jordi67 asked:
PPTP VPN through ASA5510,again

Hi again,
I'm asking for help again in this area, because somehow I'm not able to connect to a VPN server (which is an ISA 2004). I tried to configure it the following way (according to a previous answer):

You need a 1-1 static NAT with a 2nd public IP, then add an access-list (add to whatever ACL you already have),
where <public ip> is not the same IP as your outside interface:
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-list outside_in permit gre any host <public ip>
access-list outside_in permit tcp any host <public ip> eq 1723
access-group outside_in in interface outside

My first question is: where should I put the 2nd public IP, given that I have one IP configured on the outside interface?
Second question: I have only one IP on the inside (192.168.1.2), which is the ISA 2004; this way I already have a 1-1 static NAT with the outside IP. How can I do another static NAT with the 2nd public IP?

I think the config will show better what I mean:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxx encrypted
names
name 212.108.200.64 EurowebSMTP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 193.226.xxxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.45.6 255.255.255.0
 management-only
!
passwd xxxxxxxxx encrypted
!
time-range work-days
 periodic daily xxxx to xxxx
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp EurowebSMTP 255.255.255.192 interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list nonat extended permit ip host 192.168.1.2 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm emergencies
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapeivpnpool 192.168.0.10-192.168.0.60
ip verify reverse-path interface outside
ip audit name AttackPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.226.209.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy salesgroup internal
group-policy salesgroup attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 webvpn
username xxxx password xxxxxxxx encrypted
username xxxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxxx encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mapeimap 1 ipsec-isakmp dynamic dyn1
crypto map mapeimap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  3600
isakmp ipsec-over-tcp port 10000
tunnel-group salesgroup type ipsec-ra
tunnel-group salesgroup general-attributes
 address-pool mapeivpnpool
 authentication-server-group none
 default-group-policy salesgroup
tunnel-group salesgroup ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 172.16.45.100 255.255.255.255 management
ssh timeout 5
console timeout 3
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
: end
So, I just would like to allow users to connect to the VPN server (192.168.1.2) using PPTP, I can
Thanks a lot for your help.

rsivanandan:

You already have a static translation so you can use the same;

Just change the below;

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255

TO;

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255


and add the access-lists.

I would suggest doing the VPN on the PIX instead of ISA Server though.

Cheers,
Rajesh
jordi67 (asker):
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.25                                      
                                                  ^5
Hi,
I'm getting an error when adding this command (invalid input detected at marker)??

rsivanandan:

Leave out that entry and try.

Cheers,
Rajesh
jordi67 (asker):

Only:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.25
The rule for gre is not working; I get the error "invalid command detected".
rsivanandan:

Ok, that is fine. With that command, is the PPTP working?

Cheers,
Rajesh
jordi67 (asker):

Ok, I put in the following command:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
then I put in the access list:
access-list outside_access_in line 3 extended permit tcp any interface outside eq pptp

I can get to "verifying username and password", then the connection is closed.
Normal, because GRE is not allowed.
rsivanandan:

Okay, so far so good. Now let's allow GRE too:

sysopt connection permit-pptp

Put the command in and see if it helps.

Cheers,
Rajesh
jordi67 (asker):

Nope, I get the same error:
invalid error at marker pptp
rsivanandan:

Ok, now I see why :-) We don't have to enable GRE specifically, since it will be opened from inside by the ISA server.

I found the reason though:

Unfortunately, 7.0 doesn't support PPTP; there is a TAC case collection and also a supporting document for the same:


http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19136815

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_release_note09186a008057a11d.html#wp162241

You need a CCO account to view these; if you don't have one, then I can post the relevant part here.

So the answer would be: what we are trying to do is not possible; if it had been 6.x, then we could've done it.

Even this was news to me, since I've never worked on 7.x yet.

Cheers,
Rajesh
jordi67 (asker):

Dear Rajesh,
please can you publish it for me? I don't have a CCO yet.
And many thanks for your kindness.

As we talked about earlier, the users don't like to change their habits, as you know; they are used to PPTP. I've already configured the Cisco remote client and it works, but they cannot log in to the domain behind the ISA. I think I have to struggle to change this topology, maybe to put the ISA on a DMZ, I don't know yet.
rsivanandan:

Features not Supported in Version 7.0
The following features are not supported in the Version 7.0(1) release:

• PPPoE

• L2TP over IPSec

• PPTP



This is the part from the second link; for the first link you don't need to have CCO access!

Well, by the way, using the Cisco IPSEC VPN Client you should be able to pass through the ISA to authenticate. Actually I did answer a question on that here; lemme check and I'll post it in a minute.

Cheers,
Rajesh
ASKER CERTIFIED SOLUTION
rsivanandan:
[solution text not shown]
jordi67 (asker):

In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
and add another public IP to the outside pool of the PIX,
and make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?
rsivanandan:

That might work, but with Cisco saying it is not supported in 7.0, I'm not quite sure about it at the same time. But believe me, IPSEC is much better than PPTP, both maintenance-wise and configuration-wise. But you can give it a try, no harm in it. If it turns out to be successful, then we should wonder what those release notes from Cisco meant :-)

Also, you got the point from the other question I answered, right?


Cheers,
Rajesh
jordi67 (asker):

I will give both a try, but you know, if it works for PPTP then I may configure IPSEC with the ISA; this way it should be more secure.
I will let you know for sure.

Thanks,
bye
jordi67 (asker):

Hi,
ok, so I tried the PPTP connection and it works perfectly, the way I mentioned before:
assign a 2nd public IP and give the ISA another private IP.
So the release notes from Cisco are somehow strange.
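The working setup the asker describes, written out in ASA 7.0 syntax for the posted configuration, as an added example (not configuration from the thread). Assumptions: <2nd-public-ip> is a free address from the outside /28 that is not the interface address, and the ISA's external NIC has been given 192.168.1.3 in addition to 192.168.1.2. Two things the thread ran into are visible here: `static (inside,outside) tcp interface <port> ...` is port-level PAT on the interface address, so `gre` is rejected as a TCP port name (GRE is IP protocol 47 and has no ports), and for the same reason the GRE data channel cannot be shared with the interface address at all, which is why the 1:1 static to a dedicated public address is needed. Statics take precedence over the `nat (inside) 10` / `global (outside) 10 interface` pair, so 192.168.1.3 also leaves with the new address outbound. The permits are scoped to that one host, not to `interface outside`.

```text
! 1:1 static for the ISA's second address; the ASA answers ARP for <2nd-public-ip> on the outside
static (inside,outside) <2nd-public-ip> 192.168.1.3 netmask 255.255.255.255
! PPTP control channel (tcp/1723) and GRE data channel (IP protocol 47), to that host only
access-list outside_access_in extended permit tcp any host <2nd-public-ip> eq pptp
access-list outside_access_in extended permit gre any host <2nd-public-ip>
! already present in the posted config; shown so the fragment is complete
access-group outside_access_in in interface outside
! apply and verify
clear xlate
show xlate
show access-list outside_access_in
```

After a client connects, `show xlate` should list the 192.168.1.3 to <2nd-public-ip> translation and the hit counters on the two new ACL entries should both increase; if only the tcp/1723 counter moves, the symptom is the one seen above (authentication completes, then the tunnel drops) and the GRE path is what to look at. Note that PPTP's authentication (MS-CHAPv2) is considered weak, which is the reason behind Rajesh's advice to prefer IPsec, and that the "PPTP" line in the 7.0 release notes concerns the ASA terminating PPTP itself, not passing it through a static.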
rsivanandan:

Oh really? Then what do they mean?

Hmm... could it be that maybe PPTP is not supported to be terminated on the PIX itself?

Anyway, which way have you chosen to go?

Cheers,
Rajesh
jordi67 (asker):

Yes, I think termination on the PIX is what they mean.
For now I'm gonna use PPTP with machine certificates; this way it will be secure enough, I think.
rsivanandan:

Wokay... Enjoy VPNing...

Cheers,
Rajesh
jordi67 (asker):

Thanks again, dear Rajesh.
jordi67 (asker):

Please forgive me, I forgot one more question, if you permit:
later on, if I want to use L2TP/IPSEC, what ports should I allow in the PIX? Do you know?
rsivanandan:

No problem. You can see a full list of port numbers here: http://www.iana.org/assignments/port-numbers

Add that URL to your favorites :-)

FOR L2TP:

tcp/1701

FOR IPSEC:

udp/500

Cheers,
Rajesh
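For the L2TP/IPsec follow-up, an added example in the same ASA 7.0 syntax (not from the thread), assuming the ISA keeps the 1:1 static to <2nd-public-ip> used for PPTP above. With L2TP/IPsec the L2TP session (IANA registers port 1701 as UDP) is carried inside ESP, so what the outside ACL has to pass is IKE (udp/500), IKE NAT-T (udp/4500, used whenever a client sits behind NAT) and ESP (IP protocol 50); udp/1701 itself only needs opening if unprotected L2TP is to be accepted, which is not the Windows client default. Because `isakmp enable outside` and `crypto map mapeimap interface outside` make the ASA answer udp/500 on its own interface address, IKE for the ISA has to arrive on the separate static address, as it does here; the 1:1 static also means no PAT touches the ESP packets. L2TP/IPsec is also the Microsoft VPN type that authenticates with machine certificates.

```text
! IKE, IKE NAT-T and ESP to the ISA's dedicated public address (1:1 static, so ESP passes unchanged)
access-list outside_access_in extended permit udp any host <2nd-public-ip> eq isakmp
access-list outside_access_in extended permit udp any host <2nd-public-ip> eq 4500
access-list outside_access_in extended permit esp any host <2nd-public-ip>
! only if plain L2TP outside IPsec must also be accepted; otherwise leave it closed
! access-list outside_access_in extended permit udp any host <2nd-public-ip> eq 1701
show access-list outside_access_in
```

During a connection attempt the isakmp (or 4500) counter should move first, then the esp counter; if esp never increments, IKE completed but the data channel is being dropped, which is the L2TP/IPsec counterpart of the GRE problem seen with PPTP.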
A later comment, quoting jordi67's post above:

in the mean I was thinking the following
what if I configure a new IP on the external ISA network say 192.168.1.3
and add another public IP to the outside pool of the pix
and make a static 1-1 with the second public ip
and then add the access lists for pptp and gre
what do you think, should I try it?


Could anyone please clarify how I can do that, as I have the same case?