L2TP VPN on a Pix 506e

iangilbert · ‎04-03-2007

I've been trying to configure an L2TP VPN for our company remote employees to use VPN in hotels around the world as the Cisco VPN ports are often blocked.

I've used Cisco's own L2TP examples, and examples from various forums. All have the same response: The external PC gets an ARP reply from the PIX but nothing else when trying to connect. (Our 2nd PIX using Cisco VPN works fine)

Below is the important bits of the running config. Can anyone tell me the (probably obvious) thing I have missed or done to stop it working.

Thanks

----PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

no fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

no fixup protocol sqlnet 1521

fixup protocol tftp 69

name 10.4.0.0 l2tppool

access-list l2tp permit udp host 217.x.x.91 any eq 1701

access-list nonat permit ip l2tppool 255.255.0.0 any

logging console debugging

ip address outside 217.x.x.91 255.255.255.192

ip address inside 10.0.0.10 255.224.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool l2tp 10.4.1.51-10.4.1.99

nat (inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.x.x.123.91 1

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 10.0.0.8 awdth8^. timeout 5

aaa-server LOCAL protocol local

snmp-server community public

floodguard enable

sysopt connection tcpmss 0

sysopt connection permit-ipsec

sysopt connection permit-l2tp

crypto ipsec transform-set l2tp esp-des esp-md5-hmac

crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity beattock 10.0.0.3:/certsrv/mscep/mscep.dll

ca configure beattock ra 1 20 crloptional

vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 10.0.0.3 10.0.0.8

vpdn group l2tpipsec client configuration wins 10.0.0.8

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

ggilbert · ‎04-03-2007

Take this command out

crypto dynamic-map dyna 20 match address l2tp

Let me know if that works out.

Cheers

Gilbert

ggilbert · ‎04-03-2007

access-list nonat permit ip l2tppool 255.255.0.0 any

this should be

access-list nonat per ip mask l2tppool 255.255.0.0