jordi67
asked on
PPTP VPN through ASA5510, again
Hi again,
I'm asking for help again in this area, because somehow I'm not able to connect to a VPN server (which is an ISA 2004). I tried to configure it the following way (according to previous help):
You need a 1-1 static NAT with a 2nd public IP, then add an access-list (add to whatever ACL you already have)
where <public ip> is not the same IP as your outside interface:
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-list outside_in permit gre any host <public ip>
access-list outside_in permit tcp any host <public ip> eq 1723
access-group outside_in in interface outside
My first question is: where should I include the 2nd public IP, supposing I have one IP configured on the outside interface?
My second question is: I have only one IP on the inside (192.168.1.2), which is an ISA 2004; this way I already have a 1-1 static NAT with the outside IP. How can I do another static NAT with the 2nd public IP?
I think the config will show better what I mean:
asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxx encrypted
names
name 212.108.200.64 EurowebSMTP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 193.226.xxxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.45.6 255.255.255.0
management-only
!
passwd xxxxxxxxx encrypted
!
time-range work-days
periodic daily xxxx to xxxx
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp EurowebSMTP 255.255.255.192 interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list nonat extended permit ip host 192.168.1.2 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm emergencies
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapeivpnpool 192.168.0.10-192.168.0.60
ip verify reverse-path interface outside
ip audit name AttackPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.226.209.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy salesgroup internal
group-policy salesgroup attributes
split-tunnel-policy tunnelall
split-tunnel-network-list none
webvpn
username xxxx password xxxxxxxx encrypted
username xxxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxxx encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mapeimap 1 ipsec-isakmp dynamic dyn1
crypto map mapeimap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal 3600
isakmp ipsec-over-tcp port 10000
tunnel-group salesgroup type ipsec-ra
tunnel-group salesgroup general-attributes
address-pool mapeivpnpool
authentication-server-group none
default-group-policy salesgroup
tunnel-group salesgroup ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 172.16.45.100 255.255.255.255 management
ssh timeout 5
console timeout 3
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
: end
So, I just would like to allow users to connect to the VPN server (192.168.1.2) using PPTP, I can
Thanks a lot for your help.
ASKER
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
^
Hi,
I'm getting an error when adding this command (invalid input detected at marker)??
Leave out that entry and try
Cheers,
Rajesh
ASKER
Only
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
The rule for GRE is not working;
I get the error "invalid command detected".
OK, that is fine. With that command, is PPTP working?
Cheers,
Rajesh
ASKER
OK,
I put in the following command:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
then I put in the access list:
access-list outside_access_in line 3 extended permit tcp any interface outside eq pptp
I can get to verifying username and password, then the connection is closed,
which is normal because GRE is not allowed.
Okay, so far so good. Now let's allow GRE too:
sysopt connection permit-pptp
Put in the command and see if it helps.
Cheers,
Rajesh
ASKER
Nope, I get the same error:
invalid error at marker pptp
Ok, now I see why :-) We don't have to enable GRE specifically, since it will be opened from inside by the ISA server.
I found the reason, though;
Unfortunately, 7.0 doesn't support PPTP. There is a TAC case collection and also a supporting document for the same:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19136815
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_release_note09186a008057a11d.html#wp162241
You need a CCO account to view these; if you don't have one, then I can post the relevant part here.
So the answer would be: what we are trying to do is not possible; if it had been 6.x, then we could've done it.
Even this was news to me, since I have never worked on 7.x yet.
Cheers,
Rajesh
ASKER
Dear Rajesh,
please can you publish it for me? I don't have a CCO yet,
and many thanks for your kindness.
As we talked about earlier, the users don't like to change their habits, as you know; they are used to PPTP. I've already configured the Cisco remote client and it works, but they cannot log in to the domain behind the ISA. I think I have to struggle to change this topology, maybe to put the ISA on a DMZ; I don't know yet.
Features not Supported in Version 7.0
The following features are not supported in the Version 7.0(1) release:
• PPPoE
• L2TP over IPSec
• PPTP
This is the part from the second link; for the first link you don't need to have CCO access!
Well, by the way, using the Cisco IPSEC VPN Client you should be able to pass through the ISA to authenticate. Actually I did answer a question on that here; lemme check and I'll post it in a minute.
Cheers,
Rajesh
ASKER CERTIFIED SOLUTION
ASKER
In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
and add another public IP to the outside pool of the PIX,
and make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?
That might work, but with Cisco saying it is not supported in 7.0, I'm not really sure about it at the same time. But believe me, IPSEC is much better than PPTP, both maintenance-wise and configuration-wise. But you can give it a try; no harm in it. If it turns out to be successful, then we should wonder what those release notes from Cisco meant :-)
Also, you got the point from the other question I answered, right?
Cheers,
Rajesh
ASKER
I will give both a try, but you know, if it works for PPTP then I may configure IPSEC with the ISA; this way it should be more secure.
I will let you know for sure.
Thanks,
bye
ASKER
Hi,
OK, so I tried the PPTP connection and it works perfectly, the way I mentioned before:
assign a 2nd public IP and give the ISA another private IP.
So the release notes from Cisco are somehow strange.
Oh really? Then what do they mean?
Hmm... could it be that maybe PPTP is not supported to be terminated on the PIX itself?
Anyway, which way have you chosen to go?
Cheers,
Rajesh
ASKER
Yes, I think termination on the PIX is what they mean.
For now I'm gonna use PPTP with machine certificates; this way it will be secure enough, I think.
Okay... Enjoy VPNing...
Cheers,
Rajesh
ASKER
Thanks again dear Rajesh
ASKER
Please forgive me, I forgot one more question, if you permit:
later on, if I want to use L2TP/IPSEC, what ports should I allow in the PIX? Do you know?
No problem. You can see a full list of port numbers here: http://www.iana.org/assignments/port-numbers
Add that URL to your favourites :-)
FOR L2TP:
tcp/1701
FOR IPSEC:
udp/500
Cheers,
Rajesh
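What the ASA in this topology actually has to pass for an L2TP/IPsec server behind it, as an added example that is not part of Rajesh's reply or jordi67's configuration. With L2TP/IPsec the L2TP session (udp/1701) travels inside the IPsec tunnel, so the firewall never sees port 1701; what it sees is IKE on udp/500, IKE and ESP encapsulated in udp/4500 once NAT traversal is negotiated (which it will be here, because the ISA sits behind the ASA's static NAT), and raw ESP (IP protocol 50) for peers with no NAT in the path. The second public IP 193.226.209.82 (assumed to be a free address in the same /28 as the default gateway in the posted config) and the ISA external address 192.168.1.3 are assumptions carried over from the PPTP case; substitute your own.

```cisco
! Added example, not from the thread. Assumed addresses:
!   193.226.209.82 = second public IP (free address in the outside /28)
!   192.168.1.3    = address on the ISA 2004 external NIC
!
! A separate public IP is required: the ASA already owns udp/500 on its own
! outside address ("isakmp enable outside" in the posted config), so IKE
! cannot be port-forwarded from the interface address the way smtp/https are.
static (inside,outside) 193.226.209.82 192.168.1.3 netmask 255.255.255.255
!
! IKE (udp/500)
access-list outside_access_in extended permit udp any host 193.226.209.82 eq isakmp
! NAT-T: IKE and ESP-in-UDP after NAT detection (udp/4500)
access-list outside_access_in extended permit udp any host 193.226.209.82 eq 4500
! Raw ESP (IP protocol 50) for peers that do not end up using NAT-T.
! The 1:1 static translates every IP protocol, so ESP is carried too.
access-list outside_access_in extended permit esp any host 193.226.209.82
! No rule for 1701: L2TP is inside the tunnel and is filtered by the ISA,
! not by the ASA.
!
! Existing translations are not re-evaluated until cleared:
clear xlate
!
! Checks (ASA 7.0):
!   show access-list outside_access_in  - hitcnt on the isakmp line first,
!                                         then on the 4500 line
!   show xlate                          - Global 193.226.209.82 Local 192.168.1.3
```

Because the server side is always behind NAT in this design, a successful connection will switch to udp/4500 after the first IKE exchange and the ESP line will normally show no hits; it is kept so that the rule set is complete rather than tuned to one client population. Whether a given Windows client supports NAT-T toward a server that is itself behind NAT is a client-side question, outside the firewall's scope.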
in the mean I was thinking the following
what if I configure a new IP on the external ISA network say 192.168.1.3
and add another public IP to the outside pool of the pix
and make a static 1-1 with the second public ip
and then add the access lists for pptp and gre
what do you think, should I try it?
Could anyone please clarify how I can do that, as I have the same case?
Just change the below:
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
TO:
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
and add the access-lists.
I would suggest doing the VPN on the PIX instead of ISA Server though.
Cheers,
Rajesh
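The configuration jordi67 reported working earlier in the thread (a second public IP, a second private IP on the ISA's external NIC, a 1:1 static, and ACL entries for tcp/1723 and GRE), spelled out in ASA 7.0 syntax as an added example. This is not configuration posted by anyone in the thread. It also answers the original question about where the 2nd public IP goes: nowhere on an interface, only in the static. The reason the `static ... tcp interface gre` form was rejected is that the `tcp` keyword expects a TCP port and GRE (IP protocol 47) has no ports; a port-based static PAT on the interface address could never carry the GRE data channel, which is why the tcp/1723 control channel reached the ISA but the session died right after authentication. The address 193.226.209.82 (assumed to be a free address in the same /28 as the default gateway in the posted config) and 192.168.1.3 are assumptions; the ISA side (adding 192.168.1.3 to its external NIC and binding its PPTP listener to it) is assumed and not shown.

```cisco
! Added example, not from the thread. Assumed addresses:
!   193.226.209.82 = second public IP (free address in the outside /28)
!   192.168.1.3    = second address on the ISA 2004 external NIC
!
! 1:1 static: unlike "static (inside,outside) tcp interface ...", a plain
! static translates every IP protocol, so GRE reaches the ISA.
! The ASA answers ARP for the mapped address on the outside segment.
static (inside,outside) 193.226.209.82 192.168.1.3 netmask 255.255.255.255
!
! Both halves of PPTP: the TCP/1723 control channel and the GRE data channel,
! added to the ACL already applied inbound on outside in the posted config.
access-list outside_access_in extended permit tcp any host 193.226.209.82 eq pptp
access-list outside_access_in extended permit gre any host 193.226.209.82
!
! The existing static PAT entries for smtp/https on the interface address are
! untouched; they and the new static do not overlap.
! Existing translations are not re-evaluated until cleared:
clear xlate
!
! Checks (ASA 7.0):
!   show xlate                          - Global 193.226.209.82 Local 192.168.1.3
!   show access-list outside_access_in  - hitcnt on the tcp/pptp line rises
!                                         first, the gre line once the client
!                                         passes authentication
!   show conn detail                    - a GRE conn next to the TCP/1723 conn
```

The ACL is evaluated top-down with an implicit deny at the end, so the two new lines can sit anywhere in it. The 7.0 release note quoted above lists PPTP among features the ASA does not provide, that is, it will not terminate PPTP itself, which matches the thread's conclusion and does not stop it from passing PPTP through to a server behind a 1:1 static. If a standing `permit gre` is unwelcome, ASA 7.x also offers PPTP inspection (`inspect pptp` in the inspection policy-map), which opens the GRE channel per call; it is not used in this thread and is an option, not a requirement.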