Cisco ASA 5505 - L2TP over IPsec


Can you post the output of your log while trying to establish a VPN connection at the debugging level? (In ASDM go to Monitoring -> Logging -> set the logging level to Debugging in the drop-down -> click View.)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

If you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

If you are testing on the same LAN, you would need to do this:

crypto map outside_map interface inside

Ugly, I know, but it'll let you test; then remove it from the inside interface and you are good to go.

If that doesn't work, would you be willing to post your running config?

EDIT 2:

OK, let's simplify this config a little. Try disconnecting the XP machine from the ASA. Also remove the 192.168.1.1 IP address and the DHCP pool from the ASA. Then try to connect via the VPN.
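As an added sanity check (not from this thread or from Cisco), the following Python script parses the crypto-related lines of a "show run" and reports the mismatch the answer describes: ISAKMP enabled on one interface while the crypto map is bound to another, which is exactly what produces syslog 713904. The embedded excerpt is constructed from the config posted in the question; the regexes assume the 7.2-style `crypto isakmp enable <if>` syntax.

```python
import re

# Constructed excerpt of the "show run" posted in the question; only the
# lines relevant to the crypto map / ISAKMP binding are kept.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_cryptomap_1 extended permit ip interface outside interface inside
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
"""

def check_crypto_bindings(config):
    """Return (code, crypto_map_name, interface_or_acl) tuples; [] means consistent."""
    nameifs = set(re.findall(r"^\s+nameif (\S+)", config, re.M))
    bindings = re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)
    isakmp_ifs = set(re.findall(r"^crypto isakmp enable (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    match_acls = re.findall(r"^crypto map (\S+) \d+ match address (\S+)", config, re.M)
    findings = []
    for name, intf in bindings:
        if intf not in nameifs:
            findings.append(("map-on-unknown-interface", name, intf))
        elif intf not in isakmp_ifs:
            # A map is applied here, but phase 1 (ISAKMP) is not enabled on this side.
            findings.append(("map-without-isakmp", name, intf))
    bound_ifs = {intf for _, intf in bindings}
    for intf in sorted(isakmp_ifs):
        if intf not in bound_ifs:
            # The case behind syslog 713904: peers arrive on an ISAKMP-enabled
            # interface that has no crypto map, so the ASA drops the packets.
            findings.append(("isakmp-without-map", "", intf))
    for name, acl in match_acls:
        if acl not in acls:
            findings.append(("map-acl-missing", name, acl))
    return findings

if __name__ == "__main__":
    for finding in check_crypto_bindings(ASA_CONFIG):
        print(finding)
```

Re-running it after changing the binding line to `crypto map outside_map interface outside` returns no findings.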


Author: xraminx

Updated on September 17, 2022

Comments

  • xraminx
    xraminx over 1 year

    I have followed this document on cisco site to set up the L2TP over IPsec connection.

    When I try to establish a VPN to ASA 5505 from my Windows XP, after I click on "connect" button, the "Connecting ...." dialog box appears and after a while I get this error message: Error 800: Unable to establish VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.

    • ASA version 7.2(4)
    • ASDM version 5.2(4)
    • Windows XP SP3

    Windows XP and ASA 5505 are on the same LAN for test purposes.

    Edit 1: There are two VLANs defined on the cisco device (the standard setup on cisco ASA5505). - port 0 is on VLAN2, outside; - and ports 1 to 7 on VLAN1, inside.

• I run a cable from my linksys home router (10.50.10.1) to the cisco ASA5505 router on port 0 (outside). Port 0 has IP 192.168.1.1 used internally by cisco and I have also assigned the external IP 10.50.10.206 to port 0 (outside).

    • I run a cable from Windows XP to Cisco router on port 1 (inside). Port 1 is assigned an IP from Cisco router 192.168.1.2.

    • The Windows XP is also connected to my linksys home router via wireless (10.50.10.141).

    Edit 2: When I try to establish vpn, the Cisco device real time Log viewer shows 7 entries like this:

    Severity:5 Date:Sep 15 2009 Time: 14:51:29 SyslogID: 713904 
    Destination IP = 10.50.10.141, 
    Decription: No crypto map bound to interface... dropping pkt
    

    Edit 3: This is the setup on the router right now.

    Result of the command: "show run"
    
    : Saved
    :
    ASA Version 7.2(4) 
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password HGFHGFGHFHGHGFHGF encrypted
    passwd NMMNMNMNMNMNMN encrypted
    names
    name 192.168.1.200 WebServer1
    name 10.50.10.206 external-ip-address
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address external-ip-address 255.0.0.0 
    !
    interface Vlan3
     no nameif
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    object-group service l2tp udp
     port-object eq 1701
    access-list outside_access_in remark Allow incoming tcp/http
    access-list outside_access_in extended permit tcp any host WebServer1 eq www 
    access-list outside_access_in extended permit udp any any eq 1701 
    access-list inside_nat0_outbound extended permit ip any 192.168.1.208 255.255.255.240 
    access-list inside_cryptomap_1 extended permit ip interface outside interface inside 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool PPTP-VPN 192.168.1.210-192.168.1.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www WebServer1 www netmask 255.255.255.255 
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto map outside_map 1 match address inside_cryptomap_1
    crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map interface inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd enable inside
    !
    
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.1.1
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    username myusername password FGHFGHFHGFHGFGFHF nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
     address-pool PPTP-VPN
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     authentication ms-chap-v2
    !
    !
    prompt hostname context 
    Cryptochecksum:a9331e84064f27e6220a8667bf5076c1
    : end
    
    • GregD
      GregD over 14 years
      xraminx - Can you edit your original question to tell us where you are now? It's confusing trying to determine that with what's above here and below in Zypher's question/comments.
    • xraminx
      xraminx over 14 years
      I edited the question and put all the info in the question now.
  • xraminx
    xraminx over 14 years
    When I try to establish vpn, the log shows 7 entries like this: Severity:5 Date:Sep 15 2009 Time: 14:51:29 SyslogID: 713904 Destination IP = 10.50.10.141, Decription: No crypto map bound to interface... dropping pkt I am trying to get more comfortable with the device first and then I will upgrade to the latest version of ASA software for sure.
  • xraminx
    xraminx over 14 years
Zypher, Win XP is 10.50.10.141, Router's outside interface is 10.50.10.206, and the VPN pool is 192.168.1.200-210. So even though the router and Win Xp are on the same LAN, the VPN is on a different subset. Do I still have to apply your recommendation regarding crypto map above?
  • Zypher
    Zypher over 14 years
So, just to make sure I'm understanding your setup. You have a cable going from the XP machine to the port assigned to the outside VLAN on the ASA (default port 0)?
  • xraminx
    xraminx over 14 years
There are two VLANs (the standard setup on 5505). port 0 is on VLAN2, outside; and ports 1 to 7 on VLAN1, inside. I run a cable from my linksys home router (10.50.10.1) to cisco router on port 0 (outside). Port 0 has IP 192.168.1.1 used internally by cisco and I have also assigned the external IP 10.50.10.206 to port 0 (outside). I run a cable from Windows XP to Cisco router on port 1 (inside). Port 1 is assigned an IP from Cisco router 192.168.1.2. The Windows XP is also connected to my linksys home router via wireless (10.50.10.114).
  • xraminx
    xraminx over 14 years
    Looks like I can not edit my comments: CORRECTION: "... The Windows XP is..... (10.50.10.141)"
  • xraminx
    xraminx over 14 years
Right now the only way to connect to the cisco router to configure it is 192.168.1.1. If I remove 192.168.1.1, then how do I connect to the router?
  • GregD
    GregD over 13 years
    There is a blue console cable that comes with your ASA. Connect that to your comm port on a laptop or computer to configure it using hyperterminal. Kickin it old school so to speak...