howart
asked on
MS L2TP over IPsec to a Cisco ASA 5505
I am trying to make Windows VPN work to a Cisco ASA 5505.
Phase 1 seems to work , phase 2 I get an error.
This is the current config.
Phase 1 seems to work , phase 2 I get an error.
This is the current config.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.3(1)
!
hostname MSRouter01
domain-name MS.local
enable password gaubr1Hw0IPQlSUl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
description LAN MS
nameif inside
security-level 100
ip address 172.31.7.254 255.255.255.0
!
interface Vlan2
description Internet via ADSL KPN
nameif outside
security-level 0
ip address 10.10.10.146 255.255.255.248
!
interface Vlan12
description DMZ zone
no nameif
security-level 50
ip address 172.31.8.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.31.7.5
name-server 213.75.63.36
name-server 213.75.63.70
domain-name MS.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DNS_Router
host 10.10.10.145
description DNS Server/Thomson KPN Router
object network MSRouter01
host 172.31.7.254
description Cisco ASA 5505 Internet FW/VPN Gateway
object network ntp.xs4all.nl
host 194.109.22.18
description Timeserver xs4all
object network xs2.xs4all.nl
host 194.109.21.3
description xs2.xs4all.nl
object network MS-Inet-Range
range 10.10.10.147 10.10.10.150
description GeneTwister Public IP addresses
object network MS_Internet_SubNet
subnet 10.10.10.144 255.255.255.248
description Subnet van het Internet voor GeneTwister
object network MSWEB01
host 172.31.7.14
description MSWEB01 Tomcat Server
object network MSWEB01.foo.bar
host 10.10.10.147
description MSWEB01 Tomcat Web server Outside
object network MSWEB01_NAT
host 172.31.7.14
description MSWEB01 Tomcat Server
object network TomcatWebServer
host 10.10.10.147
description Virtual Server for Tomcat on 10.10.10.147
object network NAT_MSWEB01
host 172.31.7.14
description Tomcat Web Server
object network WebServer
host 172.31.7.14
description Tomcat Server
object network internalnetwork
range 172.31.7.1 172.31.7.254
description Intern Netwerk
object network internal_net
subnet 172.31.7.0 255.255.255.0
description Interne Netwerk
object network DNS1.KPN.NET
host 213.75.63.36
description DNS server 1 KPN
object network DNS2.KPN.NET
host 213.75.63.70
description DNS 2 server KPN
object network NETWORK_OBJ_172.31.7.192_28
subnet 172.31.7.192 255.255.255.240
object network NETWORK_OBJ_172.31.7.192_27
subnet 172.31.7.192 255.255.255.224
object network NETWORK_OBJ_172.31.9.192_28
subnet 172.31.9.192 255.255.255.240
object network PublicServer_NAT1
host 172.31.7.14
object network PublicServer_NAT2
host 172.31.7.14
object network NETWORK_OBJ_10.31.7.96_28
subnet 10.31.7.96 255.255.255.240
object network A_10.10.10.149
host 10.10.10.149
object network PublicServer_NAT3
host 172.31.7.52
object-group service Web tcp
description HTTP and HTTPS traffic
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq 8080
object-group network DM_INLINE_NETWORK_1
network-object object DNS_Router
network-object object DNS1.KPN.NET
network-object object DNS2.KPN.NET
object-group service Tomcat tcp
description Tomcat Web Services
port-object eq www
port-object eq https
object-group service Tomcat8080 tcp
description Tomcat on tcp/8080
port-object eq 8080
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq 8080
object-group network DM_INLINE_NETWORK_2
network-object object MSWEB01
network-object object MSWEB01.foo.bar
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service DynamicPorts tcp
description Dynamic Ports High
port-object range 1024 65535
access-list inside_access_in remark Alllow POP3
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any eq pop3
access-list inside_access_in remark Allow web traffic http tcp/80 and https tcp/443
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark DNS Traffic to KPN router
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.31.7.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in remark ntp traffic
access-list inside_access_in extended permit udp 172.31.7.0 255.255.255.0 object ntp.xs4all.nl eq ntp
access-list inside_access_in remark ssh to xs2.xs4all.nl
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 object xs2.xs4all.nl eq ssh
access-list inside_access_in remark icmp traffic
access-list inside_access_in extended permit icmp 172.31.7.0 255.255.255.0 any
access-list inside_access_in remark Allow FTP, SCP & SSH
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DM_INLINE_TCP_3
access-list inside_access_in remark TCP High 1024-65535
access-list inside_access_in extended permit tcp 172.31.7.0 255.255.255.0 any object-group DynamicPorts
access-list inside_access_in remark Clean-up rule
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp any host 172.31.7.52 eq 3389
access-list outside_access_in extended permit tcp any host 172.31.7.14 eq 8080
access-list outside_access_in remark Allow web traffic forwarded to MSWEB01
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list outside_access_in remark icmp answers
access-list outside_access_in extended permit icmp any 172.31.7.0 255.255.255.0
access-list outside_access_in extended permit tcp any object MSWEB01.foo.bar object-group Tomcat8080
access-list outside_access_in remark Allow L2TP over IPsec Traffic for MS VPN's
access-list outside_access_in extended permit udp any interface outside eq 1701
access-list outside_access_in remark Cleanup rule Outside
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 172.31.9.192-172.31.9.202 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static internalnetwork internalnetwork destination static NETWORK_OBJ_172.31.7.192_28 NETWORK_OBJ_172.31.7.192_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.7.192_27 NETWORK_OBJ_172.31.7.192_27
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.9.192_28 NETWORK_OBJ_172.31.9.192_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.31.7.96_28 NETWORK_OBJ_10.31.7.96_28
!
object network internal_net
nat (any,outside) dynamic interface
object network PublicServer_NAT2
nat (inside,outside) static MSWEB01.foo.bar service tcp 8080 www
object network PublicServer_NAT3
nat (inside,outside) static A_10.10.10.149
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsAD protocol radius
aaa-server WindowsAD (inside) host 172.31.7.5
timeout 5
key *****
http server enable
http 172.31.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-delimiter @
telnet timeout 5
ssh 172.31.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.109.22.18 prefer
webvpn
enable outside
tunnel-group-list enable
smart-tunnel list test test winword.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.31.7.5
dns-server value 172.31.7.5
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
default-domain value MS.local
group-policy DfltGrpPolicy attributes
webvpn
url-list value Intranet
smart-tunnel enable test
username admin password aacKuBhBgMG98f/B encrypted privilege 15
username henk password UahwxQobBtX0uq3y encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_IP_Pool
authentication-server-group WindowsAD
authorization-server-group WindowsAD
strip-group
tunnel-group DefaultRAGroup webvpn-attributes
group-alias L2TP enable
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias Local enable
tunnel-group-map default-group DefaultWEBVPNGroup
!
!
prompt hostname context
Cryptochecksum:95e6c02b307306b848bc533b270331af
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I think there is a discrepancy on step 7 of that doc.
Step 7 Create a tunnel group with the tunnel-group command, and link the name of the group policy to the tunnel group with the default-group-policy command from tunnel group general-attributes mode:
hostname(config)# tunnel-group name type ipsec-ra
hostname(config)# tunnel-group name general-attributes
hostname(config-tunnel-gen eral)# group-policy group_policy_name
I don't see ipsec-ra in your config.
Step 7 Create a tunnel group with the tunnel-group command, and link the name of the group policy to the tunnel group with the default-group-policy command from tunnel group general-attributes mode:
hostname(config)# tunnel-group name type ipsec-ra
hostname(config)# tunnel-group name general-attributes
hostname(config-tunnel-gen
I don't see ipsec-ra in your config.
Any updates?
ASKER
Abandoned the original plan. Started to install Cisco VPN clients and configured the FW with the wizard to work with Cisco VPN.
Resolution did not work for me.
Resolution did not work for me.
ASKER
ok thx
ASKER
I need someone who can point out were I go wrong.