Solved

MS L2TP over IPsec to a Cisco ASA 5505

Posted on 2010-11-24
Last Modified: 2012-05-10
I am trying to make Windows VPN work to a Cisco ASA 5505.
Phase 1 seems to work; in phase 2 I get an error.

This is the current config.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.3(1)
!
hostname MSRouter01
domain-name MS.local
enable password gaubr1Hw0IPQlSUl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 description LAN MS
 nameif inside
 security-level 100
 ip address 172.31.7.254 255.255.255.0
!
interface Vlan2
 description Internet via ADSL KPN
 nameif outside
 security-level 0
 ip address 10.10.10.146 255.255.255.248
!
interface Vlan12
 description DMZ zone
 no nameif
 security-level 50
 ip address 172.31.8.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.31.7.5
 name-server 213.75.63.36
 name-server 213.75.63.70
 domain-name MS.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DNS_Router
 host 10.10.10.145
 description DNS Server/Thomson KPN Router
object network MSRouter01
 host 172.31.7.254
 description Cisco ASA 5505 Internet FW/VPN Gateway
object network ntp.xs4all.nl
 host 194.109.22.18
 description Timeserver xs4all
object network xs2.xs4all.nl
 host 194.109.21.3
 description xs2.xs4all.nl
object network MS-Inet-Range
 range 10.10.10.147 10.10.10.150
 description GeneTwister Public IP addresses
object network MS_Internet_SubNet
 subnet 10.10.10.144 255.255.255.248
 description Internet subnet for GeneTwister
object network MSWEB01
 host 172.31.7.14
 description MSWEB01 Tomcat Server
object network MSWEB01.foo.bar
 host 10.10.10.147
 description MSWEB01 Tomcat Web server Outside
object network MSWEB01_NAT
 host 172.31.7.14
 description MSWEB01 Tomcat Server
object network TomcatWebServer
 host 10.10.10.147
 description Virtual Server for Tomcat on 10.10.10.147
object network NAT_MSWEB01
 host 172.31.7.14
 description Tomcat Web Server
object network WebServer
 host 172.31.7.14
 description Tomcat Server
object network internalnetwork
 range 172.31.7.1 172.31.7.254
 description Internal network
object network internal_net
 subnet 172.31.7.0 255.255.255.0
 description Internal network
object network DNS1.KPN.NET
 host 213.75.63.36
 description DNS server 1 KPN
object network DNS2.KPN.NET
 host 213.75.63.70
 description DNS 2 server KPN
object network NETWORK_OBJ_172.31.7.192_28
 subnet 172.31.7.192 255.255.255.240
object network NETWORK_OBJ_172.31.7.192_27
 subnet 172.31.7.192 255.255.255.224
object network NETWORK_OBJ_172.31.9.192_28
 subnet 172.31.9.192 255.255.255.240
object network PublicServer_NAT1
 host 172.31.7.14
object network PublicServer_NAT2
 host 172.31.7.14
object network NETWORK_OBJ_10.31.7.96_28
 subnet 10.31.7.96 255.255.255.240
object network A_10.10.10.149
 host 10.10.10.149
object network PublicServer_NAT3
 host 172.31.7.52
object-group service Web tcp
 description HTTP and HTTPS traffic
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq domain
 service-object udp destination eq domain
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq 8080
object-group network DM_INLINE_NETWORK_1
 network-object object DNS_Router
 network-object object DNS1.KPN.NET
 network-object object DNS2.KPN.NET
object-group service Tomcat tcp
 description Tomcat Web Services
 port-object eq www
 port-object eq https
object-group service Tomcat8080 tcp
 description Tomcat on tcp/8080
 port-object eq 8080
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq 8080
object-group network DM_INLINE_NETWORK_2
 network-object object MSWEB01
 network-object object MSWEB01.foo.bar
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
object-group service DynamicPorts tcp
 description Dynamic Ports High
 port-object range 1024 65535
access-list inside_access_in remark Allow POP3
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any eq pop3
access-list inside_access_in remark Allow web traffic http tcp/80 and https tcp/443
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark DNS Traffic to KPN router
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.31.7.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in remark ntp traffic
access-list inside_access_in extended permit udp 172.31.7.0 255.255.255.0 object ntp.xs4all.nl eq ntp
access-list inside_access_in remark ssh to xs2.xs4all.nl
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 object xs2.xs4all.nl eq ssh
access-list inside_access_in remark icmp traffic
access-list inside_access_in extended permit icmp 172.31.7.0 255.255.255.0 any
access-list inside_access_in remark Allow FTP, SCP & SSH
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DM_INLINE_TCP_3
access-list inside_access_in remark TCP High 1024-65535
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DynamicPorts
access-list inside_access_in remark Clean-up rule
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp any host 172.31.7.52 eq 3389
access-list outside_access_in extended permit tcp any host 172.31.7.14 eq 8080
access-list outside_access_in remark Allow web traffic forwarded to MSWEB01
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list outside_access_in remark icmp answers
access-list outside_access_in extended permit icmp any 172.31.7.0 255.255.255.0
access-list outside_access_in extended permit tcp any object MSWEB01.foo.bar object-group Tomcat8080
access-list outside_access_in remark Allow L2TP over IPsec Traffic for MS VPN's
access-list outside_access_in extended permit udp any interface outside eq 1701
access-list outside_access_in remark Cleanup rule Outside
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 172.31.9.192-172.31.9.202 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static internalnetwork internalnetwork destination static NETWORK_OBJ_172.31.7.192_28 NETWORK_OBJ_172.31.7.192_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.7.192_27 NETWORK_OBJ_172.31.7.192_27
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.9.192_28 NETWORK_OBJ_172.31.9.192_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.31.7.96_28 NETWORK_OBJ_10.31.7.96_28
!
object network internal_net
 nat (any,outside) dynamic interface
object network PublicServer_NAT2
 nat (inside,outside) static MSWEB01.foo.bar service tcp 8080 www
object network PublicServer_NAT3
 nat (inside,outside) static A_10.10.10.149
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsAD protocol radius
aaa-server WindowsAD (inside) host 172.31.7.5
 timeout 5
 key *****
http server enable
http 172.31.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-delimiter @
telnet timeout 5
ssh 172.31.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.109.22.18 prefer
webvpn
 enable outside
 tunnel-group-list enable
 smart-tunnel list test test winword.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.31.7.5
 dns-server value 172.31.7.5
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 default-domain value MS.local
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value Intranet
  smart-tunnel enable test
username admin password aacKuBhBgMG98f/B encrypted privilege 15
username henk password UahwxQobBtX0uq3y encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group WindowsAD
 authorization-server-group WindowsAD
 strip-group
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias L2TP enable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Local enable
tunnel-group-map default-group DefaultWEBVPNGroup
!
!
prompt hostname context
Cryptochecksum:95e6c02b307306b848bc533b270331af
: end

Question by:howart
6 Comments
 
Accepted Solution
by: diprajbasu earned 500 total points
ID: 34203843
 
Author Comment
by: howart
ID: 34204030
I use that one as a guideline; this does not work and is confusing. I use ASA 8.3.
I need someone who can point out where I go wrong.
 
Expert Comment
by: MikeKane
ID: 34209100
I think there is a discrepancy on step 7 of that doc.

Step 7 Create a tunnel group with the tunnel-group command, and link the name of the group policy to the tunnel group with the default-group-policy command from tunnel group general-attributes mode:
hostname(config)# tunnel-group name type ipsec-ra
hostname(config)# tunnel-group name general-attributes
hostname(config-tunnel-general)# group-policy group_policy_name

I don't see ipsec-ra in your config.
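Two of the requirements discussed in this thread can be checked mechanically against the posted running-config, and neither is met by it as posted. Windows' built-in L2TP/IPsec client negotiates IPsec in transport mode, so the dynamic crypto map that answers remote-access peers has to offer a transform set with `mode transport`; the config defines TRANS_ESP_3DES_SHA that way but never lists it in SYSTEM_DEFAULT_CRYPTO_MAP's `set transform-set` line, so every proposal the ASA can accept is tunnel mode and phase 2 cannot complete. Second, the step 7 quoted above links the group-policy to the tunnel group with `default-group-policy`; the posted `tunnel-group DefaultRAGroup general-attributes` has no such line, so the `vpn-tunnel-protocol l2tp-ipsec` in group-policy DefaultRAGroup is never applied. The script below is an added example, not code from the thread or from Cisco: it parses `show running-config` output (ASA's indentation-scoped format) with regular expressions and reports those two gaps plus a sanity check that the dynamic map hangs off a crypto map on an interface where ISAKMP is enabled. SAMPLE_CONFIG is a constructed, trimmed extract of the posted config; FIXED_CONFIG applies the two commands I would add, which is a suggestion and not the resolution the thread reached (the asker moved to the Cisco VPN client).

```python
"""Lint an ASA running-config for what a Windows L2TP/IPsec client needs once phase 1 is up."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: the crypto and tunnel-group lines of the posted ASA 8.3 config,
# trimmed to what the checks below read (the transform-set list is shortened).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group WindowsAD
"""

# Same sample with both gaps closed: the transport-mode set offered by the dynamic map, and
# the L2TP group-policy linked from the tunnel group (the default-group-policy line of step 7).
# These two commands are my suggested fix, not something the thread confirmed.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("set transform-set ESP-AES-128-SHA ESP-3DES-SHA",
             "set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-3DES-SHA")
    .replace(" address-pool VPN_IP_Pool\n",
             " address-pool VPN_IP_Pool\n default-group-policy DefaultRAGroup\n")
)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map every top-level line to its indented sub-lines, keeping file order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue  # separators and the ': Saved' / ': end' markers
        if not raw.startswith(" "):
            current = raw.rstrip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def _matches(lines: Iterable[str], pattern: str):
    return (m for m in (re.match(pattern, line) for line in lines) if m)


def lint_l2tp_ipsec(config: str) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings: List[str] = []
    sections = parse_sections(config)
    top = list(sections)

    # 1. The Windows client negotiates IPsec transport mode, so a transport-mode set must exist.
    transport: Set[str] = {m.group(1) for m in
                           _matches(top, r"crypto ipsec transform-set (\S+) mode transport$")}
    if not transport:
        findings.append("no transform set has 'mode transport'; Windows L2TP/IPsec needs one")

    # 2. ...and the dynamic crypto map that answers remote-access peers must offer it.
    dyn_sets: Dict[str, Set[str]] = {}
    for m in _matches(top, r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$"):
        dyn_sets.setdefault(m.group(1), set()).update(m.group(2).split())
    if not dyn_sets:
        findings.append("no dynamic crypto map sets a transform-set")
    for name, offered in dyn_sets.items():
        if not offered & transport:
            findings.append(f"dynamic map {name} offers {sorted(offered)} but no transport-mode set")

    # 3. The dynamic map must be reachable: crypto map -> interface -> ISAKMP enabled there.
    dyn_to_map = {m.group(2): m.group(1) for m in
                  _matches(top, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")}
    map_to_if = {m.group(1): m.group(2) for m in
                 _matches(top, r"crypto map (\S+) interface (\S+)$")}
    isakmp_ifs = {m.group(1) for m in _matches(top, r"crypto isakmp enable (\S+)$")}
    for dyn in dyn_sets:
        intf = map_to_if.get(dyn_to_map.get(dyn, ""))
        if intf is None:
            findings.append(f"dynamic map {dyn} is not bound to an interface through a crypto map")
        elif intf not in isakmp_ifs:
            findings.append(f"crypto map is on {intf} but ISAKMP is not enabled on that interface")

    # 4. A group-policy allowing l2tp-ipsec does nothing unless the tunnel group links it
    #    with default-group-policy (the step the thread quotes).
    l2tp_policies: Set[str] = set()
    for line, subs in sections.items():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m and any(s.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in s.split()
                     for s in subs):
            l2tp_policies.add(m.group(1))
    if not l2tp_policies:
        findings.append("no group-policy has vpn-tunnel-protocol l2tp-ipsec")
    for line, subs in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", line)
        if not m:
            continue
        linked = [s.split()[1] for s in subs if s.startswith("default-group-policy ")]
        if not linked:
            findings.append(f"tunnel-group {m.group(1)} has no default-group-policy, "
                            f"so {sorted(l2tp_policies)} is never applied to it")
        elif linked[0] not in l2tp_policies:
            findings.append(f"tunnel-group {m.group(1)} links {linked[0]}, which lacks l2tp-ipsec")
    return findings
```

Run it as `lint_l2tp_ipsec(open("running-config.txt").read())` on a saved `show running-config`; on SAMPLE_CONFIG it reports the missing transport-mode set in the dynamic map and the unlinked group-policy, on FIXED_CONFIG it reports nothing. It only inspects these config relationships; a phase 2 failure can also come from the client side (a proposal or pre-shared key that does not match), which no config parser will see, and `debug crypto ipsec` on the ASA remains the place to confirm which proposal was rejected.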
Expert Comment
by: MikeKane
ID: 34657039
Any updates?
 
Author Comment
by: howart
ID: 34849805
Abandoned the original plan. Started to install Cisco VPN clients and configured the FW with the wizard to work with Cisco VPN.
Resolution did not work for me.
 
Author Closing Comment
by: howart
ID: 34849810
ok thx
