Solved

Cisco ASA 5510 VPN Configuration

Posted on 2011-02-20
Last Modified: 2012-05-11
I'm trying to figure out why the below configuration is not functioning correctly. What I'm wanting to do is use L2TP over IPSEC with a preshared key so that I can allow my Windows users to use it. Currently, I can use the VPN using my smart phone, but can't get a Windows machine to do it.


Cryptochecksum: 24bccbc5 e7efceb3 67905aeb 7ee07169
: Saved
: Written by user at 06:55:30.639 EST Mon Feb 7 2011
!
ASA Version 8.2(4)
!
hostname xxx
domain-name xxx
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx
access-list inside standard permit any
access-list inside_nat0_outbound extended permit ip any xxx.xxx.xxx.xxx 255.255.255.0
pager lines 24
logging enable
logging list myvpninfo level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool name xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask 255.0.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 1.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_128_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_192_SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_192_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_192_MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_AES_192_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server xxx.xxx.xxx.xxx source inside prefer
webvpn
 enable outside
 enable inside
 internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
group-policy DfltGrpPolicy attributes
 ip-comp enable
 ipsec-udp enable
 address-pools value telcopool
username user password hEgdy7LoN0ORhOp79Mi8qw== nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
username user password pwd nt-encrypted privilege 15
username user attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key key
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: checksum
: end

Question by:ben9035
7 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
Hi,

Please try to enable chap:
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap

Author Comment

by:ben9035
So everything else looks correct then?
LVL 34

Expert Comment

by:Istvan Kalmar
At the first look yes...

Author Comment

by:ben9035
Alright, I'll take a look at it as soon as I get back to the office. On a side note, do you know why I would be unable to connect to the ASA via console cable? I'm plugged in like normal, 9600, 8, 1, 0, typical COM port connection using PuTTY, but can't get anything other than the blank screen with the flashing cursor. It's extremely annoying trying to figure out where things are in the ASDM since I'm so used to using the CLI.
LVL 34

Expert Comment

by:Istvan Kalmar
Did you set Flow control: None?

Author Comment

by:ben9035
yep

Author Closing Comment

by:ben9035
CHAP authentication needed to be added, but there was also a problem with the default map: I had to disable PFS on the ASA, and then everything started working fine.
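The two changes that resolved this thread (enabling CHAP under ppp-attributes and removing PFS from the default dynamic map) are the kind of thing that is easy to miss when reading a long running-config in ASDM. The following is an added example, not part of the thread and not Cisco code: a small Python lint that parses ASA 8.x-style config lines and flags those two settings, plus one requirement the thread does not state but Cisco's L2TP/IPsec documentation does (the dynamic map must offer a transport-mode transform set; the question's SYSTEM_DEFAULT_CRYPTO_MAP lists only tunnel-mode sets even though TRANS_* sets are defined), and the legacy DES/3DES/MD5 algorithms still proposed. The sample config is constructed from the relevant lines of the question, the tunnel-group name DefaultRAGroup is taken from the thread as the default, and only explicit `authentication` / `no authentication` lines are modeled (ASA platform defaults for ppp-attributes are an assumption left out).

```python
"""Lint an ASA 8.x-style running-config for the settings that commonly break
L2TP/IPsec remote access from the Windows built-in client, plus legacy crypto.
Added example for this thread: not Cisco code and not the poster's own config."""
import re

# Constructed sample: the L2TP-relevant lines of the thread's config, placeholders kept.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
"""
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_sections(text):
    """Group config into (top-level line, [indented child lines]); '!' and blank lines dropped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] not in " \t":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections

def transform_sets(sections):
    """name -> {'algs': set, 'mode': 'tunnel' | 'transport'}; ASA's default mode is tunnel."""
    sets = {}
    for header, _ in sections:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", header)
        if m:
            entry = sets.setdefault(m.group(1), {"algs": set(), "mode": "tunnel"})
            words = m.group(2).split()
            if words[0] == "mode":
                entry["mode"] = words[1]
            else:
                entry["algs"].update(words)
    return sets

def dynamic_maps(sections):
    """name -> {'pfs': bool, 'transform_sets': [names in proposal order]}."""
    maps = {}
    for header, _ in sections:
        m = re.match(r"crypto dynamic-map (\S+) \d+ set (.+)$", header)
        if m:
            entry = maps.setdefault(m.group(1), {"pfs": False, "transform_sets": []})
            words = m.group(2).split()
            if words[0] == "pfs":
                entry["pfs"] = True
            elif words[0] == "transform-set":
                entry["transform_sets"] += words[1:]
    return maps

def ppp_auth(sections, group):
    """PPP authentication methods a tunnel group enables. Assumption: only explicit
    'authentication' / 'no authentication' lines are modeled, not ASA platform defaults."""
    enabled = set()
    for header, kids in sections:
        if header == f"tunnel-group {group} ppp-attributes":
            for k in kids:
                w = k.split()
                if w[:2] == ["no", "authentication"]:
                    enabled.discard(w[2])
                elif w[:1] == ["authentication"]:
                    enabled.add(w[1])
    return enabled

def lint(text, group="DefaultRAGroup"):
    """Findings for the L2TP tunnel group `group` (the thread's group name is the default)."""
    sections = parse_sections(text)
    tsets, findings = transform_sets(sections), []
    for dm, entry in sorted(dynamic_maps(sections).items()):
        used = [tsets[t] for t in entry["transform_sets"] if t in tsets]
        if entry["pfs"]:
            findings.append(f"{dm}: PFS is set; the Windows L2TP/IPsec client does not propose PFS by default")
        if not any(t["mode"] == "transport" for t in used):
            findings.append(f"{dm}: no transport-mode transform set; L2TP/IPsec negotiates transport mode")
        legacy = sorted({a for t in used for a in t["algs"] & LEGACY_ALGS})
        if legacy:
            findings.append(f"{dm}: legacy ESP algorithms offered: {', '.join(legacy)}")
    auth = ppp_auth(sections, group)
    if "chap" not in auth:
        findings.append(f"{group}: PPP CHAP not enabled (the accepted answer adds 'authentication chap')")
    if "pap" in auth:
        findings.append(f"{group}: PPP PAP enabled; the password crosses the tunnel unhashed, prefer ms-chap-v2")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a `show running-config` capture piped into `lint()`, the sample above yields five findings; after removing `set pfs`, pointing the dynamic map at a transport-mode set and enabling CHAP instead of PAP, the list is empty. The check deliberately reads only the lines present, so a setting the ASA applies by default and does not print will not be seen.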
