VPN L2TP/IPsec problem on Win client, error 809

maior.biz
Level 1

Hi, this is the first time I write on this forum; I hope not to disturb and to find the information needed to solve my problems.

I have a Cisco ASA5510 and I'm having fun experimenting with some configurations.

I cannot connect to the VPN; Windows gives me error 809. I configured the firewall to accept connections from the Microsoft L2TP/IPsec client, authenticating users on the domain controller via LDAP.

Clientless VPN connections work, so the server connection is correct. Please can you take a look at the setup to see what the problem is?

Thanks.

As it is the first time I configure this type of firewall, comments and suggestions on the configuration are welcome.

ASA Version 8.2(5)

!

hostname FIREWALLP01

enable password xxx encrypted

passwd xxx encrypted

names

name 79.xx.xx.73 ROUTERP01

name 79.xx.xx.75 Pubblica_HTTP

name 79.xx.xx.76 Pubblica_VOIP

name 192.168.yy.2 SERVERP02

name 192.168.yy.3 SERVERP03

name 192.168.zz.4 SERVERP04

!

interface Ethernet0/0

nameif Pubblica_ADSL

security-level 0

ip address 79.xx.xx.74 255.255.255.248

!

interface Ethernet0/1

nameif LAN

security-level 100

ip address 192.168.yy.254 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 98

ip address 192.168.zz.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service rtp udp

port-object range 9000 9049

access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_HTTP eq sip

access-list LAN_nat0_outbound extended permit ip any 192.168.yy.0 255.255.255.0

pager lines 24

logging asdm informational

mtu management 1500

mtu LAN 1500

mtu DMZ 1500

mtu Pubblica_SIADSL 1500

ip local pool VPN_Pool 192.168.yy.120-192.168.yy.129 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (DMZ) 1 interface

global (Pubblica_SIADSL) 1 interface

nat (LAN) 0 access-list LAN_nat0_outbound

nat (LAN) 1 0.0.0.0 0.0.0.0

static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255

static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255

access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL

route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server SERVERP02 protocol ldap

aaa-server SERVERP02 (LAN) host SERVERP02

ldap-base-dn DC=MAIOR,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=Administrator,CN=Users,DC=MAIOR,DC=local

server-type microsoft

http server enable

http 192.168.1.0 255.255.255.0 management

http authentication-certificate management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL

crypto isakmp enable Pubblica_SIADSL

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.yy.0 255.255.255.0 LAN

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.yy.2

vpn-tunnel-protocol l2tp-ipsec

default-domain value MAIOR.local

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_Pool

authentication-server-group SERVERP02

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b6052928b417a44f07e2dab4aa745414

: end

12 Replies

Hi Raffaele,

Please make the following changes:

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

!

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA

!

crypto isakmp policy 10

hash sha

!

I hope not to be missing anything, so please, give it a try and let us know.

In case it does not work, please run the following debugs:

debug crypto isakmp 190

debug crypto ipsec 190

*Please attach the output in a .txt format.

Also make sure that your L2TP client is properly configured.

Further information:

L2TP Over IPsec Between Windows 2000/XP PC and PIX/ASA 7.2 Using Pre-shared Key Configuration Example


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

I look forward to hearing back from you.

Thank you for posting on CSC.

I thank you, you were very kind! After I saved your configuration I have a different error, 691.

Attached, the debug and the settings of my VPN client.

Thanks!

Thanks for your quick reply.

Please try with the LOCAL database of the ASA instead of with your LDAP server.

You can follow this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

!--- Configure usernames and passwords on the device
!--- in addition to using AAA.
!--- If the user is an L2TP client that uses Microsoft CHAP version 1 or 
!--- version 2, and the security appliance is configured 
!--- to authenticate against the local 
!--- database, you must include the mschap keyword. 
!--- For example, username  password  mschap.


username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted

tunnel-group DefaultRAGroup general-attributes

authentication-server-group LOCAL

Please let me know.

So, I configured everything again because I needed remote access and have opted, for now, to connect clientless on 443.

I am leaving my setup here, because I still have problems with access; I also tried the local authentication but it does not work.

Thanks again for your availability.

ASA Version 8.2(5)

!

hostname FIREWALLP01

domain-name MAIOR.local

enable password xx encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 79.xx.xx.73 ROUTERP01

name 79.xx.xx.75 Pubblica_HTTP

name 79.xx.xx.76 Pubblica_VOIP

name 192.168.yy.2 SERVERP02

name 192.168.yy.3 SERVERP03

name 192.168.zz.4 SERVERP04

!

interface Ethernet0/0

nameif Pubblica_SIADSL

security-level 0

ip address 79.xx.xx.74 255.255.255.248

!

interface Ethernet0/1

nameif LAN

security-level 100

ip address 192.168.yy.254 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 98

ip address 192.168.zz.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup Pubblica_SIADSL

dns domain-lookup LAN

dns domain-lookup DMZ

dns domain-lookup management

dns server-group DefaultDNS

name-server SERVERP02

domain-name MAIOR.local

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service rtp udp

port-object range 9000 9049

access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_HTTP eq sip

access-list LAN_nat0_outbound extended permit ip any 192.168.yy.0 255.255.255.0

pager lines 24

logging asdm informational

mtu Pubblica_SIADSL 1500

mtu LAN 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPN_Pool 192.168.yy.120-192.168.yy.129 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (Pubblica_SIADSL) 1 interface

global (DMZ) 1 interface

nat (LAN) 0 access-list LAN_nat0_outbound

nat (LAN) 1 0.0.0.0 0.0.0.0

static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255

static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255

access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL

route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value Link

aaa-server SERVERP02 protocol ldap

aaa-server SERVERP02 (LAN) host SERVERP02

ldap-base-dn DC=MAIOR,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=Administrator,CN=Users,DC=MAIOR,DC=local

server-type microsoft

http server enable

http 192.168.1.0 255.255.255.0 management

http authentication-certificate management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA

crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL

crypto isakmp enable Pubblica_SIADSL

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable Pubblica_SIADSL

enable LAN

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.yy.2

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value MAIOR.local

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol webvpn

username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_Pool

authentication-server-group SERVERP02

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group SERVERP02

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:

It's very interesting since I just reproduced it on my LAB and it worked just fine.

I did set the  Phase I policy to use SHA instead of MD5 and one single transform-set, the one in transport-mode (you can still have other transform-sets).

I also used the LOCAL database and connected with a MSCHAP account (username test pass test mschap).

It may be related to your L2TP/IPsec client, could you please make sure it is properly configured?

Please send me the following outputs during a connection attempt:

debug crypto isakmp 3

debug crypto ipsec 3

I hope to hear from you soon.

Hello, sorry to bother you again, but I just cannot configure the connection. I also tried to configure the AnyConnect connection but I realized I do not have the necessary licenses. :(

I have now wiped all the settings by performing a factory default and I've reconfigured the firewall, paying attention to all the parameters to be entered.

I followed your instructions on SHA/MD5.

I'm trying with a PC with Windows 7 x64; unfortunately I cannot find an XP client to test with another OS.

When I try to connect, my client returns error 789. I have verified that this problem could be caused by the operating system, so I set the registry keys needed, but it still does not work (http://support.microsoft.com/kb/926179/en-us).

I am attaching the new (final) configuration and the error log (as you told me, I have enabled the following debugs: debug crypto isakmp 3; debug crypto ipsec 3; debug ldap 255).

The LDAP query does not start; however, I think the problem is not the authentication, because the test and the clientless HTTPS website work fine.

I hope to resolve this issue; I trust in your help.

Thank you for your availability.

Is there a way to chat with you, in order to test this together? What is your time zone? Thanks again.

Hi,

And that's not a problem, I am glad to help you.

Please make the following change:

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

Then try to connect and gather the same debugs.

Please keep me posted.
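The replies above converge on a short recipe for the Windows built-in L2TP/IPsec client: a transform-set in transport mode bound to the dynamic map, SHA instead of MD5 in the Phase 1 policy, no `set pfs` on the dynamic map, MS-CHAPv2 under ppp-attributes, and (when authenticating against LOCAL) a user created with the `mschap` keyword so the password is stored `nt-encrypted`. The following is an added example, not code from the thread or from Cisco: a small Python checker that applies those five checks to a saved `show running-config`. The two inline configs are constructed to mirror the before and after states described in the thread (the `set pfs group1` line is included because the later reply asks for its removal); the function and class names are this example's own.

```python
"""Lint an ASA 8.x running-config for the Windows L2TP/IPsec settings this
thread converged on. Added example, not Cisco's code; names are the example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

POLICY_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}
PPP_SUBCMDS = {"authentication", "no"}


@dataclass
class AsaCrypto:
    transport_sets: Set[str] = field(default_factory=set)            # transform-sets with 'mode transport'
    dynmap_sets: Dict[str, List[str]] = field(default_factory=dict)  # dynamic-map -> transform-set names
    dynmap_pfs: Set[str] = field(default_factory=set)                # dynamic-maps carrying 'set pfs'
    isakmp_policies: Dict[int, Dict[str, str]] = field(default_factory=dict)
    ppp_auth: Dict[str, Set[str]] = field(default_factory=dict)      # tunnel-group -> enabled PPP auth methods
    nt_users: Set[str] = field(default_factory=set)                  # created with the 'mschap' keyword
    plain_users: Set[str] = field(default_factory=set)


def parse_asa(text: str) -> AsaCrypto:
    """One pass; sub-commands attach to the policy/ppp-attributes block opened above them."""
    cfg, block = AsaCrypto(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if block and block[0] == "policy" and tok[0] in POLICY_SUBCMDS:
            cfg.isakmp_policies[block[1]][tok[0]] = " ".join(tok[1:])
            continue
        if block and block[0] == "ppp" and tok[0] in PPP_SUBCMDS:
            methods = cfg.ppp_auth[block[1]]
            if tok[0] == "no":            # e.g. 'no authentication chap'
                methods.discard(tok[-1])
            else:                         # e.g. 'authentication ms-chap-v2'
                methods.add(tok[-1])
            continue
        block = None  # any other line closes the open block
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            block = ("policy", int(m.group(1)))
            cfg.isakmp_policies.setdefault(block[1], {})
        elif m := re.match(r"tunnel-group (\S+) ppp-attributes$", line):
            block = ("ppp", m.group(1))
            cfg.ppp_auth.setdefault(block[1], set())
        elif m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            cfg.transport_sets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", line):
            cfg.dynmap_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set pfs", line):
            cfg.dynmap_pfs.add(m.group(1))
        elif m := re.match(r"username (\S+) password \S+(?: (nt-encrypted))?", line):
            (cfg.nt_users if m.group(2) else cfg.plain_users).add(m.group(1))
    return cfg


def lint_l2tp(cfg: AsaCrypto, tunnel_group: str = "DefaultRAGroup") -> List[str]:
    """Findings against the thread's recipe; an empty list means every check passed."""
    out = []
    for name, sets in cfg.dynmap_sets.items():   # Windows L2TP/IPsec negotiates ESP in transport mode
        if not any(ts in cfg.transport_sets for ts in sets):
            out.append(f"dynamic-map {name}: no transform-set in 'mode transport'")
    for name in cfg.dynmap_pfs:                   # reply above: 'no ... set pfs group1'
        out.append(f"dynamic-map {name}: remove 'set pfs'")
    if not any(p.get("authentication") == "pre-share" and p.get("hash") == "sha"
               and p.get("group") == "2" for p in cfg.isakmp_policies.values()):
        out.append("isakmp: need a policy with 'authentication pre-share', 'hash sha', 'group 2'")
    if "ms-chap-v2" not in cfg.ppp_auth.get(tunnel_group, set()):
        out.append(f"tunnel-group {tunnel_group}: 'authentication ms-chap-v2' missing")
    for user in sorted(cfg.plain_users):          # MS-CHAPv2 against LOCAL needs an NT hash
        out.append(f"username {user}: not nt-encrypted; recreate with 'password <pw> mschap'")
    return out


# Constructed sample mirroring the first posted config (plus the 'set pfs' the later reply removed)
BEFORE = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""
# The three changes the replies asked for, applied to the sample
AFTER = (BEFORE.replace("set transform-set ESP-AES-128-SHA", "set transform-set TRANS_ESP_3DES_SHA")
         .replace("crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1\n", "")
         .replace(" hash md5", " hash sha"))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_l2tp(parse_asa(text)) or "OK")
```

Run it against `show running-config` saved to a file (`lint_l2tp(parse_asa(open("asa.txt").read()))`) before and after applying the changes; the "before" sample reports three findings (no transport-mode set on the dynamic map, `set pfs` present, Phase 1 hash not SHA) and the "after" sample reports none. The parser deliberately tolerates the missing leading indentation of a pasted config, since sub-commands are recognised by keyword rather than by whitespace.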

Thanks, I made the configuration change as reported; now I have a different error.

I tried both with LDAP authentication and with LOCAL authentication.

As you can see in the debug, the call to LDAP authentication is not made.

The client hangs on "verify user name and password".

I tried with two different settings of the client and I have two different errors:

Error 628 "settings2"

Error 691 "settings1"

I thank you again for your willingness to help.

any news about my 691 error?

maior.biz
Level 1

Windows XP gives the same error, "691 Authentication Error". But could there be a problem with licensing?

Hi Raffaele,

At this point I would recommend to open a TAC case in order to check your machine settings and get this resolved ASAP.

This would be a VPN ticket.

Please let me know.

I can't open a TAC case because the appliance was bought used, so I don't have a technical support contract!

This is the licensing information:

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 50

Inside Hosts                   : Unlimited

Failover                       : Disabled

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 0

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 2

Total VPN Peers                : 250

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has a Base license.