Solved

How to configure an ASA 5540 to allow inside clients to access an outside VPN server using the MS PPTP VPN client.

Posted on 2007-11-17
33
3,356 Views
Last Modified: 2012-08-13
We are behind a Cisco ASA 5540. Due to some business reasons some of our users need to use the MS PPTP VPN client to connect to a remote VPN server, but the ASA firewall does not allow them to do so. When they initiate a connection, it just stops at "verifying username and password" and then gives error 619: Connection could not be established. I feel there is something to be done on the ASA 5540 to allow the reverse traffic. I need to know the exact commands I need to perform on the ASA.
Thanks
0
Question by:pkabbas
33 Comments
 
LVL 79

Expert Comment

by:lrmoore
Try adding a pptp inspect:

  policy-map global_policy
    class inspection_default
      inspect pptp

0
 

Author Comment

by:pkabbas
Thanks lrmoore, I added this but it did not work. Well, I am pasting the configuration below for further details, in case it is needed to help me:-
ASA Version 7.0(6)
!
hostname RUH-HO-FW-F04C201
domain-name samaair.com
enable password ********** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Connected To RUH-HO-CS-F04C101 Port Gig1/3
 speed 100
 duplex full
 nameif LAN
 security-level 100
 ip address *.*.*.* 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address *.*.*.* 255.255.255.240
!
interface GigabitEthernet0/2
 nameif DMZ2
 security-level 90
 ip address *.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
 speed 1000
 duplex full
 nameif DMZ1
 security-level 95
 ip address *.*.*.* 255.255.255.0
!
interface Management0/0
 nameif MGT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
  management-only
!
passwd ******* encrypted
ftp mode passive
access-list ACL-SPLIT standard permit *.*.*.* 255.255.255.0
access-list ACL-SPLIT standard permit *.*.*.* 255.255.255.0
access-list ACL-SPLIT standard permit *.*.*.* 255.255.255.0
access-list ACL-SPLIT standard permit *.*.*.* 255.255.255.0
access-list ACL-WAN extended permit icmp host *.*.*.* host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp host *.*.*.* host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp host *.*.*.* host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp host *.*.*.* host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp host *.*.*.* host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp host *.*.*.*2 host *.*.*.* echo-reply
access-list ACL-WAN extended permit icmp *.*.*.**.*.*.**.*.*.**.*.*.**.*.*.**.*.*.**.*.*.* echo-reply
access-list ACL-WAN extended permit udp any interface WAN eq isakmp
access-list ACL-WAN extended permit esp any interface WAN
access-list ACL-WAN extended permit ah any interface WAN
access-list ACL-WAN extended permit tcp any host *.*.*.* eq www
access-list ACL-WAN extended permit tcp any host *.*.*.* eq https
access-list ACL-DMZ1 extended permit icmp any any echo-reply
access-list ACL-DMZ1 extended permit icmp any any source-quench
access-list ACL-DMZ1 extended permit icmp any any unreachable
access-list ACL-DMZ1 extended permit icmp any any time-exceeded
access-list ACL-DMZ1 extended permit icmp any any
access-list ACL-DMZ1 extended permit esp any any
access-list ACL-DMZ1 extended permit ah any any

pager lines 20
logging enable
logging asdm informational
mtu LAN 1500
mtu WAN 1300
mtu DMZ2 1500
mtu DMZ1 1500

mtu MGT 1500
ip local pool corporate-pool *.*.*.**.*.*.* mask 255.255.255.224
ip local pool support-pool *.*.*.**.*.*.* mask 255.255.255.240
ip local pool vendor-pool *.*.*.**.*.*.* mask 255.255.255.240
no failover
icmp permit any LAN
icmp permit any WAN
icmp permit any DMZ1
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 1 *.*.*.*
nat (LAN) 0 access-list ACL-NONAT
nat (LAN) 1 *.*.*.* 255.255.255.240
nat (LAN) 1 *.*.*.* 255.255.255.0

nat (DMZ2) 0 access-list ACL-NONAT
nat (DMZ2) *.*.*.* 255.255.255.0
nat (DMZ1) 0 access-list ACL-NONAT
nat (DMZ1) *.*.*.*1 255.255.255.255
static (LAN,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (DMZ2,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (LAN,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (DMZ2,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (DMZ2,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (DMZ1,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
static (DMZ2,WAN) *.*.*.**.*.*.* netmask 255.255.255.255
access-group ACL-LAN in interface LAN
access-group ACL-WAN in interface WAN
access-group ACL-DMZ2 in interface DMZ2
access-group ACL-DMZ1 in interface DMZ1
route LAN *.*.*.* 255.255.0.0 *.*.*.* 1
route LAN *.*.*.* 255.255.255.0 *.*.*.* 1
route WAN 0.0.0.0 0.0.0.0 *.*.*.* 1
route WAN 0.0.0.0 0.0.0.0 *.*.*.* tunneled
!
router ospf 1
 network *.*.*.* 255.255.255.0 area 0
 network *.*.*.* 255.255.255.0 area 0
 network *.*.*.*0 255.255.255.0 area 0
 area 0
 log-adj-changes
 default-information originate metric 1
 summary-address *.*.*.* 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test-policy internal
group-policy test-policy attributes
 banner value Test Group Authorized Only!
banner value Test Group Authorized Only!
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock value test-group
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT
 default-domain none
  split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy support-group-policy internal
group-policy support-group-policy attributes
 banner value Support Group Authorized Only!
 banner value Support Group Authorized Only!
 banner value Support Group Authorized Only!
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock value support-group
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
username ******* password ************** encrypted privilege 15
username ******* attributes
 vpn-tunnel-protocol IPSec
 group-lock value support-group
 webvpn
username ***** password ********** encrypted
username ***** password ************ encrypted privilege 15
username ****** attributes
 vpn-tunnel-protocol IPSec webvpn
 group-lock value test-group
webvpn
username *** password ******* encrypted
username ***** password L****** encrypted
http server enable
http *.*.*.* 255.255.0.0 LAN
http *.*.*.* 255.255.224.0 WAN
http *.*.*.* 255.255.255.0 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
crypto ipsec transform-set NAVTECH-SET esp-3des esp-md5-hmac
crypto dynamic-map genevadyn 20 set transform-set VPNSet
crypto dynamic-map genevadyn 20 set reverse-route
crypto map genevamap 10 match address NAVTECH-VPN
crypto map genevamap 10 set peer *.*.*.*
crypto map genevamap 10 set transform-set NAVTECH-SET
crypto map genevamap 20 ipsec-isakmp dynamic genevadyn
crypto map genevamap interface WAN
isakmp identity address
isakmp enable WAN
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp disconnect-notify
tunnel-group genevagroup type ipsec-ra
tunnel-group genevagroup general-attributes
 address-pool vendor-pool
tunnel-group genevagroup ipsec-attributes
 pre-shared-key *
tunnel-group test-group type ipsec-ra
tunnel-group test-group general-attributes
 address-pool support-pool
 default-group-policy test-policy
tunnel-group test-group ipsec-attributes
 pre-shared-key *
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
pre-shared-key *
tunnel-group sama-vpn type ipsec-l2l
tunnel-group sama-vpn ipsec-attributes
 pre-shared-key *
tunnel-group support-group type ipsec-ra
tunnel-group support-group general-attributes
 address-pool support-pool
 default-group-policy support-group-policy
tunnel-group support-group ipsec-attributes
 pre-shared-key *
telnet *.*.*.* 255.255.255.0 LAN
telnet timeout 5
ssh *.*.*.* 255.255.224.0 WAN
ssh timeout 5
console timeout 0
management-access LAN
dhcpd address *.*.*.**.*.*.**.*.*.* MGT
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable MGT
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
      
!
Cryptochecksum:****************************
: end
0
 
LVL 79

Expert Comment

by:lrmoore
>access-group ACL-LAN in interface LAN
Start by removing the acl from the inside interface
If that works, then you know it is the acl that is restricting the pptp tunnels.
I do not even see any ACL-LAN definition in your config, so I cannot evaluate it.
0
 

Author Comment

by:pkabbas
access-list ACL-LAN extended permit ip any any

I have this on LAN. Is there any ACL you can suggest that I can add to ACL-LAN to allow PPTP?
0
 
LVL 79

Expert Comment

by:lrmoore
no access-group ACL-LAN in interface LAN

Since default is to allow any any, then you don't need to specify any acl.
I would remove it completely from the interface.
0
 

Author Comment

by:pkabbas
If I remove the ACL from the LAN interface, I wonder whether it will affect other traffic, as I have two DMZ zones configured as well. What do you think?
0
 
LVL 79

Expert Comment

by:lrmoore
It will not affect any other traffic
0
 

Author Comment

by:pkabbas
Well, I did remove the ACL from the LAN interface, but still there is no difference.
0
 

Author Comment

by:pkabbas
I have another backup link through a different ISP. I have routed the traffic for the VPN server through the backup link, as we have a firewall on that link as well, which is much simpler than the previous one. I am pasting the configuration of this firewall; maybe this will help to connect the VPN clients over the backup link rather than playing with the configuration on the primary firewall:-

sh run
: Saved
:
ASA Version 7.0(6)
!
hostname RUH-HO-FW-F04C202
domain-name sama.com
enable password *********** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Connected To RUH-HO-CS-F04C102 Port Gig1/1
 speed 100
 duplex full
 nameif LAN
 security-level 100
 ip address *.*.*.* 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address *.*.*.* 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ******** encrypted
ftp mode passive
access-list ACL-NONAT extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-NONAT extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-NONAT extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-NONAT extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-WAN extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-WAN extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list ACL-WAN extended permit ip *.*.*.* 255.255.224.0 any
access-list ACL-WAN extended permit ip *.*.*.* 255.255.255.0 *.*.*.* 255.255.0.0
access-list WAN_cryptomap_20 extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.255.0
access-list WAN_cryptomap_20 extended permit ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.255.0
access-list ACL-INT1 extended deny ip *.*.*.* 255.255.0.0 *.*.*.* 255.255.0.0
access-list samapvt_splitTunnelAcl standard permit *.*.*.* 255.255.0.0
pager lines 24
logging asdm informational
mtu LAN 1500
mtu WAN 1500
mtu management 1500
ip local pool vpnpool 192.168.110.1-192.168.110.254
ip local pool vpnfwama *.*.*.*-10.220.250.254 mask 255.255.255.0
no failover
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 *.*.*.*
nat (LAN) 0 access-list ACL-NONAT
nat (LAN) 1 *.*.*.* 255.255.0.0
access-group ACL-WAN in interface WAN
route WAN *.*.*.* 255.255.255.255 *.*.*.* 1
route WAN 0.0.0.0 0.0.0.0 *.*.*.* 1
route WAN *.*.*.* 255.255.0.0 *.*.*.* 1
route WAN *.*.*.* 255.255.0.0 *.*.*.* 1
!
router ospf 1
 network *.*.*.* 255.255.255.252 area 0
 log-adj-changes
 summary-address *.*.*.* 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy wamapvt internal
group-policy wamapvt attributes
 dns-server value 10.1.17.1 10.1.17.13
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wamapvt_splitTunnelAcl
 default-domain value stc.com
 webvpn
group-policy fwama internal
username ****** password ********* encrypted
vpn-group-policy fwama
 webvpn
http server enable
http *.*.*.* 255.255.0.0 LAN
http *.*.*.* 255.255.224.0 WAN
http *.*.*.* 255.255.255.0 management
! The following host entries are incomplete; they await a community string.
snmp-server host WAN *.*.*.*
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map WAN_dyn_map 20 set nat-t-disable
crypto map fedmap 20 match address WAN_cryptomap_20
crypto map fedmap 20 set peer 207.219.72.155
crypto map fedmap 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map fedmap interface WAN
isakmp identity address
isakmp enable WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group fwama type ipsec-ra
tunnel-group fwama general-attributes
 address-pool vpnfwama
 default-group-policy fwama
tunnel-group fwama ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet *.*.*.* 255.255.255.0 LAN
telnet timeout 5
ssh *.*.*.* 255.255.224.0 WAN
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:14dbb082af041c5f36a78bad9fa4752a
: end

 RUH-HO-FW-F04C202#
0
 
LVL 79

Expert Comment

by:lrmoore
You still need the inspect

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
0
 

Author Comment

by:pkabbas
I did change the policy, but it did not work. Do I need to do NAT/PAT etc.?
0
 

Author Comment

by:pkabbas
Hi experts,
Waiting for replies/a solution. Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
Do you have a router or anything else out in front of your ASA that could be blocking GRE? You have masked out all the ip addresses so that I can't really analyze the config for routing issues or anything else.
I might suggest adding an entry to your wan acl to allow gre

access-list ACL-WAN permit gre any any
 
0
 

Author Comment

by:pkabbas
Yes, there is a router in front of the ASA, but when I bypass the ASA by connecting a PC in the middle of the router and the ASA and assigning it a public IP, then it works, which means it is allowed on the router. I tried adding the permit gre any any but got the same response. Do I need to re-apply ACL-WAN? I am sending the configuration again with less masking:-
: Saved
:
ASA Version 7.0(6)
!
hostname RUH-HO-FW-F04C202
domain-name sama.com
enable password ******** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Connected To RUH-HO-CS-F04C102 Port Gig1/1
 speed 100
 duplex full
 nameif LAN
 security-level 100
 ip address 10.1.9.6 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address 212.*.*.* 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ********* encrypted
ftp mode passive
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.220.250.0 255.255.255.0
access-list ACL-WAN extended permit ip 10.220.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list ACL-WAN extended permit ip 10.220.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list ACL-WAN extended permit ip 212.*.*.0 255.255.224.0 any
access-list ACL-WAN extended permit ip 192.168.110.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list WAN_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list WAN_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list ACL-INT1 extended deny ip 10.1.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list samapvt_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu LAN 1500
mtu WAN 1500
mtu management 1500
ip local pool vpnpool 192.168.110.1-192.168.110.254
ip local pool vpnflysama 10.220.250.1-10.220.250.254 mask 255.255.255.0
no failover
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 212.*.*.*
nat (LAN) 0 access-list ACL-NONAT
nat (LAN) 1 10.1.0.0 255.255.0.0
access-group ACL-WAN in interface WAN
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1 - Route to Router IP
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1 - Route to Router IP
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1 - Route to Router IP
route WAN 0.0.0.0 0.0.0.0 212.*.*.* 1 - Route to Router IP
route WAN 10.220.0.0 255.255.0.0 212.*.*.* 1 - Route to Router IP
route WAN 172.16.0.0 255.255.0.0 212.*.*.* 1 - Route to Router IP
route WAN 10.200.0.0 255.255.0.0 212.*.*.* 1 - Route to Router IP
!
router ospf 1
 network 10.1.9.4 255.255.255.252 area 0
 log-adj-changes
 summary-address 10.1.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy samapvt internal
group-policy samapvt attributes
 dns-server value 10.1.17.1 10.1.17.13
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value samapvt_splitTunnelAcl
 default-domain value flysama.com
 webvpn
group-policy flysama internal
username ******* password ****** encrypted
 vpn-group-policy flysama
 webvpn
http server enable
http 10.1.0.0 255.255.0.0 LAN
http 212.*.*.* 255.255.224.0 WAN
http 192.168.1.0 255.255.255.0 management
! The following host entries are incomplete; they await a community string.
snmp-server host WAN 212.*.*.*
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map WAN_dyn_map 20 set nat-t-disable
crypto map fedmap 20 match address WAN_cryptomap_20
crypto map fedmap 20 set peer *.*.*.*
crypto map fedmap 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map fedmap interface WAN
isakmp identity address
isakmp enable WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group flysama type ipsec-ra
tunnel-group flysama general-attributes
 address-pool vpnflysama
 default-group-policy flysama
tunnel-group flysama ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet 10.1.71.0 255.255.255.0 LAN
telnet 10.1.74.0 255.255.255.0 LAN
telnet 10.1.72.0 255.255.255.0 LAN
telnet 10.1.75.0 255.255.255.0 LAN
telnet 10.1.0.0 255.255.0.0 LAN
telnet timeout 5
ssh 212.*.*.* 255.255.224.0 WAN
ssh 212.*.*.* 255.255.248.0 WAN
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:*.*.*.*
: end

Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
I don't see the policy in the config

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp

Since you don't have static nats, you might want to try disabling proxy arp

sysopt noproxyarp inside
sysopt noproxyarp outside

>ip address 10.1.9.6 255.255.255.252
How are you routing the rest of the internal 10.1.0.0 network? I don't see any route statements routing anything else on the LAN?
If your LAN is 10.1.0.0 with /16 mask, then change the mask on this interface and make sure this interface IP is the default gateway for the PC trying to use the PPTP client.
0
 

Author Comment

by:pkabbas
I did the above but still no effect. The default gateway on our clients is the core switch; we are using different VLANs in 10.1.*.*. After adding the above, below is the config:-
: Saved
:
ASA Version 7.0(6)
!
hostname RUH-HO-FW-F04C202
domain-name sama.com
enable password ******* encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Connected To RUH-HO-CS-F04C102 Port Gig1/1
 speed 100
 duplex full
 nameif LAN
 security-level 100
 ip address 10.1.9.6 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address 212.*.*.* 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ****** encrypted
ftp mode passive
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.220.250.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.0.0.0 255.0.0.0 10.220.250.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.110.0 255.255.255.0
access-list ACL-WAN extended permit ip 10.220.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list ACL-WAN extended permit ip 10.220.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list ACL-WAN extended permit ip 212.*.*.* 255.255.224.0 any
access-list ACL-WAN extended permit ip 192.168.110.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list WAN_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list WAN_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list ACL-INT1 extended deny ip 10.1.0.0 255.255.0.0 10.220.0.0 255.255.0.0
access-list samapvt_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list LAN_nat0_inbound extended permit ip 10.0.0.0 255.0.0.0 192.168.110.0 255.255.255.0
access-list test extended permit ip any any
pager lines 24
logging asdm informational
mtu LAN 1500
mtu WAN 1510
mtu management 1500
ip local pool vpnpool 192.168.110.1-192.168.110.254
ip local pool vpnflysama 10.220.250.1-10.220.250.254 mask 255.255.255.0
no failover
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 212.*.*.*
nat (LAN) 0 access-list ACL-NONAT
nat (LAN) 1 10.1.0.0 255.255.0.0
access-group ACL-WAN in interface WAN
route WAN 10.200.0.0 255.255.0.0 212.*.*.* 1
route WAN 172.16.0.0 255.255.0.0 212.*.*.* 1
route WAN 10.220.0.0 255.255.0.0 212.*.*.* 1
route WAN 0.0.0.0 0.0.0.0 212.*.*.* 1
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1
route WAN 212.*.*.* 255.255.255.255 212.*.*.* 1
!
router ospf 1
 network 10.1.9.4 255.255.255.252 area 0
 log-adj-changes
 summary-address 10.1.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy samapvt internal
group-policy samapvt attributes
 dns-server value 10.1.17.1 10.1.17.13
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value samapvt_splitTunnelAcl
 default-domain value flysama.com
 webvpn
group-policy flysama internal
username *****password ******** encrypted
username ****** attributes
 vpn-group-policy mnaji
 webvpn
username **** password ******** encrypted
username ***** password ************ encrypted privilege 0
username ***** attributes
 vpn-group-policy flysama
 webvpn
http server enable
http 10.1.0.0 255.255.0.0 LAN
http 212.*.*.* 255.255.224.0 WAN
http 192.168.1.0 255.255.255.0 management
! The following host entries are incomplete; they await a community string.
snmp-server host WAN 212.*.*.*
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp LAN
sysopt noproxyarp WAN
crypto ipsec transform-set ESP-3DES-md5 esp-3des esp-md5-hmac
crypto map fedmap 20 match address WAN_cryptomap_20
crypto map fedmap 20 set peer 207.219.72.155
crypto map fedmap interface WAN
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp identity address
isakmp enable WAN
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 40 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 40 retry 5
tunnel-group flysama type ipsec-ra
tunnel-group flysama general-attributes
 address-pool vpnflysama
 default-group-policy flysama
tunnel-group flysama ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 40 retry 5
tunnel-group mnaji type ipsec-ra
tunnel-group mnaji general-attributes
 address-pool vpnpool
tunnel-group mnaji ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 40 retry 5
telnet 10.1.71.0 255.255.255.0 LAN
telnet 10.1.74.0 255.255.255.0 LAN
telnet 10.1.72.0 255.255.255.0 LAN
telnet 10.1.75.0 255.255.255.0 LAN
telnet 10.1.0.0 255.255.0.0 LAN
telnet timeout 5
ssh 212.*.*.* 255.255.224.0 WAN
ssh 212.*.*.* 255.255.248.0 WAN
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
 class class-default
  inspect pptp
!
ssl encryption des-sha1 rc4-md5
Cryptochecksum:*****************************
: end
0
 
LVL 79

Expert Comment

by:lrmoore
You still have a routing issue if you don't have any route LAN statements
0
 

Author Comment

by:pkabbas
What should be there regarding the route LAN statement? What exactly should I mention?
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
Never mind. I see the router OSPF statements, so the PIX should be learning the proper internal routes from the core switch.

As a last resort, you might try creating a static nat for the PPTP client to use a dedicated public IP, something like this:
 static (inside,outside) 212.x.x.y 10.x.x.y netmask 255.255.255.255
where 212.x.x.y = IP address not the same as the outside interface but within the same subnet
where 10.x.x.y = IP address of the client PC trying to connect

If you have two different firewalls and a rather complex internal network, you may not be routing that specific traffic out the firewall that you intend. Without a detailed review of the entire network infrastructure and routing topology, I'm afraid the solution to this may be outside the possibility of a forum like this. The simple pptp inspect commands "should" be all you needed. You may have to call Cisco TAC and get their engineers to assist. It may be a bug in your particular 7.0(6) version of code and you may need to update to at least 7.0(7) or better



0
 
LVL 79

Expert Comment

by:lrmoore
>class-map inspection_default
    match default-inspection-traffic  <<== I don't see this line in your latest config

0
 

Author Comment

by:pkabbas
Well,
Thanks lrmoore for your help. After adding the NAT statement, it did not even reach the VPN server. As far as routing is concerned, traffic is going through this firewall. Well, I may need someone to get in and look into the issue. Just to give you some more information on why it is required, below are the requirements. If you are behind a firewall, you may try to establish a VPN connection to 12.17.202.16. If it gives "username/password incorrect", it means you are able to communicate; otherwise not.

Configuring a Firewall for Access via the Internet/VPN
-----------------------------------------------------------------
NOTE:  This configuration should only be used when access to the reservation system is via a dial-up or dedicated Internet connection.  If you are accessing the reservation system via a circuit provided by Galileo, refer to page 5 – Configuring a Firewall for Dedicated TCP/IP Circuit.  Follow the instructions based on the client you are using (PPTP).
PROTOCOLS:
    TCP/IP (Protocols 6 & 4)
    UDP (Protocol 17)
    PPTP: GRE (Protocol 47 mapped to port 1723) – Microsoft PPTP VPN ONLY

PORTS:  (PAT-Port Address Translation is NOT permitted)
------------------------------------------------------------------------
PPTP Switch:        1723 / TCP Traffic / Outbound Only  (Microsoft PPTP VPN ONLY.)
Config Servers:     5067 / UDP Traffic / Outbound Only
                    5068 / UDP Traffic / Inbound Only
                    5069 / TCP Traffic / Inbound Only (FPM Requirement)
IP Concentrators:   2748 / TCP Traffic / Outbound Only (Apollo® system only)
                    2749 / TCP Traffic / Outbound Only (Galileo® system only)
                    2750 / TCP Traffic / Outbound Only (VTF-IP Concentrators)

DNS SUPPORT:  (Must be able to PING from the client workstation:)
Microsoft PPTP VPN Client:  PING vpn.galileo.com

IP FILTERING:  (Must be able to ping after VPN established)
Specific IP Addresses: These addresses are subject to change without notice!
Device              Galileo® System        Apollo® System
PPTP VPN Switch     vpn.galileo.com        vpn.galileo.com
                    12.17.202.16           12.17.202.16
Config Servers      vpnipcs.galileo.com    vpnipcs.galileo.com
                    172.20.200.2           172.20.200.2
IP Concentrators    vpnipc.galileo.com     vpnipc.galileo.com
                    172.20.200.1           172.20.200.1
0
 

Author Comment

by:pkabbas
Wow, it's working from one machine after adding some ACL and STATIC NAT. Now I cannot do static NAT for all machines which need to access, so what's the alternative?

thanks
0
 
LVL 79

Expert Comment

by:lrmoore
> after adding some ACL
Did you allow GRE and TCP/1723?
0
 

Author Comment

by:pkabbas
Well, I added two lines as below:-
access-list ACL-WAN extended permit ip host 12.17.*.* any (where 12.17.*.* is the VPN server address)
static (LAN,WAN) 212.*.*.* 10.1.77.1

Also, the inspection_policy lines are there as well.
and it worked.
0
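As an added check (not code from this thread, from Cisco, or from either participant), a small Python linter for an ASA 7.x config that looks for the pieces the comments above converge on: the `match default-inspection-traffic` line missing from the `inspection_default` class-map, `inspect pptp` in `global_policy`, the per-host `static` workaround, and a WAN ACL entry that is wider than the GRE plus TCP/1723 that PPTP needs. The sample configs are constructed from the lines posted above; the public NAT address is a TEST-NET placeholder.

```python
"""Lint an ASA 7.x config for the PPTP passthrough pieces this thread converges on:
'match default-inspection-traffic' feeding 'inspect pptp' (so GRE, IP protocol 47,
is translated per call) and a WAN ACL no wider than GRE plus TCP/1723."""
import re

def parse_mqc_blocks(config):
    """Map 'class-map X' / 'policy-map Y' headers to their stripped body lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line[0] != " ":  # top-level command: start or end a block
            current = line if line.startswith(("class-map ", "policy-map ")) else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line.strip())
    return blocks

def check_pptp_passthrough(config, vpn_server, wan_acl="ACL-WAN"):
    """Return finding tags; an empty list means nothing to fix."""
    findings, blocks = [], parse_mqc_blocks(config)
    if "match default-inspection-traffic" not in blocks.get("class-map inspection_default", []):
        findings.append("no-default-match")  # inspect pptp never sees TCP/1723
    if "inspect pptp" not in blocks.get("policy-map global_policy", []):
        findings.append("no-inspect-pptp")   # GRE cannot be translated per call
    for inside in re.findall(r"^static \(\w+,\w+\)\s*\S+\s+(\S+)", config, re.M):
        findings.append(f"static-nat:{inside}")  # per-host workaround, does not scale
    for line in config.splitlines():  # 'permit ip ... any' admits every protocol
        if line.startswith(f"access-list {wan_acl} ") and f"permit ip host {vpn_server} any" in line:
            findings.append("acl-too-broad")
    return findings

# Constructed samples: the asker's stanza (note the missing match line), then a
# version with the match line and a GRE/TCP-1723-only ACL instead of static NAT.
ASKER_CONFIG = """access-list ACL-WAN extended permit ip host 12.17.202.16 any
static (LAN,WAN)203.0.113.5 10.1.77.1
class-map inspection_default
policy-map global_policy
 class inspection_default
  inspect pptp
"""
FIXED_CONFIG = """access-list ACL-WAN extended permit gre host 12.17.202.16 any
access-list ACL-WAN extended permit tcp host 12.17.202.16 eq 1723 any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
"""
```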
 

Author Comment

by:pkabbas
Hi,
How can I close this question?
regards,
0
 
LVL 79

Expert Comment

by:lrmoore
I think that my contributions are worthy of acceptance and award of points in at least getting the asker in the right direction.
0
 
LVL 79

Expert Comment

by:lrmoore
20342755
11.24.2007 at 08:37AM CST
0
 
LVL 1

Expert Comment

by:Vee_Mod
Force accepted.
Vee_Mod
Community Support Moderator
0
