Solved

PPTP VPN through ASA5510,again

Posted on 2006-07-18 · 23 comments · 1,895 views · Last Modified: 2013-11-16
Hi again,
I'm applying for help again in this area, because somehow I'm not able to connect to a VPN server (which is an ISA2004). I tried to configure it the following way (according to a previous help):

You need a 1-1 static NAT with a 2nd public IP, then add an access-list (add to whatever ACL you already have),
where <public ip> is not the same IP as your outside interface:
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-list outside_in permit gre any host <public ip>
access-list outside_in permit tcp any host <public ip> eq 1723
access-group outside_in in interface outside

My first Q is: where should I include the 2nd public IP, supposing I have one IP configured on the outside interface?
Second Q is: I have only one IP on the inside (192.168.1.2), which is an ISA2004; this way I already have a 1-1 static NAT with the outside IP. How can I do another static NAT with the 2nd public IP?

I think the config will show better what I mean:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxx encrypted
names
name 212.108.200.64 EurowebSMTP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 193.226.xxxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.45.6 255.255.255.0
 management-only
!
passwd xxxxxxxxx encrypted
!
time-range work-days
 periodic daily xxxx to xxxx
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp EurowebSMTP 255.255.255.192 interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list nonat extended permit ip host 192.168.1.2 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm emergencies
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapeivpnpool 192.168.0.10-192.168.0.60
ip verify reverse-path interface outside
ip audit name AttackPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.226.209.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy salesgroup internal
group-policy salesgroup attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 webvpn
username xxxx password xxxxxxxx encrypted
username xxxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxxx encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mapeimap 1 ipsec-isakmp dynamic dyn1
crypto map mapeimap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  3600
isakmp ipsec-over-tcp port 10000
tunnel-group salesgroup type ipsec-ra
tunnel-group salesgroup general-attributes
 address-pool mapeivpnpool
 authentication-server-group none
 default-group-policy salesgroup
tunnel-group salesgroup ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 172.16.45.100 255.255.255.255 management
ssh timeout 5
console timeout 3
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
: end
So, I just would like to allow users to connect to the VPN server (192.168.1.2) using PPTP, I can
Thanks a lot for your help

0
Comment
Question by:jordi67
23 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17129464
You already have a static translation, so you can use the same:

Just change the below:

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255

TO:

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255


and add the access-lists.

I would suggest doing the VPN on the PIX instead of ISA Server though.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17129541
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.25                                      
                                                  ^5
Hi,
I'm getting an error when adding this command (invalid input detected at marker)?

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17130181
Leave out that entry and try.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17130254
Only:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
The rule for gre is not working; I get the error "invalid command detected".
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17130282
Ok, that is fine. With that command, is the PPTP working?

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17130475
OK,
I put the following command:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
then I put the access list:
access-list outside_access_in line 3 extended permit tcp any interface outside eq pptp

I can get to verifying username and password, then the connection is closed;
normal, because GRE is not allowed.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17131057
Okay, so far so good. Now let's allow GRE too:

sysopt connection permit-pptp


Put in the command and see if it helps.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17131111
Nope, I get the same error:
invalid error at marker pptp
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17131200
Ok, now I see why :-) We don't have to enable GRE specifically, since it will be opened from inside by the ISA server.

I found the reason though:

Unfortunately, 7.0 doesn't support PPTP. There is a TAC case collection and also a supporting document for the same:


http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19136815

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_release_note09186a008057a11d.html#wp162241

You need a CCO account to view these; if you don't have one, then I can post the relevant part here.

So the answer would be: what we are trying to do is not possible; if it had been 6.x, then we could've done it.

Even this was news to me, since I have never worked on 7.x yet.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17131276
Dear Rajesh,
please can you publish it for me? I don't have a CCO yet,
and many thanks for your kindness.

As we talked about earlier, the users don't like to change their habits, as you know; they are used to the PPTP. I've already configured the Cisco remote client and it works, but they cannot log in to the domain behind the ISA. I think I have to struggle to change this topology, maybe to put the ISA on a DMZ; I don't know yet.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17131320
Features not Supported in Version 7.0
The following features are not supported in the Version 7.0(1) release:

• PPPoE

• L2TP over IPSec

• PPTP



This is the part from the second link; for the first link you don't need to have CCO access!

Well, by the way, using the Cisco IPSEC VPN Client you should be able to pass through the ISA to authenticate. Actually, I did answer a question on that here; lemme check and I'll post it in a minute.

Cheers,
Rajesh
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 250 total points
ID: 17131338
Okay, here it is. This is exactly what you want:

http://www.experts-exchange.com/Security/Q_21917897.html

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17131397
In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
and add another public IP to the outside pool of the PIX,
and make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17131741
That might work, but with Cisco saying it is not supported in 7.0, I'm not quite sure about it at the same time. But believe me, IPSEC is much better than PPTP, both maintenance-wise and configuration-wise. But you can give it a try; no harm in it. If it turns out to be successful, then we should wonder what those release notes from Cisco meant :-)

Also, you got the point from the other question I answered, right?


Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17131770
I will give both a try, but you know, if it works for the PPTP then I may configure the IPSEC with ISA; this way it should be more secure.
I will let you know for sure.

Thanks,
bye
0
 

Author Comment

by:jordi67
ID: 17137350
Hi,
OK, so I tried the PPTP connection and it works perfectly, the way I mentioned before:
assign a 2nd public IP and give the ISA another private IP.
So the release notes from Cisco are somehow strange.
0
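As an added example (not code from the thread, from Cisco, or from Experts Exchange), the following Python checker tests ASA/PIX 7.x-style configuration text for the pieces the original question lists for PPTP passthrough, in the form the asker later reports as working: a 1:1 static NAT for the VPN server to a public IP other than the outside interface address, an inbound ACL permitting GRE (IP protocol 47) and tcp/1723 to that public IP, and that ACL bound inbound on the outside interface. It also flags port-style `static ... tcp interface gre` lines, which the ASA rejects because GRE is an IP protocol and not a TCP port. The function names, the two sample configs, and the 203.0.113.x addresses (documentation range, standing in for the masked public IPs on the page) are constructed for this example; 192.168.1.3 is the second private IP the asker proposed in the thread.

```python
"""Check an ASA/PIX 7.x-style config for complete PPTP passthrough to an inside host.
Understands only the 'static', 'access-list ... permit' and 'access-group' forms
used in the thread; object-groups and other syntax are ignored. (Constructed example.)"""

GRE_PROTOCOL = 47          # PPTP data channel: GRE is an IP protocol number, not a port
PPTP_CONTROL_PORT = 1723   # PPTP control channel runs over TCP
PORT_NAMES = {"pptp": 1723, "smtp": 25, "https": 443, "ftp": 21, "ssh": 22}


def port_number(token):
    """Translate an ASA port keyword or number into an int (None if unknown)."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def parse_address(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (spec, next_index).
    spec is 'any', a host address, 'interface:NAME', or 'addr/mask'."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok in ("host", "interface"):
        prefix = "interface:" if tok == "interface" else ""
        return prefix + tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_config(text):
    """Collect static NATs, permit ACEs per ACL name, and access-group bindings."""
    cfg = {"statics": [], "acls": {}, "access_groups": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static" and "netmask" in t:
            # static (real_if,mapped_if) [tcp|udp mapped mport real rport | mapped real] netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):
                e = {"proto": t[2], "mapped": t[3], "mapped_port": t[4], "real": t[5], "real_port": t[6]}
            else:
                e = {"proto": None, "mapped": t[2], "mapped_port": None, "real": t[3], "real_port": None}
            e.update(real_if=real_if, mapped_if=mapped_if, line=raw.strip())
            cfg["statics"].append(e)
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 1          # skips optional 'line N' and 'extended'
            proto = t[i]
            src, i = parse_address(t, i + 1)
            dst, i = parse_address(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(
                {"proto": proto, "src": src, "dst": dst, "port": port, "line": raw.strip()})
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in" and t[3] == "interface":
            cfg["access_groups"][t[4]] = t[1]
    return cfg


def dst_matches(spec, public_ip):
    """True when an ACE destination covers public_ip (exact host or 'any')."""
    return spec in ("any", public_ip)


def check_pptp_passthrough(cfg, inside_host, outside_if_ip, outside_if="outside"):
    """Return a list of problems; empty means PPTP passthrough to inside_host is complete."""
    problems = []
    # GRE cannot be expressed as a port-style static: the ASA parser rejects such lines.
    for s in cfg["statics"]:
        if s["proto"] and "gre" in (s["mapped_port"], s["real_port"]):
            problems.append("invalid: GRE is not a TCP/UDP port -> " + s["line"])
    # A whole-host 1:1 static on a public IP that is not the outside interface address.
    public_ips = [s["mapped"] for s in cfg["statics"]
                  if s["proto"] is None and s["real"] == inside_host and s["mapped_if"] == outside_if
                  and s["mapped"] not in ("interface", outside_if_ip)]
    if not public_ips:
        problems.append(f"no 1:1 static NAT for {inside_host} to a public IP other than "
                        f"the {outside_if} interface address ({outside_if_ip})")
        return problems
    public_ip = public_ips[0]
    # The ACL bound inbound on the outside interface must permit GRE and tcp/1723 to it.
    acl_name = cfg["access_groups"].get(outside_if)
    if acl_name is None:
        problems.append(f"no access-group bound 'in' on interface {outside_if}")
        return problems
    aces = cfg["acls"].get(acl_name, [])
    if not any(a["proto"] in ("gre", str(GRE_PROTOCOL), "ip") and dst_matches(a["dst"], public_ip)
               for a in aces):
        problems.append(f"{acl_name} does not permit GRE (protocol {GRE_PROTOCOL}) to {public_ip}")
    if not any(a["proto"] in ("tcp", "ip") and dst_matches(a["dst"], public_ip)
               and a["port"] in (None, PPTP_CONTROL_PORT) for a in aces):
        problems.append(f"{acl_name} does not permit tcp/{PPTP_CONTROL_PORT} to {public_ip}")
    return problems


# Constructed sample: the first attempt in the thread (port-style statics on the interface IP).
ORIGINAL_ATTEMPT = """
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-group outside_access_in in interface outside
"""

# Constructed sample: the approach the asker reported working (2nd public IP, 2nd ISA IP).
WORKING_CONFIG = """
static (inside,outside) 203.0.113.3 192.168.1.3 netmask 255.255.255.255
access-list outside_access_in extended permit gre any host 203.0.113.3
access-list outside_access_in extended permit tcp any host 203.0.113.3 eq 1723
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, text, host in (("original attempt", ORIGINAL_ATTEMPT, "192.168.1.2"),
                              ("second public IP", WORKING_CONFIG, "192.168.1.3")):
        result = check_pptp_passthrough(parse_config(text), host, "203.0.113.2")
        print(f"{label}: {'OK' if not result else result}")
```

Run as a script, the first sample is reported with two problems (the rejected GRE static and the missing 1:1 static), the second as OK. Because the checker reads the ACL that is actually bound with `access-group`, it also catches the case where the permit lines exist in an ACL that is not applied to the outside interface, which is the usual reason a passthrough "looks right" in the config but never passes GRE.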
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17137660
Oh really? Then what do they mean?

Hmm... could it be that maybe PPTP is not supported to be terminated on the PIX itself?

Anyway, which way have you chosen to go?

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17137977
Yes, I think termination on the PIX is what they mean.
For now I'm gonna use PPTP with machine certificates; this way it will be secure enough, I think.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17138078
Wokay... Njoy vpning...

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17138366
Thanks again dear Rajesh
0
 

Author Comment

by:jordi67
ID: 17138398
Please forgive me, I forgot one more question, if you permit:
later on, if I want to use L2TP/IPSEC, what ports should I allow in the PIX? Do you know?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17138423
No problem. You can see a full list of port numbers here: http://www.iana.org/assignments/port-numbers

Add that URL to your favorites :-)

FOR L2TP:

tcp/1701

FOR IPSEC:

udp/500

Cheers,
Rajesh
0
 

Expert Comment

by:A_M_R
ID: 22772036
In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
and add another public IP to the outside pool of the PIX,
and make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?


Could anyone please clarify how I can do that, as I have the same case?
0
