Cisco ASA 5505 - L2TP over IPsec
- by xraminx
I have followed this document on cisco site to set up the L2TP over IPsec connection.
When I try to establish a VPN to ASA 5505 from my Windows XP, after I click on "connect" button, the "Connecting ...." dialog box appears and after a while I get this error message:
Error 800: Unable to establish VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.
ASA version 7.2(4)
ASDM version 5.2(4)
Windows XP SP3
Windows XP and ASA 5505 are on the same LAN for test purposes.
Edit 1:
There are two VLANs defined on the cisco device (the standard setup on cisco ASA5505).
- port 0 is on VLAN2, outside;
- and ports 1 to 7 on VLAN1, inside.
I run a cable from my linksys home router (10.50.10.1) to the cisco ASA5505 router on port 0 (outside).
Port 0 have IP 192.168.1.1 used internally by cisco and I have also assigned the external IP 10.50.10.206 to port 0 (outside).
I run a cable from Windows XP to Cisco router on port 1 (inside). Port 1 is assigned an IP from Cisco router 192.168.1.2.
The Windows XP is also connected to my linksys home router via wireless (10.50.10.141).
Edit 2:
When I try to establish vpn, the Cisco device real time Log viewer shows 7 entries like this:
Severity:5 Date:Sep 15 2009 Time: 14:51:29 SyslogID: 713904
Destination IP = 10.50.10.141,
Decription: No crypto map bound to interface... dropping pkt
Edit 3:
This is the setup on the router right now.
Result of the command: "show run"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HGFHGFGHFHGHGFHGF encrypted
passwd NMMNMNMNMNMNMN encrypted
names
name 192.168.1.200 WebServer1
name 10.50.10.206 external-ip-address
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address external-ip-address 255.0.0.0
!
interface Vlan3
no nameif
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service l2tp udp
port-object eq 1701
access-list outside_access_in remark Allow incoming tcp/http
access-list outside_access_in extended permit tcp any host WebServer1 eq www
access-list outside_access_in extended permit udp any any eq 1701
access-list inside_nat0_outbound extended permit ip any 192.168.1.208 255.255.255.240
access-list inside_cryptomap_1 extended permit ip interface outside interface inside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PPTP-VPN 192.168.1.210-192.168.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www WebServer1 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec
username myusername password FGHFGHFHGFHGFGFHF nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool PPTP-VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:a9331e84064f27e6220a8667bf5076c1
: end
