ASA5510 Remote access question

rvr_76bg

Hello guys,

I have to configure an ASA 5510 as a Remote access server for Windows XP machines. I tried to configure it with L2TP and IPSec but it didn't work. I was referred to a correct document by a member of this forum (appreciated) but it seems the XP machines don't like L2TP and they accept PPTP more easily. Can anyone refer me to a document on how to configure ASA5510 Remote access with PPTP? I checked the device and didn't see any option for using PPTP instead of L2TP. Thank you guys in advance.

Regards,

rvr

I configured the ASA and the XP machine following the document but it didn't work.

I enabled crypto ipsec debugging during my tests and it seemed no traffic hit the ASA when I tried from the XP machine.

I tried yesterday with PIX501 and at least I got traffic on the PIX, error was:

IPSEC(validate_transform_proposal): proxy identities not supported.

The section that says I have to configure an IP security policy on the XP machine to match the one on the ASA is not that clear to me.

regards,

debug crypto isakmp 255

debug crypto ipsec 255

Hello again,

It seems like the IPSec is not negotiated at all. I put in the commands above and I got only ISAKMP output. Please see the document attached and give me your opinion on what I am missing.

Jul 23 11:14:27 [IKEv1]: IP = 212.36.10.183, No crypto map bound to interf

dropping pkt

it should be the answer...

Bind the crypto map to the interface.

Do I really need a crypto map for Remote access? I have noticed that no IPSec rule was created when I followed the document for Remote access configuration. Do I have to have an IPSec rule?

regards

!--- Identifies the IPsec encryption and hash algorithms
!--- to be used by the transform set.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

!--- Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode,
!--- set the mode to transport.
!--- The default is tunnel mode.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

!--- Specifies the transform sets to use in a dynamic crypto map entry.
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

!--- Requires a given crypto map entry to refer to a pre-existing
!--- dynamic crypto map.
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

!--- Applies a previously defined crypto map set to an outside interface.
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20

!--- Specifies the IKE Phase I policy parameters.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

!--- Creates a tunnel group with the tunnel-group command, and specifies the local
!--- address pool name used to allocate the IP address to the client.
!--- Associate the AAA server group (VPN) with the tunnel group.
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group vpn
!--- Link the name of the group policy to the default tunnel
!--- group from tunnel group general-attributes mode.
 default-group-policy DefaultRAGroup

!--- Use the tunnel-group ipsec-attributes command
!--- in order to enter the ipsec-attribute configuration mode.
!--- Set the pre-shared key.
!--- This key should be the same as the key configured on the Windows machine.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

!--- Configures the PPP authentication protocol with the authentication type
!--- command from tunnel group ppp-attributes mode.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
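Added example, not part of the original thread or of Cisco's documentation: a small offline check that walks the chain the configuration above depends on (transform set, dynamic map, crypto map, interface binding, ISAKMP on that interface) and reports the break that produces the "No crypto map bound" drop seen earlier. It also flags the 3DES, MD5 and DH group 2 settings, which are deprecated choices; the function name, finding labels and sample are constructed for illustration.

```python
import re

# Constructed sample: crypto lines from the reply above with the
# "crypto map outside_map interface outside" line left out on purpose.
SAMPLE_UNBOUND = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""

# Deprecated algorithm keywords used in the posted config -> report label.
WEAK = {"esp-3des": "3DES", "encryption 3des": "3DES", "esp-md5-hmac": "HMAC-MD5",
        "hash md5": "MD5", "group 2": "DH group 2 (1024-bit)"}

def grab(pattern, text):
    return re.findall(pattern, text, re.M)

def audit(config):
    """Return sorted findings for the crypto-map chain of an L2TP/IPsec config."""
    lines = [s.strip() for s in config.splitlines()]
    text = "\n".join(s for s in lines if s and not s.startswith("!"))
    tsets = set(grab(r"^crypto ipsec transform-set (\S+) esp-", text))
    transport = set(grab(r"^crypto ipsec transform-set (\S+) mode transport$", text))
    dyn = dict(grab(r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)", text))
    maps = dict(grab(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", text))
    bound = dict(grab(r"^crypto map (\S+) interface (\S+)", text))
    ike = set(grab(r"^crypto isakmp enable (\S+)", text))
    out = set()
    for cmap, dmap in maps.items():
        if dmap not in dyn:
            out.add(f"missing-dynamic-map:{dmap}")
        elif dyn[dmap] not in tsets:
            out.add(f"missing-transform-set:{dyn[dmap]}")
        elif dyn[dmap] not in transport:  # L2TP/IPsec clients need transport mode
            out.add(f"not-transport-mode:{dyn[dmap]}")
        if cmap not in bound:             # cause of "No crypto map bound" drops
            out.add(f"unbound-crypto-map:{cmap}")
        elif bound[cmap] not in ike:
            out.add(f"isakmp-not-enabled:{bound[cmap]}")
    for token, label in WEAK.items():
        if re.search(rf"(^|\s){re.escape(token)}(\s|$)", text, re.M):
            out.add(f"weak:{label}")
    return sorted(out)
```
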

Thank you. It is resolved.

regards,

rvr
