取消
显示结果 
搜索替代 
您的意思是: 
cancel
3276
查看次数
0
有帮助
0
回复

ASA5520 L2TP OVER IPSEC问题

tao.li
Level 3
Level 3


有没有朋友碰到过,请帮忙看一下是那里出了问题。
ASA5520上配置了L2TP VPN通过XP自带VPN软件拨入没有任何反应。
ASA5520上的报错信息为:
%ASA-7-710005: UDP request discarded from 115.206.117.182/1701 to outside:60.180.200.34/1701
设备配置如下:
ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password llz2BTCfp.V1ZiUB encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.180.200.34 255.255.255.224
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd llz2BTCfp.V1ZiUB encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name chder.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ccess-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list outside_access_server extended permit udp any host 60.180.200.34 eq 1701
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit icmp any any
access-list dmz extended permit ip any any
access-list l2tp extended permit ip host 60.180.200.34 any
pager lines 24
logging enable
logging buffer-size 40960
logging buffered debugging
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ip local pool vpn-pool 172.16.10.100-172.16.10.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any inside
asdm image disk0:/ASDM-523.BIN
no asdm history enable
arp timeout 14400
global (outside) 1 60.180.200.35
nat (dmz) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0
access-group outside_access_server in interface outside
access-group dmz in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 60.180.200.33 1
route inside 192.168.0.0 255.255.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 match address l2tp
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.1.1
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value vpn.cisco.com
username cisco password HVEXQSaKn76cENr5 encrypted
username cisco attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:ec8c7ba9c4d232eb70ed9b8894d2b0b4
: end


问题已解决。
将注册表中的HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters。下面的ProhibitIpSec键删除后重启电脑后,可以正常连接了。


0 条回复0
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接