From: Michael Wong (generalccie@yahoo.com)
Date: Fri Sep 22 2006 - 13:20:35 ART
Hi,
I am setting up an L2TP environment. The L2TP client is Windows XP, and the L2TP server is an ISA server running on Windows 2003. In between the L2TP client and the L2TP server is an ASA5520 firewall. I cannot establish the tunnel with the configuration below. (I even opened ALL ports on the firewall and still cannot get the L2TP tunnel up.) With the configuration below I can get the PPTP tunnel up.
What are the potential problems? Is this an ASA configuration problem, or does it relate to a parameter mismatch between the ISA server and the L2TP client, or something else? How do I detect that?
Thanks!
Michael
ASA5520# wr t
: Saved
:
ASA Version 7.1(2)
!
hostname ASA5520
enable password iH3OvsPOCFI7gHAy encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.41.196.51 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.24.144.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside extended permit tcp any host 209.41.196.51 eq www
access-list outside extended permit tcp any host 209.41.196.51 eq https
access-list outside extended permit tcp any host 209.41.196.51 eq smtp
access-list outside extended permit tcp any host 209.41.196.51 eq pop3
access-list outside extended permit tcp any host 209.41.196.51 eq 500
access-list outside extended permit udp any host 209.41.196.51 eq isakmp
access-list outside extended permit tcp any host 209.41.196.51 eq 1701
access-list outside extended permit tcp any host 209.41.196.51 eq pptp
access-list outside extended permit tcp any host 209.41.196.51 eq 4500
access-list outside extended permit udp any host 209.41.196.51 eq 1723
access-list outside extended permit gre any host 209.41.196.51
access-list outside extended permit esp any host 209.41.196.51
access-list outside extended permit ah any host 209.41.196.51
access-list outside extended permit udp any host 209.41.196.51 eq 4500
access-list outside extended permit udp any host 209.41.196.51 eq 1701
access-list nat extended permit ip 172.24.0.0 255.255.0.0 any
pager lines 24
logging host inside 172.24.200.35
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list nat
static (inside,outside) interface 172.24.144.2 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 209.41.196.49 1
route inside 172.24.0.0 255.255.0.0 172.24.144.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password VUqiwARxRUrP/9X6 encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
snmp-server host inside 172.24.200.35 community tsatwic
no snmp-server location
no snmp-server contact
snmp-server community tsatwic
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.24.200.32 255.255.255.240 inside
telnet 172.24.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:17c6185c2239e56ecc560b947396f0d0
: end
[OK]
ASA5520#
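The first thing to rule out when a tunnel will not come up through a firewall is the access-list itself, so here is an added example (not part of the original post or the author's configuration) that parses the `access-list` lines from the config above and checks two things: whether every flow a given tunnel type needs to reach the server host is permitted, and whether any entry pairs a well-known VPN port with the wrong transport (for example TCP 1701 or UDP 1723). The sample ACL text is copied from the post; the port-name table, the expected-transport table and the per-tunnel required-flow sets are my own assumptions based on the standard port assignments (IKE UDP 500, NAT-T UDP 4500, ESP, L2TP UDP 1701, PPTP TCP 1723 plus GRE). Note that when L2TP runs inside IPsec, UDP 1701 is never seen in the clear by the firewall, so it is not in the L2TP/IPsec required set.

```python
from typing import List, NamedTuple, Optional, Set, Tuple

# Access-list lines copied verbatim from the ASA config in the post.
ACL_TEXT = """
access-list outside extended permit tcp any host 209.41.196.51 eq www
access-list outside extended permit tcp any host 209.41.196.51 eq https
access-list outside extended permit tcp any host 209.41.196.51 eq smtp
access-list outside extended permit tcp any host 209.41.196.51 eq pop3
access-list outside extended permit tcp any host 209.41.196.51 eq 500
access-list outside extended permit udp any host 209.41.196.51 eq isakmp
access-list outside extended permit tcp any host 209.41.196.51 eq 1701
access-list outside extended permit tcp any host 209.41.196.51 eq pptp
access-list outside extended permit tcp any host 209.41.196.51 eq 4500
access-list outside extended permit udp any host 209.41.196.51 eq 1723
access-list outside extended permit gre any host 209.41.196.51
access-list outside extended permit esp any host 209.41.196.51
access-list outside extended permit ah any host 209.41.196.51
access-list outside extended permit udp any host 209.41.196.51 eq 4500
access-list outside extended permit udp any host 209.41.196.51 eq 1701
access-list nat extended permit ip 172.24.0.0 255.255.0.0 any
"""

# Assumed: ASA port keywords used in the post, mapped to port numbers.
PORT_NAMES = {"isakmp": 500, "pptp": 1723, "www": 80, "https": 443, "smtp": 25, "pop3": 110}

# Assumed: the transport each well-known VPN port is actually carried on.
EXPECTED_PROTO = {500: "udp", 4500: "udp", 1701: "udp", 1723: "tcp"}

Flow = Tuple[str, Optional[int]]  # (protocol, port); port None means the whole protocol

# Assumed: flows the outside ACL must permit toward the server for each tunnel type.
# ESP is listed for the non-NAT-T case; with NAT-T the ESP payload rides inside UDP 4500.
REQUIRED: dict = {
    "L2TP/IPsec": {("udp", 500), ("udp", 4500), ("esp", None)},
    "PPTP": {("tcp", 1723), ("gre", None)},
}


class AclEntry(NamedTuple):
    name: str
    action: str
    proto: str
    dst: str
    port: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host X | NET MASK); return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse ASA 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        _, i = _addr(t, 5)          # source (ignored for this check)
        dst, i = _addr(t, i)        # destination
        port = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(name, action, proto, dst, port))
    return entries


def missing_flows(entries: List[AclEntry], dst: str, required: Set[Flow]) -> Set[Flow]:
    """Required flows toward dst that no permit entry covers."""
    permitted = {(e.proto, e.port) for e in entries if e.action == "permit" and e.dst == dst}
    return {f for f in required if f not in permitted}


def suspicious_entries(entries: List[AclEntry]) -> List[AclEntry]:
    """Entries that use a well-known VPN port on the wrong transport (likely typos)."""
    return [e for e in entries if e.port in EXPECTED_PROTO and e.proto != EXPECTED_PROTO[e.port]]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    server = "209.41.196.51"
    for tunnel, flows in REQUIRED.items():
        gap = missing_flows(acl, server, flows)
        print(f"{tunnel}: {'all required flows permitted' if not gap else 'missing ' + str(sorted(gap))}")
    for e in suspicious_entries(acl):
        print(f"suspect: {e.proto} port {e.port} in access-list {e.name} (expected {EXPECTED_PROTO[e.port]})")
```

Run against the posted config, the check reports no missing flows for either tunnel type and four protocol/port mismatches (TCP 500, TCP 1701, TCP 4500, UDP 1723). Those four entries are harmless noise, so the result agrees with the author's observation that opening all ports made no difference: the outside ACL is not what is blocking L2TP, and the next layers to examine are how the PAT `global (outside) 1 interface` and the `static (inside,outside) interface` entry interact with IKE and NAT-T traffic, and the L2TP/IPsec settings on the ISA server and XP client.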
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART