
L2tp over ASA Version 9.2(2)4

 Hi

I configured L2TP/IPsec on ASA Version 9.2(2)4 and I get error 789. Please check my configuration.

thanks

:

ASA Version 9.2(2)4

!

hostname VPNGateway3

enable password xxxx

passwd  xxx  encrypted

names

ip local pool AnyConnect_Address_Poolx.x.x.x

!

! Outside carries a private (RFC 1918) address, so remote L2TP clients presumably
! reach this interface through an upstream NAT device. IKE/IPsec then depends on
! NAT-T: UDP/500 and UDP/4500 must be forwarded to 10.7.7.27 on that device -
! NOTE(review): confirm this, it is outside the ASA config.
interface GigabitEthernet0/0

 nameif Outside

 security-level 0

 ip address 10.7.7.27 255.255.255.248

              

!

interface GigabitEthernet0/1

 nameif Inside

 security-level 100

 ip address 192.168.108.10 255.255.255.192

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

             

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/6

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/7

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.30.181 255.255.255.224

!

             

mtu Inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-722.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

! Identity NAT (NAT exemption) is scoped to (Inside,Inside). A VPN pool that
! terminates on a different interface would normally need an exemption spanning
! that interface; the "ip local pool" address is redacted in the post, so this
! cannot be confirmed here - verify against the real pool address.
nat (Inside,Inside) source static any any destination static NETWORK_OBJ_172.17.80.0_20 NETWORK_OBJ_172.17.80.0_20 no-proxy-arp route-lookup

!

! The host/subnet definition of AnyConnect_NAT is not in the posted excerpt; this
! rule PATs whatever it matches to the Outside interface address.
object network AnyConnect_NAT

 nat (any,Outside) dynamic interface

! The "Outside" and "Inside_access_in" ACL contents are not shown in the post.
access-group Outside in interface Outside

access-group Inside_access_in in interface Inside

             

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ut_AAA protocol radius

 accounting-mode simultaneous

 interim-accounting-update periodic 1

! The RADIUS host is reached through the Outside (security-level 0) interface and
! the shared key is masked in the post. "no mschapv2-capable" tells the ASA this
! server cannot handle MS-CHAPv2, yet the L2TP tunnel-groups below enable
! ms-chap-v2 for PPP against ut_AAA; that combination is likely to fail PPP
! authentication once IPsec is up. NOTE(review): confirm the server really lacks
! MS-CHAPv2 support before keeping this line.
aaa-server ut_AAA (Outside) host 192.168.112.29

 key *****

 authentication-port 1812

 accounting-port 1813

 radius-common-pw *****

 no mschapv2-capable

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.30.173 255.255.255.255 management

http redirect Inside 80

http redirect Outside 80

http redirect management 80

! SNMPv3 group is auth-only (no priv): requests are authenticated but sent in clear.
snmp-server group Authentication_Only v3 auth

! The v3 user authenticates with MD5; SHA is the stronger option where the
! monitoring station supports it.
snmp-server user utic_monitor Authentication_Only v3 encrypted auth md5 d9:2e:e5:79:7d:cb:d4:85:d4:d2:1f:45:63:52:02:0f

! This host still uses a community string (SNMPv1/v2c), which travels unencrypted;
! the second host uses the v3 user instead.
snmp-server host Inside 194.225.0.40 community *****

snmp-server host Inside 194.225.0.153 version 3 utic_monitor

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

             

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

             

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

! "set pfs" makes the ASA require PFS in quick mode. The built-in Windows
! L2TP/IPsec client does not propose PFS by default, so phase 2 can fail (reported
! on Windows as error 789) even when phase 1 succeeds - NOTE(review): test the
! dynamic map without set pfs.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

! Transport-mode sets (*-TRANS) are offered, which L2TP/IPsec needs. The list also
! still offers single DES (ESP-DES-SHA, ESP-DES-SHA-TRANS); prune those once all
! clients are confirmed to negotiate AES/3DES.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS

! The only crypto map in the post is bound to Inside; nothing binds a crypto map
! to Outside (GigabitEthernet0/0), where remote clients would arrive.
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Inside_map interface Inside

crypto ca trustpoint ASDM_TrustPoint0

 enrollment self

 subject-name CN=VPNGateway3

 proxy-ldc-issuer

 crl configure

crypto ca trustpoint LOCAL-CA-SERVER

 keypair LOCAL-CA-SERVER

 crl configure

crypto ca trustpoint ASDM_TrustPoint3

 crl configure

crypto ca trustpoint ASDM_TrustPoint4

 crl configure

crypto ca trustpoint ASDM_TrustPoint5

 crl configure

crypto ca trustpoint ASDM_TrustPoint6

             

 crl configure

crypto ca trustpoint ASDM_TrustPoint7

 crl configure

crypto ca trustpoint ASDM_TrustPoint2

 enrollment terminal

 crl configure

crypto ca trustpoint ASDM_TrustPoint10

 crl configure

crypto ca trustpoint ASDM_TrustPoint11

 crl configure

crypto ca trustpoint ASDM_TrustPoint12

 crl configure

crypto ca trustpoint ASDM_TrustPoint13

 crl configure

crypto ca trustpoint ASDM_TrustPoint14

 crl configure

crypto ca trustpoint ASDM_TrustPoint15

 crl configure

crypto ca trustpoint ASDM_TrustPoint16

 crl configure

crypto ca trustpoint ASDM_TrustPoint17

 crl configure

crypto ca trustpoint ASDM_TrustPoint1

 keypair ASDM_TrustPoint1

             

 crl configure

crypto ca trustpoint ASDM_TrustPoint8

 enrollment terminal

 crl configure

crypto ca trustpoint ASDM_TrustPoint9

 enrollment terminal

 crl configure

crypto ca trustpool policy

crypto ca server

crypto ca certificate chain ASDM_TrustPoint0

 

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

             

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

             

 lifetime seconds 86400

crypto ikev2 enable Inside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

! IKEv1 (what L2TP/IPsec uses) is enabled on Inside only. If the L2TP clients
! reach the ASA through Outside (10.7.7.27), there is no IKE listener on that
! interface and the Windows client reports error 789 before any tunnel-group is
! consulted. Enabling ikev1 on Outside and binding a crypto map there is the first
! thing to check.
crypto ikev1 enable Inside

crypto ikev1 policy 10

 authentication crack

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

             

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

             

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

             

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

tls-proxy maximum-session 1000

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint1 Inside vpnlb-ip

ssl trust-point ASDM_TrustPoint1 Inside

webvpn

 enable Outside

             

 enable Inside

 anyconnect-essentials

 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 3

 anyconnect image disk0:/anyconnect-linux-3.1.04066-k9.pkg 4

 anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 5

 anyconnect image disk0:/anyconnect-linux-64-3.1.04066-k9.pkg 6

 anyconnect enable

 tunnel-group-list enable

 ssl-server-check warn-on-failure

group-policy ut_GroupPolicy internal

group-policy ut_GroupPolicy attributes

 wins-server none

 dns-server value 194.225.0.14

 vpn-simultaneous-logins 1

 vpn-idle-timeout 5

 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

 split-tunnel-policy excludespecified

 split-tunnel-network-list value ut

 default-domain value ut.ac.ir

 address-pools value AnyConnect_Address_Pool

 webvpn

  anyconnect ssl keepalive 15

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

             

 dns-server value 194.225.0.14

 vpn-tunnel-protocol l2tp-ipsec

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

 dns-server value 194.225.0.14

 vpn-tunnel-protocol l2tp-ipsec

group-policy DfltGrpPolicy attributes

 split-tunnel-network-list value ut

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

 wins-server none

 dns-server value 4.2.2.4

 vpn-tunnel-protocol ikev2 ssl-client

 default-domain value ut.ac.ir

group-policy ClientLess_GroupPolicy internal

group-policy ClientLess_GroupPolicy attributes

 banner value Welcome To University of Tehran

 banner value Welcome To University of Tehran

 wins-server none

 dns-server value 4.2.2.4

 vpn-tunnel-protocol ssl-clientless

 split-tunnel-policy excludespecified

 split-tunnel-network-list value ut

 default-domain value ut.ac.ir

             

 webvpn

  url-entry enable

group-policy AnyConnect_GroupPolicy internal

group-policy AnyConnect_GroupPolicy attributes

 wins-server none

 dns-server value 4.2.2.4

 vpn-simultaneous-logins 1

 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

 split-tunnel-policy excludespecified

 split-tunnel-network-list value ut

 default-domain value ut.ac.ir

 address-pools value AnyConnect_Address_Pool

 

service-type nas-prompt

service-type nas-prompt

! L2TP/IPsec clients land in DefaultRAGroup; its default-group-policy
! DefaultRAGroup_1 permits only l2tp-ipsec, which matches this use.
tunnel-group DefaultRAGroup general-attributes

 address-pool AnyConnect_Address_Pool

 authentication-server-group ut_AAA

 default-group-policy DefaultRAGroup_1

             

! The pre-shared key is masked in the post; it is a single secret shared by every
! L2TP client, so rotate it if the real value was ever exposed.
tunnel-group DefaultRAGroup ipsec-attributes

 ikev1 pre-shared-key *****

! MS-CHAPv2 is enabled for PPP, but the ut_AAA RADIUS host above is marked
! "no mschapv2-capable"; verify the RADIUS side supports MS-CHAPv2, otherwise PPP
! authentication fails after the IPsec tunnel comes up.
tunnel-group DefaultRAGroup ppp-attributes

 authentication ms-chap-v2

tunnel-group ClientLess_ConnectionProfile type remote-access

tunnel-group ClientLess_ConnectionProfile general-attributes

 authorization-server-group ut_AAA

 default-group-policy ClientLess_GroupPolicy

tunnel-group ClientLess_ConnectionProfile webvpn-attributes

 group-alias SSL_Access disable

 group-alias zSSL_Access enable

 group-url https://192.168.108.11/SSL_Access enable

tunnel-group AnyConnect_ConnectionProfile type remote-access

tunnel-group AnyConnect_ConnectionProfile general-attributes

 authorization-server-group LOCAL

 default-group-policy AnyConnect_GroupPolicy

tunnel-group AnyConnect_ConnectionProfile webvpn-attributes

 group-alias AnyConnect_Access disable

 group-alias ut_AnyConnect_Access disable

 group-alias zAnyConnect_Access enable

 group-url https://192.168.108.10/AnyConnect_Access enable

tunnel-group ut_connectionprofile type remote-access

tunnel-group ut_connectionprofile general-attributes

 authentication-server-group ut_AAA

             

 authorization-server-group ut_AAA

 accounting-server-group ut_AAA

 default-group-policy ut_GroupPolicy

tunnel-group ut_connectionprofile webvpn-attributes

 group-alias Access disable

 group-alias ut_Access enable

 group-url https://192.168.108.10/ut_access enable

tunnel-group ut_connectionprofile ppp-attributes

 authentication pap

 authentication ms-chap-v2

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

             

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:be6bb333c86f273e75ad9f1af63b555e

: end

 

 
