Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
0
Helpful
2
Replies

Can't get PIX501 to answer l2tp connections from 2000/XP

sido
Level 1
Level 1

‎06-10-2002 01:48 AM - edited ‎02-21-2020 11:47 AM

-- begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Since this was posted on a public forum, it is recommeded that passwords be changed including encrypted passwords. Please refrain from posting confidential information on the site to reduce security risks involved. -- end ciscomoderator note --

Hi.. got a problem here..

I'm setting up two PIX501 with a l2tp connection between them, this part i got running in no time.

But when i try to configure one of them to also accept l2tp connections from the built in VPN client in Win2k/XP I can't figure out why it's not answering..

Can anyone help me??

This is my config file without the PIXtoPIX part:

: Saved

:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password --moderator edit-- encrypted

passwd --moderator edit-- encrypted

hostname --moderator edit--

domain-name lokalnett.hinfo.no

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.6.0 255.255.255.0

pager lines 23

interface ethernet0 10baset

interface ethernet1 10full

icmp permit 192.168.5.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

ip address outside --moderator edit-- 255.255.255.0

ip address inside 192.168.5.10 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-pool 10.1.1.1-10.1.1.254

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.5.1 255.255.255.255 inside

pdm location 192.168.5.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1

route outside 10.1.1.0 255.255.255.0 10.1.1.1 1

route outside 192.168.6.0 255.255.255.0 --moderator edit-- 2

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server RADIUS protocol radius

aaa-server hinfo protocol radius

aaa-server hinfo (inside) host 192.168.5.50 test timeout 10

aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo

aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.5.1 255.255.255.255 inside

http 192.168.5.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server outside --moderator edit-- ciscoconfig.txt

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-l2tp

no sysopt route dnat

crypto ipsec transform-set basic esp-des esp-md5-hmac

crypto ipsec transform-set basic mode transport

crypto dynamic-map cisco 4 set transform-set basic

crypto map tilkontor 20 ipsec-isakmp dynamic cisco

crypto map tilkontor interface outside

isakmp enable outside

isakmp key test address --moderator edit-- netmask 255.255.255.255

isakmp key test address --moderator edit-- netmask 255.255.255.0

isakmp key test address --moderator edit-- netmask 255.255.255.0

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin l2tp

vpdn group 1 ppp authentication pap

vpdn group 1 client configuration address local pptp-pool

vpdn group 1 client configuration dns 192.168.5.50

vpdn group 1 client configuration wins 192.168.5.50

vpdn group 1 client authentication aaa hinfo

vpdn group 1 client accounting hinfo

vpdn group 1 l2tp tunnel hello 60

vpdn enable outside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:1de641f15482cd9ffd061893517be20d

: end

and this is the working config for PIXtoPIX vpn (with some NOT working vpdn stuff):

: Saved

:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password --moderator edit-- encrypted

passwd --moderator edit-- encrypted

hostname hinfopix1

domain-name lokalnett.hinfo.no

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 90 permit ip 192.168.6.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list 90 permit ip host --moderator edit-- host --moderator edit--

access-list acl_out permit tcp any host --moderator edit-- eq telnet

access-list acl_out permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 70 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0

pager lines 20

interface ethernet0 10baset

interface ethernet1 10full

icmp permit 192.168.5.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

ip address outside --moderator edit-- 255.255.255.0

ip address inside 192.168.5.10 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-pool 10.1.1.1-10.1.1.254

ip local pool loclapool 192.168.7.1

ip local pool localpool 192.168.2.1

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.5.1 255.255.255.255 inside

pdm location 192.168.5.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1

route outside 10.1.1.0 255.255.255.0 10.1.1.1 1

route outside 192.168.6.0 255.255.255.0 --moderator edit-- 2

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server hinfo protocol radius

aaa-server hinfo (inside) host 192.168.5.50 test timeout 10

aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo

aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.5.1 255.255.255.255 inside

http 192.168.5.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server outside --moderator edit-- ciscoconfig.txt

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-l2tp

no sysopt route dnat

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto ipsec transform-set basic esp-des esp-md5-hmac

crypto ipsec transform-set basic mode transport

crypto dynamic-map cisco 4 set transform-set basic

crypto map tilkontor 20 ipsec-isakmp

crypto map tilkontor 20 match address 90

crypto map tilkontor 20 set peer --moderator edit--

crypto map tilkontor 20 set transform-set strong

crypto map tilkontor 21 ipsec-isakmp dynamic cisco

crypto map tilkontor interface outside

isakmp enable outside

isakmp key test address --moderator edit-- netmask 255.255.255.255

netmask 255.255.255.0

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin l2tp

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local pptp-pool

vpdn group 1 client configuration dns 192.168.5.50

vpdn group 1 client configuration wins 192.168.5.50

vpdn group 1 client authentication aaa hinfo

vpdn group 1 client accounting hinfo

vpdn group 1 l2tp tunnel hello 60

vpdn enable outside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:1de641f15482cd9ffd061893517be20d

: end

what am i doing wrong????

Labels:
0 Helpful
2 Replies 2

ciscomoderator
Community Manager
Community Manager

‎06-15-2002 02:53 PM

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

0 Helpful

smunzani
Level 1
Level 1
In response to ciscomoderator

‎07-22-2002 06:25 AM

If you ever got your problems resolved with TAC help, please post the solution. It might benefit to many others.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents