Solved

PPTP VPN through ASA5510,again

Posted on 2006-07-18
1,886 Views
Last Modified: 2013-11-16
Hi again,
I'm asking for help again in this area, because somehow I'm not able to connect to a VPN server (which is an ISA 2004). I tried to configure it the following way (according to previous help):

You need a 1-1 static NAT with a 2nd public IP, then add an access-list (add to whatever ACL you already have),
where <public ip> is not the same IP as your outside interface:
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-list outside_in permit gre any host <public ip>
access-list outside_in permit tcp any host <public ip> eq 1723
access-group outside_in in interface outside

My first Q is: where should I include the 2nd public IP, supposing I have one IP configured on the outside interface?
Second Q is: I have only one IP on the inside (192.168.1.2), which is an ISA 2004; this way I already have a 1-1 static NAT with the outside IP. How can I do another static NAT with the 2nd public IP?

I think the config will show better what I mean:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxx encrypted
names
name 212.108.200.64 EurowebSMTP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 193.226.xxxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.45.6 255.255.255.0
 management-only
!
passwd xxxxxxxxx encrypted
!
time-range work-days
 periodic daily xxxx to xxxx
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp EurowebSMTP 255.255.255.192 interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list nonat extended permit ip host 192.168.1.2 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm emergencies
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapeivpnpool 192.168.0.10-192.168.0.60
ip verify reverse-path interface outside
ip audit name AttackPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.226.209.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy salesgroup internal
group-policy salesgroup attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 webvpn
username xxxx password xxxxxxxx encrypted
username xxxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxxx encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mapeimap 1 ipsec-isakmp dynamic dyn1
crypto map mapeimap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  3600
isakmp ipsec-over-tcp port 10000
tunnel-group salesgroup type ipsec-ra
tunnel-group salesgroup general-attributes
 address-pool mapeivpnpool
 authentication-server-group none
 default-group-policy salesgroup
tunnel-group salesgroup ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 172.16.45.100 255.255.255.255 management
ssh timeout 5
console timeout 3
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
: end
So, I just would like to allow users to connect to the VPN server (192.168.1.2) using PPTP, I can
Thanks a lot for your help.

Question by: jordi67
23 Comments

Expert Comment by rsivanandan (LVL 32):
You already have a static translation so you can use the same;

Just change the below;

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255

TO;

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255


and add the access-lists.

I would suggest doing the VPN on the PIX instead of ISA Server though.

Cheers,
Rajesh

Author Comment by jordi67:
static (inside,outside) tcp interface gre 192.168.1.2 gre netmask 255.255.255.255
                                                  ^
Hi,
I'm getting an error when adding this command (invalid input detected at the '^' marker)??


Expert Comment by rsivanandan (LVL 32):
Leave out that entry and try

Cheers,
Rajesh

Author Comment by jordi67:
Only
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
works; the rule for GRE is not working,
I get the error "invalid command detected".

Expert Comment by rsivanandan (LVL 32):
Ok, that is fine. With that command, is PPTP working?

Cheers,
Rajesh

Author Comment by jordi67:
OK,
I put the following command:
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
then I put the access list:
access-list outside_access_in line 3 extended permit tcp any interface outside eq pptp

I can get to verifying username and password, then the connection is closed;
normal, because GRE is not allowed.

Expert Comment by rsivanandan (LVL 32):
Okay, so far so good. Now let's allow GRE too;

sysopt connection permit-pptp


put the command and see if it helps.

Cheers,
Rajesh

Author Comment by jordi67:
Nope, I get the same error,
invalid input at marker pptp

Expert Comment by rsivanandan (LVL 32):
Ok, now I see why :-) We don't have to enable GRE specifically, since it will be opened from inside by the ISA server.

I found the reason though:

Unfortunately, 7.0 doesn't support PPTP; there is a TAC case collection and also a supporting document for the same:


http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19136815

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_release_note09186a008057a11d.html#wp162241

You need a CCO account to view these; if you don't have one then I can post the relevant part here.

So the answer would be: what we are trying to do is not possible; if it had been 6.x, then we could've done it.

Even this was news to me, since I have never worked on 7.x yet.

Cheers,
Rajesh

Author Comment by jordi67:
Dear Rajesh,
please can you publish it for me, I don't have a CCO yet,
and many thanks for your kindness.

As we talked earlier, the users don't like to change their habits, as you know; they are used to PPTP. I've already configured the Cisco remote client and it works, but they cannot log in to the domain behind the ISA. I think I will have to struggle to change this topology, maybe to put the ISA on a DMZ, don't know yet.

Expert Comment by rsivanandan (LVL 32):
Features not Supported in Version 7.0
The following features are not supported in the Version 7.0(1) release:

•PPPoE

•L2TP over IPSec

•PPTP

This is the part from the second link; for the first link you don't need CCO access!

Well, by the way, using the Cisco IPsec VPN Client you should be able to pass through the ISA to authenticate. Actually I did answer a question here; lemme check and I'll post it in a minute.

Cheers,
Rajesh

Accepted Solution by rsivanandan (LVL 32, earned 250 total points):
Okay, here it is. This is exactly what you want;

http://www.experts-exchange.com/Security/Q_21917897.html

Cheers,
Rajesh

Author Comment by jordi67:
In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
add another public IP to the outside pool of the PIX,
make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?

Expert Comment by rsivanandan (LVL 32):
That might work, but with Cisco saying it is not supported in 7.0, I'm not pretty sure about it at the same time. But believe me, IPSEC is much better than PPTP, both maintenance-wise and configuration-wise. But you can give it a try, no harm in it. If it turns out to be successful then we should wonder what those release notes from Cisco meant :-)

Also, you got the point from the other question I answered, right?


Cheers,
Rajesh

Author Comment by jordi67:
I will give both a try, but you know, if it works for PPTP then I may configure IPsec with the ISA; this way it should be more secure.
I will let you know for sure

thanks
bye

Author Comment by jordi67:
Hi,
OK, so I tried the PPTP connection and it works perfectly, the way I mentioned before:
assign a 2nd public IP and give the ISA another private IP.
So the release notes from Cisco are somehow strange.
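The working variant the author describes above (a second public address statically mapped to a second private address on the ISA's external NIC, with TCP/1723 and GRE permitted to it), written out against the posted ASA 7.0(4) configuration. This is an added example, not the author's actual commands: <public-ip-2> stands for a spare address in the outside /28 that is not the interface address, and 192.168.1.3 for the second address bound to the ISA 2004 external NIC; both are assumptions. It also accounts for the earlier failures. PPTP is two flows, a TCP/1723 control connection and a GRE (IP protocol 47) data channel that carries the PPP frames, so permitting only 1723 gives exactly the "authenticates, then connection closed" symptom. The `static ... tcp interface ...` form is port-based PAT on the outside interface address, and GRE has no port to translate, which is why the parser rejected `tcp interface gre`. A one-to-one static on its own address translates every IP protocol, so GRE passes as soon as the ACL allows it. The release note quoted earlier concerns terminating PPTP on the firewall itself (the PIX 6.x PPTP server and its matching `sysopt connection permit-pptp`, which is also why that command was rejected); pass-through to an inside server needs nothing beyond NAT and an ACL, which is what worked.

```cisco
! Added example; <public-ip-2> and 192.168.1.3 are assumed addresses.
! One-to-one static: every IP protocol sent to <public-ip-2> is translated to
! the ISA's second address, including GRE, which the port-based
! "static (inside,outside) tcp interface ..." form cannot express.
! The ASA answers ARP for <public-ip-2> on the outside segment by default.
static (inside,outside) <public-ip-2> 192.168.1.3 netmask 255.255.255.255
!
! Both halves of PPTP on the existing outside ACL, which is already bound
! with "access-group outside_access_in in interface outside":
! control channel, TCP/1723 (ASA port name "pptp")
access-list outside_access_in extended permit tcp any host <public-ip-2> eq pptp
! data channel, GRE / IP protocol 47, carrying PPP after the control handshake
access-list outside_access_in extended permit gre any host <public-ip-2>
!
! The interface-address port statics for SMTP/HTTPS stay as they are; they map
! the interface address, not <public-ip-2>, so there is no overlap.
!
! Verification after a client dials in: an xlate for the new static, one
! TCP/1723 conn plus a GRE conn, and rising hit counts on both ACL lines.
show xlate | include 192.168.1.3
show conn | include 192.168.1.3
show access-list outside_access_in
```

On the ISA side the PPTP listener must answer on 192.168.1.3; if it only listens on 192.168.1.2, the control connection reaches the static but never gets a SYN-ACK. If the TCP/1723 line's hit count climbs while the GRE line stays at zero, the client authenticated over the control channel but its GRE never arrived, which points at a filter upstream or at the client's own NAT rather than at this ACL.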
 
Expert Comment by rsivanandan (LVL 32):
Oh really? Then what do they mean?

Hmm... could it be that maybe PPTP is not supported to be terminated on the PIX itself?

Anyway, which way have you chosen to go?

Cheers,
Rajesh

Author Comment by jordi67:
Yes, I think termination on the PIX is what they mean.
For now I'm going to use PPTP with machine certificates; this way it will be secure enough, I think.

Expert Comment by rsivanandan (LVL 32):
Wokay... Njoy vpning...

Cheers,
Rajesh

Author Comment by jordi67:
Thanks again dear Rajesh

Author Comment by jordi67:
Please forgive me, I forgot one more question, if you permit:
later on, if I want to use L2TP/IPSEC, what ports should I allow in the PIX? Do you know?

Expert Comment by rsivanandan (LVL 32):
No problem. You can see a full list of port numbers here: http://www.iana.org/assignments/port-numbers

Add that URL to your favorites :-)

FOR L2TP:

tcp/1701

FOR IPSEC:

udp/500

Cheers,
Rajesh
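The rules the same static would need for L2TP/IPsec, as an added example that is not from the thread; <public-ip-2> and 192.168.1.3 are the same assumed addresses as in the PPTP example, and the static is repeated so the block stands alone. Port facts from the IANA registry the reply links to: L2TP is registered as 1701 over UDP (RFC 2661). When it is wrapped in IPsec, as Windows clients do, the firewall sees IKE on UDP/500, ESP (IP protocol 50) for the data, and UDP/4500 once NAT traversal is negotiated; it will be negotiated here, because the server's address is translated and the IKE NAT-D payloads detect that, after which both IKE and the ESP-encapsulated L2TP ride on UDP/4500 and bare 1701 never reaches the ACL. Two caveats from the posted config: the ASA itself terminates IPsec on its outside interface (`isakmp enable outside`, `crypto map mapeimap interface outside`), so IKE sent to the interface address is consumed by the ASA, which is a second reason the server has to sit on its own public address; and Windows clients refuse an L2TP/IPsec server that is behind NAT unless the AssumeUDPEncapsulationContextOnSendRule registry value that Microsoft documents for this case is set on the client.

```cisco
! Added example; <public-ip-2> and 192.168.1.3 are assumed addresses.
static (inside,outside) <public-ip-2> 192.168.1.3 netmask 255.255.255.255
!
! IKE phase 1 and 2 (UDP/500; ASA port name "isakmp")
access-list outside_access_in extended permit udp any host <public-ip-2> eq isakmp
! NAT traversal: IKE moves to UDP/4500 and ESP is UDP-encapsulated on the same
! port; with the server behind this static, every NAT-T capable client lands here
access-list outside_access_in extended permit udp any host <public-ip-2> eq 4500
! Native ESP, IP protocol 50, for peers that do not negotiate NAT-T. Included for
! completeness: a transport-mode SA through this translation normally only
! survives via NAT-T, because the inner UDP checksum covers the original address.
access-list outside_access_in extended permit esp any host <public-ip-2>
! L2TP itself, UDP/1701: only seen by the ACL if L2TP is run without IPsec
access-list outside_access_in extended permit udp any host <public-ip-2> eq 1701
!
! Verification: the UDP/500 and UDP/4500 lines should take hits; the 1701 line
! should stay at zero for an IPsec-protected tunnel.
show access-list outside_access_in
show conn | include 192.168.1.3
```

Because the ISA, not the ASA, terminates the IPsec here, the ASA's own `crypto map`, `isakmp` policy and `tunnel-group` entries play no part in this path; only the static and these ACL lines matter.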
 

Expert Comment by A_M_R:
"In the meantime I was thinking the following:
what if I configure a new IP on the external ISA network, say 192.168.1.3,
add another public IP to the outside pool of the PIX,
make a static 1-1 with the second public IP,
and then add the access lists for PPTP and GRE?
What do you think, should I try it?"


Could anyone please clarify how I can do that, as I have the same case.
