FSM error history (struct &0x42ed788) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE SA MM:87377a60 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, sending delete/delete with reason message
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Removing peer from peer table failed, no match!
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Error: Unable to remove PeerTblEntry
Here is my config:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA
crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
...
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
wins-server value 10.0.1.250
dns-server value 10.0.1.250
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value xxxx.co.uk
username xxxxxx password xxx nt-encrypted privilege 3
tunnel-group L2TP-VPN type ipsec-ra
tunnel-group L2TP-VPN general-attributes
address-pool (Inside) L2TP-Pool
authentication-server-group (Inside) LOCAL
default-group-policy VPN-Policy
tunnel-group L2TP-VPN ipsec-attributes
pre-shared-key *
tunnel-group L2TP-VPN ppp-attributes
authentication ms-chap-v2
Thanks in advance
Paul
06-30-2011 09:30 AM
Hi Paul,
In case of L2TP over IPSEC, you will not be able to connect to a specific tunnel-group. The connection will automatically fall on DefaultRAGroup.
So make sure that under DefaultRAGroup, vpn-tunnel-protocol l2tp-ipsec is enabled. Also please find the link below for reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#pix
I hope it helps.
Thanks,
Shilpa
06-30-2011 11:19 PM
Just to clarify, I'm not able to put any custom names in, both the tunnel-group and the group-policy need to be defaultRAGroup?
Is the rest of the config in the custom groups ok if I just move it to the default ones?
07-01-2011 01:30 AM
This is the revised config. I haven't removed the old group yet. I have noticed I can't get tunnel-group DefaultRAGroup type ipsec-ra into the config as it says it's not a valid command (yet it's in the config for the other group).
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.0.1.250
dns-server value 10.0.1.250
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value hughesadp.co.uk
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
wins-server value 10.0.1.250
dns-server value 10.0.1.250
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value xxxx.co.uk
username xxxx password xxxx== nt-encrypted privilege 3
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) L2TP-Pool
authentication-server-group (Inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group L2TP-VPN type ipsec-ra
tunnel-group L2TP-VPN general-attributes
address-pool (Inside) L2TP-Pool
authentication-server-group (Inside) LOCAL
default-group-policy VPN-Policy
tunnel-group L2TP-VPN ipsec-attributes
pre-shared-key *
tunnel-group L2TP-VPN ppp-attributes
authentication ms-chap-v2
In the log now I get
Jul 01 2011 06:09:27: %PIX-4-713903: Group = DefaultRAGroup, IP =
Jul 01 2011 06:09:27: %PIX-5-713119: Group = DefaultRAGroup, IP =
Jul 01 2011 06:09:28: %PIX-3-713902: Group = DefaultRAGroup, IP =
Jul 01 2011 06:09:28: %PIX-3-713902: Group = DefaultRAGroup, IP =
Jul 01 2011 06:09:28: %PIX-4-113019: Group = DefaultRAGroup, Username = , IP = PN-Mac, Session disconnected. Session Type: IPSec, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Debug seems to have this line in:
[IKEv1]: Group = DefaultRAGroup, IP = 84.93.217.110, peer is not authenticated by xauth - drop connection.
I've tried to follow
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21
but I'm not sure it's the right thing as it's made no difference.
07-01-2011 06:18 AM
Found another forum post from an ASA that said to enable NAT traversal, which I've done, and it seems to get a bit further.
I can see in the debug phase 2 completes but then I get:
[IKEv1]: Group = DefaultRAGroup, IP = 84.93.217.110, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 84.93.217.110, Local Proxy 10.0.21.254
Jul 01 10:55:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 84.93.217.110, Active unit receives a delete event for remote peer PN-Mac.
Jul 01 10:55:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 84.93.217.110, IKE Deleting SA: Remote Proxy 84.93.217.110, Local Proxy 10.0.21.254
Any ideas?
07-01-2011 10:09 AM
Hi Paul,
Depending on the client you are using it could be failing because the hash is MD5, you should try to use SHA.
Also, the way you have configured your dynamic maps will break the normal VPN client connection if you are using one; you should try to change your dynamic maps to look like this:
crypto dynamic-map outside-dyn-map 10 set transform-set TRANS_ESP_3DES_SHA TUN_ESP_3DES_SHA
Using the two transform sets in the same line will ensure that both types of clients could work on the PIX.
Regards,
Luis Ramirez
07-01-2011 12:29 PM
I was trying with a Macbook previously and now with a Windows 7 laptop.
I seem to get a different error with the windows one and it doesn't get past phase 1 this time.
ISAKMP Header
Initiator COOKIE: e1 85 ab 03 b0 93 87 81
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 384
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 212
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 200
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 5
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
00 00 00 08
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
fb 1d e3 cd f3 41 b7 ea 16 b7 e5 be 08 55 f1 20
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
26 24 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
e3 a5 96 6a 76 37 9f e7 07 22 82 31 e5 ce 86 52
Jul 01 17:10:15 [IKEv1]: IP = 46.69.90.135, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing SA payload
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Oakley proposal is acceptable
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received NAT-Traversal RFC VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received NAT-Traversal ver 02 VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received Fragmentation VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing IKE SA payload
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing ISAKMP SA payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing NAT-Traversal VID ver 02 payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing Fragmentation VID + extended capabilities payload
Jul 01 17:10:15 [IKEv1]: IP = 46.69.90.135, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
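As an added illustration (not code from this thread or from Cisco), the Python below replays the Phase 1 proposal matching the debug above shows: it parses a constructed excerpt of the decoded Windows 7 transforms, compares each one with the two posted isakmp policies, and reports why only transform #5 is accepted (by policy 10). The policy dict layout and the group-first comparison order are assumptions.

```python
import re
# Constructed from the two 'crypto isakmp policy' blocks in the posted config.
PIX_POLICIES = [
    {"priority": 5, "encryption": "3des", "hash": "md5", "group": 2, "auth": "pre-share"},
    {"priority": 10, "encryption": "3des", "hash": "sha", "group": 2, "auth": "pre-share"},
]

# Constructed excerpt of the decoded Windows 7 proposal posted in the thread
# (transforms 2-4 omitted; they fail on Group Description just like #1).
WINDOWS7_PROPOSAL = """\
Payload Transform
Transform #: 1
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Payload Transform
Transform #: 5
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
"""

def parse_transforms(dump):
    """Convert the decoded dump into dicts using the PIX policy vocabulary."""
    transforms = []
    for chunk in dump.split("Payload Transform")[1:]:
        f = dict(re.findall(r"^([^:\n]+): (.+)$", chunk, re.M))
        enc = f["Encryption Algorithm"].split("-")[0].lower()      # "aes" / "3des"
        if enc == "aes":                                           # policy names the key size
            enc += "-" + f.get("Key Length", "128")
        grp = re.search(r"Group (\d+)", f["Group Description"])   # "Unknown" -> None
        transforms.append({
            "number": int(f["Transform #"]), "encryption": enc,
            "hash": f["Hash Algorithm"].lower().rstrip("1"),       # SHA1 -> sha
            "group": int(grp.group(1)) if grp else None,
            "auth": "pre-share" if "Preshared" in f["Authentication Method"] else "rsa-sig",
        })
    return transforms

def mismatches(transform, policy):
    """Every differing attribute, worded like the PIX debug line. Group is checked
    first because that is what the posted debug reports (assumed order)."""
    out = []
    for key, label in [("group", "Group Description"), ("encryption", "Encryption"),
                       ("hash", "Hash"), ("auth", "Authentication")]:
        if transform[key] != policy[key]:
            rcvd = "Unknown" if transform[key] is None else transform[key]
            out.append(f"Mismatched attribute types for class {label}: "
                       f"Rcv'd: {rcvd} Cfg'd: {policy[key]}")
    return out

def select_transform(policies, transforms):
    """First (transform #, policy priority) pair with no mismatch, plus the log."""
    log = []
    for t in transforms:
        for p in sorted(policies, key=lambda p: p["priority"]):
            bad = mismatches(t, p)
            if not bad:
                return (t["number"], p["priority"]), log
            log.append(f"Transform #{t['number']} vs policy {p['priority']}: {bad[0]}")
    return None, log
```

The Group Description mismatches in the debug are therefore expected noise from the AES transforms; transform #5 (3DES/SHA1/group 2) matches policy 10, which is why the PIX still reports the Oakley proposal as acceptable.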
07-01-2011 01:25 PM
Hi Paul
Could you please add your current configuration?
Regards,
Luis Ramirez
07-01-2011 01:33 PM
Sure:
interface Ethernet0
nameif Outside
security-level 0
ip address 10.0.21.254 255.255.255.0
!
interface Ethernet1
nameif Inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
name-server Hermes
object-group network PN-Allowed
network-object host PN-Linux
network-object host PN-Mac
access-list acl-inside-in extended permit ip any any
access-list acl-outside-in remark *Allow 21 Network*
access-list acl-outside-in extended permit ip host Gateway any
access-list acl-outside-in remark *Allow Access to Hermes Services*
access-list acl-outside-in extended permit tcp any host Hermes eq www
access-list acl-outside-in extended permit tcp any host Hermes eq https
access-list acl-outside-in extended permit tcp object-group PN-Allowed host Hermes eq 3389
access-list acl-outside-in extended permit tcp any host Hermes eq ftp
access-list acl-outside-in extended permit tcp any host Hermes eq 4158
access-list acl-outside-in extended permit icmp any any echo-reply
access-list acl-outside-in extended permit icmp any any traceroute
access-list acl-outside-in extended permit icmp any any unreachable
access-list acl-outside-in remark *Deny All*
access-list acl-outside-in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging host Inside Hermes
mtu Outside 1500
mtu Inside 1500
ip local pool L2TP-Pool 10.0.1.48-10.0.1.63 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host Gateway Outside
icmp permit any Inside
no asdm history enable
arp timeout 14400
static (Outside,Inside) 10.0.21.0 10.0.21.0 netmask 255.255.255.0
static (Inside,Outside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
no threat-detection statistics tcp-intercept
access-group acl-outside-in in interface Outside
access-group acl-inside-in in interface Inside
route Outside 0.0.0.0 0.0.0.0 Gateway 1
!
router rip
network 10.0.0.0
redistribute connected
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA
crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 20
telnet timeout 5
ssh PN-Mac 255.255.255.255 Outside
ssh 10.0.1.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
ntp server 212.159.13.49 source Inside prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.0.1.250
dns-server value 10.0.1.250
vpn-tunnel-protocol IPSec l2tp-ipsec
username xxxxx password xxxxx encrypted
username xxxxx attributes
vpn-tunnel-protocol l2tp-ipsec
username xxxxxx password xxxxx encrypted privilege 15
username xxxxxx password xxxxx nt-encrypted privilege 3
username xxxxxx attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) L2TP-Pool
authentication-server-group (Inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 620
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
07-01-2011 01:49 PM
Hi Paul
Thanks for the configuration; I can see you did not apply the changes I suggested, but I can also see that your PIX is behind a NAT device as it has a private IP address on the outside. Due to a Microsoft limitation the L2TP connection will not work.
There is a bug for this issue; you can find more information on this link:
07-01-2011 01:57 PM
Hi.
Sorry, I did apply the changes you suggested but it didn't make any difference, so I reverted back just to be sure that wasn't the cause of the different message I was seeing on Windows vs Mac.
The bug says fixed in 7.2(2) and I'm running 7.2(4), should this not be sorted in that release or is it not something easily fixed?
I'd like to hope there is a version where it functions, as removing the NAT isn't something I'm going to be able to do unless I can get additional IPs from the ISP (which I doubt).
07-01-2011 02:18 PM
Hi Paul
I do recommend that you use the dynamic maps the way I was suggesting, as this is the right way to configure them on the ASA.
By default Microsoft Windows does not support L2TP connections to servers behind NAT; this is a Microsoft limitation, not a limitation of the ASA or any Cisco device. On the following links you can find more information on how to modify the Windows registry for it to connect to a server behind NAT. Because changing the registry is dangerous for the computer, this has to be done at your own risk:
http://support.microsoft.com/kb/926179
http://support.microsoft.com/kb/818043/
07-02-2011 01:33 PM
Ah right. Good old MS.
Thanks for your help. I'll have to come up with another solution; even if the reg edit works, it's a bit of a pain to do it on every PC I need to VPN in from.