Cisco ASA 5510 VPN Configuration

Posted on 2011-02-20
Last Modified: 2012-05-11
I'm trying to figure out why the below configuration is not functioning correctly.  What I'm wanting to do is use L2TP over IPSEC with a preshared key so that I can allow my Windows users to use it.  Currently, I can use the VPN using my smart phone, but can't get a Windows machine to do it.


Cryptochecksum: 24bccbc5 e7efceb3 67905aeb 7ee07169
: Saved
: Written by user at 06:55:30.639 EST Mon Feb 7 2011
!
ASA Version 8.2(4)
!
hostname xxx
domain-name xxx
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx
access-list inside standard permit any
access-list inside_nat0_outbound extended permit ip any xxx.xxx.xxx.xxx 255.255.255.0
pager lines 24
logging enable
logging list myvpninfo level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool name xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask 255.0.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 1.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_128_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_192_SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_192_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_192_MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_192_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server xxx.xxx.xxx.xxx source inside prefer
webvpn
 enable outside
 enable inside
 internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
group-policy DfltGrpPolicy attributes
 ip-comp enable
 ipsec-udp enable
 address-pools value telcopool
username user password hEgdy7LoN0ORhOp79Mi8qw== nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key key
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: checksum
: end

Question by:ben9035

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 34940809
Hi,

Please try to enable chap:
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap

Author Comment

by:ben9035
ID: 34940828
So everything else looks correct then?

Expert Comment

by:Istvan Kalmar
ID: 34940894
At first look, yes...

Author Comment

by:ben9035
ID: 34940903
Alright, I'll take a look at it as soon as I get back to the office.  On a side note, do you know why I would be unable to connect to the ASA via console cable?  I'm plugged in like normal, 9600, 8, 1, 0, typical COM port connection using PuTTY, but can't get anything other than the blank screen with the flashing cursor.  It's extremely annoying trying to figure out where things are in the ASDM since I'm so used to using the CLI.

Expert Comment

by:Istvan Kalmar
ID: 34940968
Did you set Flow control: None?

Author Comment

by:ben9035
ID: 34940972
yep

Author Closing Comment

by:ben9035
ID: 34981117
CHAP authentication needed to be added, but there was also a problem with the default map: I had to disable PFS on the ASA, then everything started working fine.
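The two changes the thread converged on (enable CHAP in the PPP attributes, and stop forcing PFS on SYSTEM_DEFAULT_CRYPTO_MAP) shown as before/after fragments of the posted 8.2(4) configuration. This is an added example written for this page; it is not the asker's final configuration and not something Istvan Kalmar posted. Two further edits are my own assumptions for hardening, not confirmed by the thread: dropping PAP now that CHAP and MS-CHAPv2 are on, and putting the existing transport-mode transform sets (TRANS_ESP_AES_128_SHA, TRANS_ESP_3DES_SHA, already defined in the posted config but unused by the dynamic map) in front of the tunnel-mode ones, since the Windows built-in L2TP/IPsec client negotiates ESP in transport mode. The trimmed transform-set list also drops the DES and MD5 sets; the phone that currently connects must still match one of the remaining sets, so check that before cutting over.

```cisco
! ---- BEFORE (as posted): PFS forced, CHAP disabled, PAP enabled ----
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2

! ---- AFTER: the thread's two fixes plus assumed hardening ----
! 1. The Windows client does not offer PFS for the IPsec (phase 2) SA,
!    so a dynamic map that requires it never completes quick mode.
!    (Confirmed by the author's closing comment.)
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

! 2. ASSUMPTION: lead with transport-mode sets for L2TP/IPsec and drop
!    DES/MD5. "set transform-set" replaces the whole list, so restate it.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_AES_128_SHA TRANS_ESP_3DES_SHA ESP-AES-256-SHA ESP-AES-128-SHA ESP-3DES-SHA

! 3. PPP authentication: enable CHAP (the accepted answer) and, as an
!    ASSUMPTION, turn PAP off so no client can fall back to it.
!    MS-CHAPv2 against the local database needs the passwords stored
!    nt-encrypted, which the posted "username ... nt-encrypted" lines already are.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v2

! ---- Verify from the ASA CLI after a Windows client dials in ----
! Phase 1 for the client's public IP should show MM_ACTIVE:
show crypto isakmp sa
! Phase 2: an SA for the peer with #pkts encaps/decaps counters climbing:
show crypto ipsec sa
! If it still stalls, watch for a proposal mismatch while the client connects:
debug crypto isakmp 127
undebug all
```

Unrelated to the Windows failure but visible in the posted config: both ISAKMP policies use 3DES with MD5 or SHA-1 and DH group 2, which is what the 2011-era Windows client proposes; treat it as the floor for compatibility, not a target, and prefer the AES/SHA sets wherever the clients allow it.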