Cisco ASA 5505 - L2TP over IPsec
Can you post the output of your log while trying to establish a VPN connection at the debugging level? (In the ASDM go to Monitoring -> Logging -> set the logging level to debug in the drop-down -> click View.)
Also, unless there is a compelling reason to stay at 7.2(4), I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.
EDIT
That error means that the interface the incoming VPN is set up on doesn't have a crypto map applied.
If you were following the instructions there, you probably applied the crypto map like this:
crypto map outside_map interface outside
If you are testing on the same LAN you would need to do this:
crypto map outside_map interface inside
Ugly, I know, but it'll let you test; then remove it from the inside interface and you are good to go.
If that doesn't work, would you be willing to post your running config?
EDIT 2:
OK, let's simplify this config a little. Try disconnecting the XP machine from the ASA, and also remove the 192.168.1.1 IP address and DHCP pool from the ASA. Then try to connect via the VPN.
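The point of the answer above is that syslog 713904 ("No crypto map bound to interface") is a configuration consistency problem: the interface the client reaches must have a crypto map bound to it, and ISAKMP must be enabled on that same interface. The following script is an added example written for this page (not code from the answerers or from Cisco): it parses a trimmed excerpt of the running config posted in the question, constructed here as sample input, and reports, for a given nameif, which of those two bindings is missing. The regexes and the three-fact model of the config are assumptions of this example, not an ASA API.

```python
import re

# Constructed sample: the interface, crypto map and ISAKMP lines from the
# "show run" posted in the question, trimmed to what this check needs.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address external-ip-address 255.0.0.0
!
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
"""

# "crypto map <name> interface <nameif>" binds a map; the numbered
# "crypto map <name> <seq> ..." entries deliberately do not match here.
CRYPTO_MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)\s*$")
ISAKMP_ENABLE = re.compile(r"^crypto isakmp enable (\S+)\s*$")
NAMEIF = re.compile(r"^\s*nameif (\S+)\s*$")


def parse_vpn_bindings(config):
    """Collect the facts that decide whether an interface can terminate IPsec:
    the nameifs that exist, which map (if any) is bound to each, and where IKE is on."""
    interfaces, crypto_maps, isakmp = set(), {}, set()
    for line in config.splitlines():
        if m := NAMEIF.match(line):
            interfaces.add(m.group(1))
        elif m := CRYPTO_MAP_BIND.match(line):
            crypto_maps[m.group(2)] = m.group(1)
        elif m := ISAKMP_ENABLE.match(line):
            isakmp.add(m.group(1))
    return {"interfaces": interfaces, "crypto_maps": crypto_maps, "isakmp": isakmp}


def check_interface(config, ifname):
    """Return findings for the interface the VPN client is actually hitting."""
    facts = parse_vpn_bindings(config)
    findings = []
    if ifname not in facts["interfaces"]:
        findings.append(f"{ifname}: no such nameif in config")
        return findings
    if ifname not in facts["crypto_maps"]:
        findings.append(f"{ifname}: no crypto map bound (expect syslog 713904)")
    if ifname not in facts["isakmp"]:
        findings.append(f"{ifname}: ISAKMP not enabled (crypto isakmp enable {ifname})")
    return findings


def ready_interfaces(config):
    """Interfaces that have both a bound crypto map and ISAKMP enabled."""
    facts = parse_vpn_bindings(config)
    return set(facts["crypto_maps"]) & facts["isakmp"]


if __name__ == "__main__":
    for name in ("outside", "inside"):
        for finding in check_interface(SAMPLE_CONFIG, name):
            print(finding)
    # Rebind the map to the outside interface, as the answer's first snippet does.
    fixed = SAMPLE_CONFIG.replace(
        "crypto map outside_map interface inside",
        "crypto map outside_map interface outside",
    )
    print("ready after rebinding:", ready_interfaces(fixed))
```

Run against the posted excerpt, the check reports that outside has ISAKMP but no crypto map, and inside has the crypto map but no ISAKMP, which is exactly the split a client on either side would trip over. Rebinding the map to outside (the answer's first snippet) makes outside the one interface with both; for the same-LAN test in the second snippet you would instead need ISAKMP enabled on inside too.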
xraminx, updated on September 17, 2022
Comments
-
xraminx, over 1 year ago:
I have followed this document on cisco site to set up the L2TP over IPsec connection.
When I try to establish a VPN to the ASA 5505 from my Windows XP machine, after I click on the "Connect" button, the "Connecting..." dialog box appears and after a while I get this error message: Error 800: Unable to establish VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.
- ASA version 7.2(4)
- ASDM version 5.2(4)
- Windows XP SP3
Windows XP and ASA 5505 are on the same LAN for test purposes.
Edit 1: There are two VLANs defined on the Cisco device (the standard setup on the Cisco ASA 5505):
- port 0 is on VLAN2, outside;
- ports 1 to 7 are on VLAN1, inside.
I run a cable from my Linksys home router (10.50.10.1) to the Cisco ASA 5505 router on port 0 (outside). Port 0 has IP 192.168.1.1, used internally by Cisco, and I have also assigned the external IP 10.50.10.206 to port 0 (outside).
I run a cable from Windows XP to the Cisco router on port 1 (inside). Port 1 is assigned an IP from the Cisco router, 192.168.1.2.
The Windows XP machine is also connected to my Linksys home router via wireless (10.50.10.141).
Edit 2: When I try to establish the VPN, the Cisco device's real-time log viewer shows 7 entries like this:
Severity:5 Date:Sep 15 2009 Time: 14:51:29 SyslogID: 713904 Destination IP = 10.50.10.141, Decription: No crypto map bound to interface... dropping pkt
Edit 3: This is the setup on the router right now.
Result of the command: "show run"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HGFHGFGHFHGHGFHGF encrypted
passwd NMMNMNMNMNMNMN encrypted
names
name 192.168.1.200 WebServer1
name 10.50.10.206 external-ip-address
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address external-ip-address 255.0.0.0
!
interface Vlan3
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service l2tp udp
 port-object eq 1701
access-list outside_access_in remark Allow incoming tcp/http
access-list outside_access_in extended permit tcp any host WebServer1 eq www
access-list outside_access_in extended permit udp any any eq 1701
access-list inside_nat0_outbound extended permit ip any 192.168.1.208 255.255.255.240
access-list inside_cryptomap_1 extended permit ip interface outside interface inside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PPTP-VPN 192.168.1.210-192.168.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www WebServer1 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
username myusername password FGHFGHFHGFHGFGFHF nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool PPTP-VPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:a9331e84064f27e6220a8667bf5076c1
: end
-
GregD, over 14 years ago: xraminx - Can you edit your original question to tell us where you are now? It's confusing trying to determine that with what's above here and below in Zypher's question/comments.
-
xraminx, over 14 years ago: I edited the question and put all the info in the question now.
-
xraminx, over 14 years ago: When I try to establish the VPN, the log shows 7 entries like this: Severity:5 Date:Sep 15 2009 Time: 14:51:29 SyslogID: 713904 Destination IP = 10.50.10.141, Decription: No crypto map bound to interface... dropping pkt I am trying to get more comfortable with the device first and then I will upgrade to the latest version of the ASA software for sure.
-
xraminx, over 14 years ago: Zypher, Win XP is 10.50.10.141, the router's outside interface is 10.50.10.206, and the VPN pool is 192.168.1.200-210. So even though the router and Win XP are on the same LAN, the VPN is on a different subnet. Do I still have to apply your recommendation regarding the crypto map above?
-
Zypher, over 14 years ago: So, just to make sure I'm understanding your setup: you have a cable going from the XP machine to the port assigned to the outside VLAN on the ASA (default port 0)?
-
xraminx, over 14 years ago: There are two VLANs (the standard setup on the 5505). Port 0 is on VLAN2, outside; ports 1 to 7 are on VLAN1, inside. I run a cable from my Linksys home router (10.50.10.1) to the Cisco router on port 0 (outside). Port 0 has IP 192.168.1.1, used internally by Cisco, and I have also assigned the external IP 10.50.10.206 to port 0 (outside). I run a cable from Windows XP to the Cisco router on port 1 (inside). Port 1 is assigned an IP from the Cisco router, 192.168.1.2. The Windows XP machine is also connected to my Linksys home router via wireless (10.50.10.114).
-
xraminx, over 14 years ago: Looks like I cannot edit my comments. CORRECTION: "... The Windows XP is ... (10.50.10.141)"
-
xraminx, over 14 years ago: Right now the only way to connect to the Cisco router to configure it is 192.168.1.1. If I remove 192.168.1.1, then how do I connect to the router?
-
GregD, over 13 years ago: There is a blue console cable that comes with your ASA. Connect that to the COM port on a laptop or computer to configure it using HyperTerminal. Kickin' it old school, so to speak...