Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco PIX 515E L2TP over IPSec help ???

Hi friends... I'm stuck with L2TP IPSec VPN configuration. I have Googled some days but didn't able to get any helpful tips and get this working.

Below is my script and when I'm trying to log below logs can be found;

Logs:

%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443
%PIX-3-710003: TCP access denied by ACL from 1x4.4x.5.1x6/51217 to outside:xxx.xxx.xxx.2/443

1x4.4x.5.1x6 = VPN Client IP

Cisco Configuration:

FIRE1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FIRE1
domain-name company.local
enable password HlKVWtGMbhq33V/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.224
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
ospf cost 10
!
interface Ethernet2
description LAN/STATE Failover Interface
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xxx.xxx.xxx.28 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq ftp
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.8 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.10 eq 3389
access-list 110 extended permit tcp any host xxx.xxx.xxx.14 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.15 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.16 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.18 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq https
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq smtp
access-list 110 extended permit tcp any host xxx.xxx.xxx.9 eq pop3
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.20 eq 8081
access-list 110 extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.19 eq 8080
access-list 110 extended permit tcp any host xxx.xxx.xxx.23 eq www
access-list 110 extended permit tcp any host xxx.xxx.xxx.13 eq www
pager lines 24
logging console warnings
logging monitor warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.25-xxx.xxx.xxx.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.21 192.168.2.112 netmask 255.255.255.255
static (inside,inside) 192.168.220.0 192.168.220.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.220.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d69b3fced49e5a9b8e17df7c088bd7b2
: end
FIRE1(config)#

17 REPLIES
Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html#wp1074591

This has worked for me in the past.

Where are you trying to connect from ie. what is the client - please note that everything over XP might not support MD5 and you're missing authentication methods.

HTH,

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

Is above link should work for PIX 515E with PIX Version 8.0(4) as well  ?

Thanks !

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

PIX 8.0 and ASA 8.0 code both should have same capabilities ;-)

If you don't trust me, google for configuration guide for PIX.

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

thanks a lot Marcin: I'll post the results withini next hour !

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

You still didn't share which client you're using, and if other might be working OK?

has this setup ever worked?

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

Nope this is the initial deployment, they want to use this for Windows VPN Client and they expect to connect using Windows XP/Windows 7 etc...

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

Cool,

if you see an error when connecting - I would first all make a screenshot, and debug:

deb cry isa 100

deb crypto ipsec 100

on the PIX.

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

tat's example is on authenticating on RADIUS server ??  i need to do it by local users, please advise and thanks

"aaa-server sales_server protocol radius"

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

Jest set local authentication (default) ;-)

I believe you have your user properly added before ...

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046114

"username cisco password cisco mschap"

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

hi.. now I'm confused with diferent articles....

can you please grab me only the nessary commands for L2TP over IPSec ?? I tried but I think it's duplicated at last....

I need to authenticate local users, initially please add a user "testing" and Windows XP and Windows 7 Clients should be able to log in.

thanks a lot for your valuable time !

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

Mate,

Scratch all the things you've done up to now and start with this:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

If you need to add a user please do it based on how they did it here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046114 (Step 10.)

The command are there and listed, your interaction needed will be to change the PSK and username and password + adding step 11.

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

cleaned up everything but i can't remove below

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal

how do I remove ??

tnx !

however below is what I put newly, it gave me the same results which I posted initially... please help..

ip local pool aa_pool1 192.168.33.1-192.168.33.50 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool aa_pool1

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key hEllo

username testing password password mschap

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity auto
crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 3600

l2tp tunnel hello 100

group-policy aa_policy internal
group-policy aa_policy attributes
dns-server value 192.168.2.14
vpn-tunnel-protocol ipsec l2tp-ipsec

tunnel-group aa_tunnel type remote-access
tunnel-group aa_tunnel general-attributes
address-pool aa_addresses
authentication-server-group none
accounting-server-group aa_server
default-group-policy aa_policy

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

It seems we're going the right direction ;-)

The logs you pointed out initially is a user trying to access HTTPS service on ASA - nothing to do with L2tp.

I told you which debugs to get to confirm if the issues is with IPsec.

As stated in docs - the only default tunnel-group should be used.

You can bind group-policy to default one as you did with your  aa_tunnel tunnel-group.

Please go over the doc :-)

Marcin

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

hmm second time also faild, please help, below is the new commands I have entered but some are not accepted;

ip local pool aa_pool1 192.168.3.1-192.168.3.50 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool aa_pool1

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key hEllo

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set set trans >> NOT WORK BUT THIS WORKED >>  crypto dynamic-map dyno 10 set transform-set trans

crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity auto
crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 3600

tunnel-group DefaultRAGroup type ipsec-ra >> NOT WORKED

ERROR: % Invalid input detected at '^' marker. ('^' was below to the "type")

username testing password password mschap
username testing attributes
vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes
group-policy group_policy_aa >> NOT WORKED>> "incomplete command"
authentication-server-group LOCAL

l2tp tunnel hello 30

crypto isakmp enable >> NOT WORKED>> "incomplete command"
crypto isakmp nat-traversal 30

group-policy group_policy_aa attributes
dns value 192.168.1.1
wins-server 192.168.1.1

access-list 110 extended permit ip any any

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

group-policy group_policy_aa >> NOT WORKED>> "incomplete command"

bsns-asa5520-10(config)# group-policy SOME_NAME ?

configure mode commands/options:
  external  Enter this keyword to specify an external group policy
  internal  Enter this keyword to specify an internal group policy

For a new policy you need to define if it's internal or external. Internal is what you're looking for.

> tunnel-group DefaultRAGroup type ipsec-ra >> NOT WORKED

tunnel-group DefaultRAGroup <---- is already defined, why are you trying to define the type again?

> crypto isakmp enable >> NOT WORKED>> "incomplete command"


You have it already enabled! "crypto isakmp enable outside"

Please note that you will have to bind the default RA tunnel-group with whichever group-policy you configure.

Example:

bsns-asa5520-10(config)# tunnel-group SOME_OTHER_NAME general-attributes
bsns-asa5520-10(config-tunnel-general)# default-group-policy SOME_NAME

New Member

Re: Cisco PIX 515E L2TP over IPSec help ???

##group-policy group_policy_aa >> NOT WORKED>> "incomplete command"

bsns-asa5520-10(config)# group-policy SOME_NAME ?

YES

I really appreciate your great help this .. I would be honestly thank full if you post the corrected entire L2TP commands for the VPN, then I can easily identify what wrong is here and what is right…

Again thanks a lot !

Cisco Employee

Re: Cisco PIX 515E L2TP over IPSec help ???

Mate, I don't have a configuration on any lab device, nor do I have the time to do so.

There are probably hundered of configuration examples like this one:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#configuringthemicrosoftserverwithias

The only difference is that you will need to adapt it to your setup - for exempla not using radius for authentication, adjust it to use SHA instead of MD5 and minor changes in tunnel-group types.

If in doubt please refer to command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/cmd_ref.html

Marcin

1701
Views
0
Helpful
17
Replies