Content Filtering Client Control access to unwanted and unsecure web content.Capture Client Stop advanced threats and rollback the damage caused by malware.Cloud Firewall (NS v) Next-generation firewall capabilities in the cloud.Cloud App Security Visibility and security for Cloud Apps.Email Security Protect against today’s advanced email threats.Switches High-speed network switching for business connectivity.Wireless Access Points Easy to manage, fast and secure Wi-FI.Secure Mobile Access Remote, best-in-class, secure access.Cloud Edge Secure Access Deploy Zero-Trust Security in minutes.Capture Security appliance Advanced Threat Protection for modern threat landscape.Capture ATP Multi-engine advanced threat detection.Network Security Manager Modern Security Management for today’s security landscape.Security Services Comprehensive security for your network security solution.Next Generation Firewall Next-generation firewall for SMB, Enterprise, and Government.
Also noted that both Phase1 and Phase2 are completed which tells me that ISAKMP and IPSec are successful, but the firewall simply does not know how to dish out IP address to the client. Did the L2TP test and the firewall returned with error message “IPAA: Error freeing IP address 0.0.0.0”. Once this is done, I’ve disassociate the IP Pool from the DefaultRAGroup TG (otherwise known as Connection Profiles in later OS) so the IP Pool for this TG is nothing (empty). I have tried this method by creating multiple TGs an associate each one to different IP Pools. Problem now is that you cannot associate (lock) a single DefaultRAGroup Group Policy to multiple TGs. I know that you can associate each user to a particular tunnel group (TG) policy, at which point you can create multiple TGs that associate to different IP Pools. The Group Policy (tunnel group) is configured for Pre-Shared secret (just like the tutorial) and the users are created locally in LOCAL AAA server. My dilemma at the moment is working out how to connect multiples L2TP clients AND associate the clients to different local IP Address Pools configured locally on the firewall (ASA5510). You will often see “All IPSec SA proposals found unacceptable” because of this problem. If you have multiple dynamic crypto maps, then you need to make your L2TP crypto map has a higher priority than the others. The below video has me configuring this from a blank box, so you will see me get an IP on the ASA and then enabling ASDM. There are a couple of gotchas in the configuration, namely the group policy needing IPSec checked as well as dropping PFS in the crypto map.
The configuration of the ASA and the client is covered in the video.
Windows has conveniently included an L2TP client right in the OS, so there is nothing to install, just a few things to configure. What the ASA does is to encrypt the transit with IPSec, thus protecting the payload. L2TP is built off of PPP and by itself provides no encryption. So a viable option is to use the anyconnect client with SSL VPN, though a 50 pack of VPN clients will cost you around $3K…no thanks! What you can do is use L2TP on your ASA.
Windows 7 does have an XP compaitibility mode that works around this, but for you XP and Vista folks running 64 bit, this won’t do you any good.
This is because the IPSec client is 32 bit and also needs to install a 32 bit driver, which won’t work on a 64 bit system. Alrighty! Now that 64 bit windows is getting more prevalent, it is getting harder to get the Cisco IPSec client installed.