Solved

Trying to get L2TP over IPSec working with local user authentication, please HELP

Posted on 2010-09-18
Last Modified: 2012-05-10
Hi Experts,

I'm trying to get L2TP over IPSec working with local user authentication in my PIX failover setup.
(I need to use the Windows VPN client.)

Please advise!
fw01(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname fw01
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 2x1.12x.5x.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host 2x1.12x.5x.28 eq 3389
access-list 110 extended permit tcp any host 2x1.12x.5x.8 eq ftp
access-list 110 extended permit tcp any host 2x1.12x.5x.8 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.8 eq 3389
access-list 110 extended permit tcp any host 2x1.12x.5x.10 eq 3389
access-list 110 extended permit tcp any host 2x1.12x.5x.13 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.14 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.15 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.16 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.18 eq www
access-list 110 extended permit tcp any host 2x1.12x.5x.9 eq https
access-list 110 extended permit tcp any host 2x1.12x.5x.9 eq smtp
access-list 110 extended permit tcp any host 2x1.12x.5x.9 eq pop3
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2x1.12x.5x.25-2x1.12x.5x.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2x1.12x.5x.28 192.168.2.199 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.13 192.168.2.80 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.19 192.168.2.69 netmask 255.255.255.255
static (inside,outside) 2x1.12x.5x.9 192.168.2.14 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 2x1.12x.5x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username test password OfDn5Zvl2478ObbvgermPQ== nt-encrypted privilege 0
username test attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
!
prompt hostname context
Cryptochecksum:f2b6204da6a3851ae7930c3c8f43e44a
: end
fw01(config)#

Question by:Shakthi777
15 Comments
 
LVL 6

Assisted Solution

by:kuoh
kuoh earned 500 total points
ID: 33709495
Try adding the following commands.

crypto ipsec transform-set ESP-3DES-MD5 mode transport
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml


Author Comment

by:Shakthi777
ID: 33713847
kuoh: added, but still no luck... not seeing the port even from outside??

Thanks a lot for your time!
LVL 6

Assisted Solution

by:kuoh
kuoh earned 500 total points
ID: 33714023
You might also need to remove the extraneous crypto map with the same priority.  In fact, you might go ahead and remove both, then reapply just the correct one.

crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000


How are you determining that the port isn't open?  What version of windows client is it and is anything logged by the PIX when the client attempts to initiate the tunnel?  You should at least get phase 1 if group/key are correct and some errors if not.  Have you tried other PCs, perhaps there is a problem on the client side?
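The question kuoh raises here ("how are you determining that the port isn't open?") is the one to settle first. A plain port scanner cannot answer it, because UDP 500 only "looks open" when the ISAKMP listener actually replies. The following probe, an added example that is not part of the thread and not a Cisco tool, sends the first IKEv1 main-mode message (HDR, SA) proposing exactly the policy in the posted config (3DES / MD5 / pre-shared key / DH group 2 / 86400 s) and classifies the reply. No reply means the packet is not reaching the firewall's IKE listener (or is being dropped on the way), so no amount of crypto-map editing will help; a reply carrying an SA payload means phase 1 is reachable and the policy is acceptable; a Notification reply (for example type 14, NO-PROPOSAL-CHOSEN) means the peer is reachable but rejected the proposal. The packet layout follows RFC 2408 and RFC 2409; the host argument and the fixed cookie used by the tests are assumptions of the example.

```python
"""IKEv1 main-mode reachability probe (added example; not from the thread or from Cisco).

Sends HDR+SA proposing the PIX's 'crypto isakmp policy 10' to UDP 500 and
classifies the reply, so "is the port open" becomes "does IKE answer".
"""
import os
import socket
import struct
import sys

# ISAKMP constants (RFC 2408 / RFC 2409)
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
EXCHANGE_MAIN_MODE = 2
ISAKMP_VERSION = 0x10          # major 1, minor 0
HDR_FMT = "!8s8sBBBBII"        # I-cookie, R-cookie, next payload, version, exchange, flags, msg id, length
ZERO_COOKIE = b"\x00" * 8


def _attr_tv(atype, value):
    """Basic (TV) attribute: type with the high bit set, 2-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def _attr_tlv(atype, value):
    """Variable-length (TLV) attribute: type, length, value bytes."""
    return struct.pack("!HH", atype, len(value)) + value


def _payload(next_payload, body):
    """Generic payload header (next, reserved, length) followed by the body."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_main_mode_sa(init_cookie=None):
    """Return the HDR+SA packet. A fixed cookie is only for tests; real probes use a random one."""
    init_cookie = init_cookie or os.urandom(8)
    attrs = (_attr_tv(1, 5)                                # encryption: 3DES-CBC
             + _attr_tv(2, 1)                              # hash: MD5
             + _attr_tv(3, 1)                              # authentication: pre-shared key
             + _attr_tv(4, 2)                              # DH group 2
             + _attr_tv(11, 1)                             # life type: seconds
             + _attr_tlv(12, struct.pack("!I", 86400)))    # life duration: 86400 s
    transform = _payload(PAYLOAD_NONE, struct.pack("!BBH", 1, 1, 0) + attrs)           # transform #1, KEY_IKE
    proposal = _payload(PAYLOAD_NONE, struct.pack("!BBBB", 1, 1, 0, 1) + transform)    # #1, ISAKMP, no SPI, 1 transform
    sa = _payload(PAYLOAD_NONE, struct.pack("!II", 1, 1) + proposal)                   # DOI IPsec, SIT_IDENTITY_ONLY
    header = struct.pack(HDR_FMT, init_cookie, ZERO_COOKIE, PAYLOAD_SA, ISAKMP_VERSION,
                         EXCHANGE_MAIN_MODE, 0, 0, 28 + len(sa))
    return header + sa


def classify_reply(sent, reply):
    """Classify the responder's first packet relative to the probe we sent."""
    if len(reply) < 28:
        return "malformed"
    icookie, rcookie, nxt, _ver, exch, _flags, _msgid, _length = struct.unpack(HDR_FMT, reply[:28])
    if icookie != sent[:8]:
        return "cookie-mismatch"            # not an answer to our probe
    if exch == EXCHANGE_MAIN_MODE and nxt == PAYLOAD_SA and rcookie != ZERO_COOKIE:
        return "phase1-accepted"            # responder picked our proposal: UDP 500 and the policy are fine
    if nxt == PAYLOAD_NOTIFY and len(reply) >= 40:
        msg_type = struct.unpack("!H", reply[38:40])[0]   # Notify Message Type, e.g. 14 = NO-PROPOSAL-CHOSEN
        return f"notify-{msg_type}"
    return "unexpected"


def probe(host, port=500, timeout=3.0):
    """Send the probe; returns a classification string, or None when nothing comes back."""
    pkt = build_main_mode_sa()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind(("", port))   # many IKE responders only answer packets sourced from port 500 (needs root)
        except PermissionError:
            pass
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify_reply(pkt, reply)


if __name__ == "__main__":
    print(probe(sys.argv[1]))   # e.g. python ike_probe.py <outside IP of the PIX>
```

Run it from the same network the Windows client is on, against the PIX's outside address. If it returns None while `show crypto isakmp sa` on the firewall stays empty, the problem is in front of the firewall (ISP filtering, a NAT device, the client's own firewall), exactly the "client PC reaching the PIX" case kuoh is worried about. Remember that a client behind NAT will need UDP 4500 as well once NAT-T is on.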
LVL 6

Expert Comment

by:kuoh
ID: 33714033
Forgot to mention add "sysopt connection permit-vpn" if you haven't already.

Author Comment

by:Shakthi777
ID: 33714124
This is the latest config, can you please advise on what exactly to change or add?

Thanks a lot for your time!
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 2xx.xx.44.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host 2xx.xx.44.28 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq ftp
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.10 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.14 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.15 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.16 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.18 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq https
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq smtp
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq pop3
access-list 110 extended permit tcp any host 2xx.xx.44.20 eq 8080
access-list 110 extended permit tcp any host 2xx.xx.44.20 eq 8081
access-list 110 extended permit tcp any host 2xx.xx.44.21 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.19 eq 8080
access-list 110 extended permit tcp any host 2xx.xx.44.23 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.13 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2xx.xx.44.25-2xx.xx.44.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.220.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 2xx.xx.44.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.44.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.44.13 www 192.168.2.82 4000 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xx.44.1 1
route inside 192.168.220.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username test password OfDn5Zvl2478ObbvgermPQ== nt-encrypted privilege 0
username test attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:a457a5a0bc930a2380f192573778b8b8
: end
FW1(config)#

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33714135
Hi,

What windows version running on client computers?
LVL 6

Assisted Solution

by:kuoh
kuoh earned 500 total points
ID: 33714168
DELETE

crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside

ADD

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
sysopt connection permit-vpn

Also, I've seen L2TP config examples show both "vpn-tunnel-protocol IPSec l2tp-ipsec" and "vpn-tunnel-protocol l2tp-ipsec", but I'm not sure which is "more" correct.  If one doesn't work, then try the other.  However, I'm not sure any of this is going to matter if there is a problem with the client PC reaching the PIX.

Author Comment

by:Shakthi777
ID: 33714221
# crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_$
WARNING: Existing map is being linked to dynamic-map: SYSTEM_DEFAULT_CRYPTO_MAP.
         All static attributes in existing map will be inactive!


I got a WARNING, please advise?

Author Comment

by:Shakthi777
ID: 33714262
still no luck, same situation...
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10

LVL 6

Accepted Solution

by:
kuoh earned 500 total points
ID: 33714296
You still have outside_map and outside_map0, did you put NO at the beginning of the DELETE lines I posted?  Did you add "sysopt connection permit-vpn"?  What is your client OS and are you certain that it is able to reach the outside IP of the PIX?

Author Comment

by:Shakthi777
ID: 33714314
# no crypto map outside_map0 65535 ipsec-isakmp dynamic SYST$
WARNING: The crypto map entry is incomplete!

I got another warning... please let me know how to remove it.

Did you add "sysopt connection permit-vpn"?
YES

What is your client OS
Windows XP
 
and are you certain that it is able to reach the outside IP of the PIX?
YEP


Author Comment

by:Shakthi777
ID: 33714345
Latest config
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 2xx.xx.44.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host 2xx.xx.44.28 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq ftp
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.8 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.10 eq 3389
access-list 110 extended permit tcp any host 2xx.xx.44.14 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.15 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.16 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.18 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq https
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq smtp
access-list 110 extended permit tcp any host 2xx.xx.44.9 eq pop3
access-list 110 extended permit tcp any host 2xx.xx.44.20 eq 8080
access-list 110 extended permit tcp any host 2xx.xx.44.20 eq 8081
access-list 110 extended permit tcp any host 2xx.xx.44.21 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.19 eq 8080
access-list 110 extended permit tcp any host 2xx.xx.44.23 eq www
access-list 110 extended permit tcp any host 2xx.xx.44.13 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2xx.xx.44.25-2xx.xx.44.26 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 2xx.xx.44.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.44.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.44.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) 2xx.xx.44.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xx.44.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username test password OfDn5Zvl2478ObbvgermPQ== nt-encrypted privilege 0
username test attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:06de1410245db0f0cb11f98609634c62
: end
FW1(config)#


Author Comment

by:Shakthi777
ID: 33714360
ikalmar:

Windows XP, Windows 7
LVL 6

Assisted Solution

by:kuoh
kuoh earned 500 total points
ID: 33714388
Oops, it should be the following.

clear configure crypto map outside_map
clear configure crypto map outside_map0
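The thread's advice (transport mode on every transform set the dynamic map offers, a single complete crypto map bound to outside, NAT traversal, the VPN bypass left on, MS-CHAPv2 on the PPP leg, the pool NAT-exempt) is easy to lose track of across three pastes of `show run`. The script below, an added example that is not part of the thread and not a Cisco tool, encodes those checks as a small linter over a saved running config and emits the fix for each miss in the same form kuoh gave it. `SAMPLE_CONFIG` is a constructed excerpt of the first config posted above, and `FIXED_CONFIG` is the same excerpt with the thread's changes applied; the finding texts and the file argument are the example's own. Note the caveat in check 4: `show run` omits defaults on 8.0, so the absence of `sysopt connection permit-vpn` from the paste proves nothing either way; `show run all sysopt` is the way to confirm it.

```python
"""Lint a PIX/ASA 8.0 'show run' for the L2TP/IPsec prerequisites discussed in the thread
(added example; the checks encode the advice given above, not any Cisco tool)."""
import ipaddress
import re
import sys

# Constructed excerpt of the first 'sh run' posted in the question (trimmed to the relevant lines).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
ip local pool VPN-POOL1 192.168.3.1-192.168.3.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-MD5
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
"""

# The same excerpt with the thread's fixes applied: stray outside_map cleared, second
# transform set in transport mode, NAT-T on, MS-CHAPv2 allowed for the PPP leg.
FIXED_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines()
                         if not l.startswith("crypto map outside_map ")) + """
crypto ipsec transform-set ESP-3DES-MD5 mode transport
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""


def parse(text):
    """Split a running config into top-level commands and indented sub-mode lines keyed by their parent."""
    top, blocks, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue
        if raw.startswith(" ") and parent:
            blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
    return top, blocks


def lint(text):
    """Return a list of findings; an empty list means every check in this linter passed."""
    top, blocks = parse(text)
    f = []
    # 1. L2TP/IPsec rides on transport-mode ESP: every transform set the dynamic map offers must be transport.
    transport = {m.group(1) for l in top if (m := re.match(r"crypto ipsec transform-set (\S+) mode transport", l))}
    for l in top:
        if m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", l):
            for ts in m.group(1).split():
                if ts not in transport:
                    f.append(f"transform-set {ts} is tunnel mode; add: crypto ipsec transform-set {ts} mode transport")
    # 2. Crypto map hygiene: 'set' lines without an ipsec-isakmp entry are incomplete; a map must be bound to an interface.
    entries, complete, bound = set(), set(), set()
    for l in top:
        if m := re.match(r"crypto map (\S+) (\d+) (.*)", l):
            entries.add((m.group(1), m.group(2)))
            if m.group(3).startswith("ipsec-isakmp"):
                complete.add((m.group(1), m.group(2)))
        elif m := re.match(r"crypto map (\S+) interface \S+", l):
            bound.add(m.group(1))
    for name, seq in sorted(entries - complete):
        f.append(f"crypto map {name} {seq} is incomplete (no ipsec-isakmp line); remove with: clear configure crypto map {name}")
    for name in sorted({n for n, _ in entries} - bound):
        f.append(f"crypto map {name} is not bound to any interface")
    # 3. Windows clients are usually behind NAT, so IKE must be able to float to UDP 4500.
    if not any(l.startswith("crypto isakmp nat-traversal") for l in top):
        f.append("NAT traversal is off; add: crypto isakmp nat-traversal 20")
    # 4. 'show run' hides defaults; only an explicit 'no' proves the VPN bypass is off (confirm with 'show run all sysopt').
    if "no sysopt connection permit-vpn" in top:
        f.append("sysopt connection permit-vpn is disabled; decrypted L2TP traffic will hit the outside ACL")
    # 5. The PPP leg: Windows L2TP clients negotiate MS-CHAPv2 by default; the group policy must allow l2tp-ipsec.
    for hdr, body in blocks.items():
        if (m := re.match(r"tunnel-group (\S+) ppp-attributes", hdr)) and "authentication ms-chap-v2" not in body:
            f.append(f"tunnel-group {m.group(1)} does not allow MS-CHAPv2; add: authentication ms-chap-v2")
        if hdr.startswith("group-policy ") and hdr.endswith(" attributes"):
            for b in body:
                if b.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" not in b.split():
                    f.append(f"{hdr}: vpn-tunnel-protocol does not include l2tp-ipsec")
    # 6. The address pool must be NAT-exempt, otherwise return traffic to the client is PATed.
    pools = {m.group(1): (m.group(2), m.group(3)) for l in top
             if (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", l))}
    nat0 = next((m.group(1) for l in top if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", l))), None)
    exempt = []
    for l in top:
        if nat0 and (m := re.match(rf"access-list {re.escape(nat0)} extended permit ip (?:any|\S+ \S+) (\S+) (\S+)$", l)):
            try:
                exempt.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            except ValueError:
                pass  # 'host x' or object names: not a plain network, skip
    for hdr, body in blocks.items():
        if not re.match(r"tunnel-group \S+ general-attributes", hdr):
            continue
        for b in body:
            if (m := re.match(r"address-pool (\S+)", b)) and m.group(1) in pools:
                lo, hi = (ipaddress.ip_address(x) for x in pools[m.group(1)])
                if not any(lo in n and hi in n for n in exempt):
                    f.append(f"pool {m.group(1)} ({lo}-{hi}) is not covered by the nat 0 access-list")
    return f


if __name__ == "__main__":
    # Usage: python l2tp_lint.py saved-show-run.txt   (with no argument, lints the embedded sample)
    for finding in lint(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG):
        print("-", finding)
```

Against the sample the linter reports the four things the thread ends up fixing (ESP-3DES-MD5 not in transport mode, the incomplete and unbound `outside_map`, no NAT-T, no MS-CHAPv2) and is silent on the pool, which is already inside the `inside_nat0_outbound` /26; against `FIXED_CONFIG` it reports nothing. The checks are deliberately narrow to what the thread covers; they say nothing about whether the pre-shared key on the client matches, which only the firewall's IKE debug can tell you.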
LVL 6

Assisted Solution

by:kuoh
kuoh earned 500 total points
ID: 33714410
Check these two links and verify your XP client configuration.  I'm not sure about Win7 compatibility though.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
http://gregsowell.com/?p=805