Solved

configure cisco ASA to allow PPTP to ISA

Posted on 2008-10-21
Last Modified: 2012-05-05
I am trying to configure my ASA to allow VPN connections, using the PPTP protocol, to an ISA server which is located on the ASA inside interface.

But after I configured the ASA it doesn't work, and I couldn't connect to the ISA using a VPN connection.

Could anyone check my ASA configuration and help?

Result of the command: "sh run"

: Saved
:
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ijjo0KuMfVbkEAKw encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 196.205.87.68 255.255.255.192
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 50.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit gre any host 196.205.87.69
access-list outside_access_in extended permit tcp any host 196.205.87.69 eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 50.0.0.0 255.255.255.0
static (inside,outside) tcp 196.205.87.69 pptp 50.0.0.1 pptp netmask 255.255.255.255
static (inside,outside) udp 196.205.87.69 47 50.0.0.1 47 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.205.87.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 50.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 50.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:56d8c1b40582c3f8b68c4bb52a5a0fce
: end
Question by: A_M_R


Accepted Solution

by: leonjs earned 500 total points
If I understand you correctly . . . .
I want to inform you that if you are doing dynamic NAT for the client behind the ASA, i.e. nat/global, then only one client can make a PPTP connection through the ASA at one time. For this, we need to enable "inspect pptp". If you want multiple clients to be able to make PPTP connections through the ASA, then we will need as many static commands as the number of clients behind the ASA. Then, after creating the static commands, open TCP port 1723 and GRE on the inside and outside interface access-list.

Check out this link
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Might be easier to set up RA on the ASA itself and then access the clients on the inside network

Author Comment

by: A_M_R
Sorry, I am confused now. I have already read and tried the link that you attached, but I still have some problems, so could you answer these questions for me?
1- I am trying to make a VPN connection through the internet to the ISA server behind the ASA. I am trying to inspect PPTP but it doesn't work when I try to open a VPN connection to the ISA public IP address, which is the IP of the outside interface of the ASA. Is it correct???
2- From the link that you sent me: if I try to add a static NAT
static (inside,outside) 196.205.87.69 50.0.0.1 netmask 255.255.255.255 while there is also a dynamic one, is it possible or not???
 

Expert Comment

by: leonjs
To inspect PPTP do this

fw# config t
fw(config)# policy-map global_policy
fw(config-pmap)# class inspection_default
fw(config-pmap-c)# inspect pptp

Remember this, though, since you're doing PAT with the ISA server

"You can only have one PPTP/L2TP connection through the ASA Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the ASA Security Appliance only maps port 0 to one host. "

You might find it easier just to set up remote access on the ASA
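
The checks discussed in this thread, written as an added Python example that is not part of any post: it audits the PPTP-relevant lines of the posted configuration for the ACL entries, the static translations and `inspect pptp`. The function name and finding codes are hypothetical, the sample is constructed from the question's "sh run" output, and the "fixed" variant assumes the one-to-one static quoted in the author's follow-up.

```python
import re

# Constructed sample: the PPTP-relevant lines of the configuration posted in the question.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit gre any host 196.205.87.69
access-list outside_access_in extended permit tcp any host 196.205.87.69 eq pptp
global (outside) 1 interface
nat (inside) 1 50.0.0.0 255.255.255.0
static (inside,outside) tcp 196.205.87.69 pptp 50.0.0.1 pptp netmask 255.255.255.255
static (inside,outside) udp 196.205.87.69 47 50.0.0.1 47 netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect ftp
"""

PORT_STATIC = re.compile(r"^static \(\S+\) (tcp|udp) (\S+) (\S+) ")
FULL_STATIC = re.compile(r"^static \(\S+\) (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+ ")

# Constructed "after": both port statics replaced by the one-to-one static from the thread.
FIXED_CONFIG = "".join(
    l + "\n" for l in SAMPLE_CONFIG.splitlines() if not PORT_STATIC.match(l)
) + "static (inside,outside) 196.205.87.69 50.0.0.1 netmask 255.255.255.255\n"


def audit_pptp(config, public_ip):
    """Return finding codes (hypothetical names) for inbound PPTP published on public_ip."""
    lines = [l.strip() for l in config.splitlines()]
    acl = [l for l in lines if l.startswith("access-list") and f"host {public_ip}" in l]
    findings = []
    if not any(" permit gre " in l for l in acl):
        findings.append("ACL_NO_GRE")
    if not any(re.search(r" permit tcp .* eq (pptp|1723)$", l) for l in acl):
        findings.append("ACL_NO_TCP_1723")
    for l in lines:
        m = PORT_STATIC.match(l)
        # GRE is IP protocol 47 and has no ports; a tcp/udp static on port 47 never matches it.
        if m and m.group(2) == public_ip and m.group(3) == "47":
            findings.append("GRE_AS_PORT_47")
    one_to_one = any((m := FULL_STATIC.match(l)) and m.group(1) == public_ip for l in lines)
    if not one_to_one:
        # Per the answers in the thread: under PAT only one PPTP session passes,
        # and it needs "inspect pptp" in the inspection policy.
        findings.append("PAT_ONLY")
        if "inspect pptp" not in lines:
            findings.append("NO_INSPECT_PPTP")
    return findings


if __name__ == "__main__":
    print(audit_pptp(SAMPLE_CONFIG, "196.205.87.69"))
    print(audit_pptp(FIXED_CONFIG, "196.205.87.69"))
```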