Getting Error 789 When Trying to Connect to L2TP VPN

Can someone take a quick look at this config and let me know why the L2TP VPN is not working? I have been banging my head with no results.

Thanks so much if anyone can help me.

ASA Version 8.2(5)

!

hostname companyASA

domain-name *****.com

enable password encrypted

passwd encrypted

names

name 192.168.1.0 AppletonData description Appleton Data

name 172.16.0.0 AppletonVoice description Appleton Voice

name 172.16.16.0 Watertown description Watertown

name 10.0.0.0 anyInside description anyInside

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 209

!

interface Ethernet0/7

switchport access vlan 209

!

interface Vlan1

nameif inside

security-level 100

ip address 10.76.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 12.XXX.XXX.XXX 255.255.255.0

!

interface Vlan209

nameif IPOffice

security-level 50

ip address 10.10.109.1 255.255.255.0

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name *****.com

object-group network obj_any

object-group network Any10Address

description Data and Phone Networks Combined

object-group network AppletonData

description Appleton Data Network

object-group network AppletonPhone

description Appleton Phone Network

object-group network NETWORK_OBJ_10.76.3.0_24

object-group network Watertown

description Watertown Network

object-group network NETWORK_OBJ_10.10.109.0_24

object-group network Internal-Subnet

access-list Split-Tunnel-ACL standard permit 10.76.3.0 255.255.255.0

access-list outside_access_in extended permit icmp any any inactive

access-list outside_1_cryptomap extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0

access-list inside_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 192.168.50.0 255.255.255.192

access-list IPOffice_nat0_outbound extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0

access-list IPOffice_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0

access-list outside_3_cryptomap extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl standard permit 10.76.3.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu IPOffice 1500

ip local pool VPN_Pool 192.168.50.10-192.168.50.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (IPOffice) 0 access-list IPOffice_nat0_outbound

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 12.133.127.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.76.3.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac

crypto ipsec transform-set l2tp-transform mode transport

crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform

crypto dynamic-map dyn-map 10 set reverse-route

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 99.6XX.XXX.XXX

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 99.1XX.XXX.XXX

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer 24.XXX.XXX.XXX

crypto map L2TP-VPN-MAP 1 match address outside_1_cryptomap

crypto map L2TP-VPN-MAP 1 set pfs

crypto map L2TP-VPN-MAP 1 set peer 99.6XX.XXX.XXX

crypto map L2TP-VPN-MAP 1 set transform-set ESP-3DES-SHA

crypto map L2TP-VPN-MAP 2 match address outside_2_cryptomap

crypto map L2TP-VPN-MAP 2 set pfs

crypto map L2TP-VPN-MAP 2 set peer 99.1XX.XXX.XXX

crypto map L2TP-VPN-MAP 2 set transform-set ESP-3DES-SHA

crypto map L2TP-VPN-MAP 3 match address outside_3_cryptomap

crypto map L2TP-VPN-MAP 3 set pfs

crypto map L2TP-VPN-MAP 3 set peer 24.XXX.XXX.XXX

crypto map L2TP-VPN-MAP 3 set transform-set ESP-3DES-SHA

crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map

crypto map vpn-map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.76.3.5-10.76.3.254 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd domain *****.com interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value *****.com

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol l2tp-ipsec

group-policy GroupPolicy_99.6XX.XXX.XXX internal

group-policy GroupPolicy_99.6XX.XXX.XXX attributes

vpn-tunnel-protocol IPSec

group-policy GroupPolicy_24.XXX.XXX.XXX internal

group-policy GroupPolicy_24.XXX.XXX.XXX attributes

vpn-tunnel-protocol IPSec

group-policy GroupPolicy_99.1XX.XXX.XXX internal

group-policy GroupPolicy_99.1XX.XXX.XXX attributes

vpn-tunnel-protocol IPSec

group-policy vpn-policy internal

group-policy vpn-policy attributes

vpn-tunnel-protocol IPSec

username support password encrypted privilege 15

username lmk1 password nt-encrypted

username admin password encrypted privilege 15

username drm1 password nt-encrypted

username jms1 password nt-encrypted

username tcb1 password nt-encrypted

username jmb1 password nt-encrypted

username enm1 password nt-encrypted

username jason password nt-encrypted

username amw1 password nt-encrypted

username alp1 password nt-encrypted

username lab1 password nt-encrypted

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_Pool

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

isakmp keepalive disable

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

no authentication chap

authentication ms-chap-v2

tunnel-group 99.6XX.XXX.XXX type ipsec-l2l

tunnel-group 99.6XX.XXX.XXX general-attributes

default-group-policy GroupPolicy_99.6XX.XXX.XXX

tunnel-group 99.6XX.XXX.XXX ipsec-attributes

pre-shared-key *****

tunnel-group 99.1XX.XXX.XXX type ipsec-l2l

tunnel-group 99.1XX.XXX.XXX general-attributes

default-group-policy GroupPolicy_99.1XX.XXX.XXX

tunnel-group 99.1XX.XXX.XXX ipsec-attributes

pre-shared-key *****

tunnel-group 24.XXX.XXX.XXX type ipsec-l2l

tunnel-group 24.XXX.XXX.XXX general-attributes

default-group-policy GroupPolicy_24.XXX.XXX.XXX

tunnel-group 24.XXX.XXX.XXX ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous
