
MS VPN through Cisco

ultreya asked
517 Views
Last Modified: 2012-05-08
I need to set up a Microsoft VPN for various outside users through the Cisco ASA 5505 security appliance. I currently apply the Cisco VPN, and I CAN NOT lose that VPN. I have looked over the instructions posted on another similar question, however those instructions show a static client address. I will not have any connections from a static client address.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This VPN must connect to the DMZ until testing of other services is complete. Then everything will be transferred to the "inside".

Plus I need a how-to on RRAS for 2008R2. I have looked at the MS version, but I would like to see more???

ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name company 
enable password 7HxhWig/gvuWV3u5 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.128
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name company 
dns server-group DNS-SVR
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network BANNED_HOSTS
 network-object 59.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 
access-list dmz_access_in extended permit ip any any
access-list inbound extended deny ip object-group BANNED_HOSTS any
access-list inbound extended permit tcp any host 1.2.3.4 eq www
access-list inbound extended permit tcp any host 1.2.3.4 eq ftp
access-list inbound extended permit tcp any host 1.2.3.4 eq https
access-list inbound extended permit tcp any host 1.2.3.5 eq smtp
access-list inbound extended permit tcp any host 1.2.3.5 eq pop3
access-list inbound extended permit tcp any host 1.2.3.5 eq imap4
access-list inbound extended permit tcp any host 1.2.3.5 eq www
access-list inbound extended permit tcp any host 1.2.3.5 eq https
access-list inbound extended permit tcp any host 1.2.3.5 eq 995
access-list inbound extended permit tcp any host 1.2.3.6 eq www
access-list inbound extended permit tcp any host 1.2.3.6 eq ftp
access-list inbound extended permit tcp any host 1.2.3.6 eq smtp
access-list inbound extended permit tcp any host 1.2.3.6 eq pop3
access-list inbound extended permit tcp any host 1.2.3.6 eq imap4
access-list inbound extended permit tcp any host 1.2.3.7 eq www
access-list inbound extended permit tcp any host 1.2.3.10 eq 3389
access-list inbound extended permit tcp any host 1.2.3.10 eq www
access-list inbound extended permit tcp any host 1.2.3.10 eq https
access-list inbound extended permit tcp any host 1.2.3.10 eq ftp
access-list inbound extended permit tcp any host 1.2.3.11 eq smtp
access-list inbound extended permit tcp any host 1.2.3.11 eq pop3
access-list inbound extended permit tcp any host 1.2.3.11 eq imap4
access-list inbound extended permit tcp any host 1.2.3.10 eq pptp
access-list inbound extended permit udp any host 1.2.3.10 eq isakmp
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list split101 extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split101 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list outbound extended permit gre host 192.168.1.59 host 192.168.1.59
access-list outbound extended permit tcp host 192.168.1.59 host 192.168.1.59 eq pptp
pager lines 24
logging enable
logging asdm informational
logging mail warnings
logging from-address admin@company 
logging recipient-address me@company level warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.1.1.1-10.1.1.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 1.2.3.2 netmask 255.255.255.255
global (outside) 3 1.2.3.3 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.2.38 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.2.3 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 www 192.168.2.38 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.5 https 192.168.2.38 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.5 pop3 192.168.2.38 pop3 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.5 smtp 192.168.2.38 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.5 imap4 192.168.2.38 imap4 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.5 995 192.168.2.38 995 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.6 ftp 192.168.2.15 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.6 smtp 192.168.2.15 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.6 pop3 192.168.2.15 pop3 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.6 imap4 192.168.2.15 imap4 netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.10 3389 192.168.1.60 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.6 www 192.168.2.15 www netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.10 www 192.168.1.70 www netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.10 https 192.168.1.70 https netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.10 ftp 192.168.1.70 ftp netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.11 smtp 192.168.1.71 smtp netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.11 pop3 192.168.1.71 pop3 netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.11 imap4 192.168.1.71 imap4 netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.10 pptp 192.168.1.59 pptp netmask 255.255.255.255
static (dmz,outside) udp 1.2.3.10 isakmp 192.168.1.59 isakmp netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0
 
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy company internal
group-policy company attributes
 wins-server value 192.168.2.30
 dns-server value 192.168.2.30 192.168.2.50
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value company 
 vpn-group-policy company 
username cisco password 5sSb..e9ZNWMmk2e encrypted privilege 15
 vpn-group-policy company 
 group-lock value company 
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group company type ipsec-ra
tunnel-group company general-attributes
 address-pool vpnpool
 default-group-policy company 
tunnel-group company ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map esmtp
 class inspection_default
!
service-policy global_policy global
smtps
 server 192.168.2.38
 default-group-policy DfltGrpPolicy
prompt hostname context
Cryptochecksum:19389b73a66c75675b5445c07dcd0a74
: end
ciscoasa(config)#


Jody LemoineNetwork Architect
CERTIFIED EXPERT

Commented:
I'm assuming that you're meaning PPTP when you refer to "Microsoft VPN" in this case.  If that's true, then you're going to need to add one more line to your "inbound" access list to support the actual VPN payload:

access-list inbound extended permit gre any host 1.2.3.10

Other than that, it looks like you have everything you need to accept PPTP connections on 1.2.3.10 and pass them inbound to the server at 192.168.1.59.

I can help with the PIX/ASA portion of your question, but I've never seen Windows Server 2008 before and so can't be much help with the RRAS portion of the question.  I recommend you add the question to one of the Windows Server zones in order to attract the attention of experts with this sort of experience.

Author

Commented:
Just so that I understand ... because this is not working.
access-list outbound extended permit gre host 192.168.1.59 host 192.168.1.59
access-list inbound extended permit tcp any host 1.2.3.10 eq pptp
static (dmz,outside) tcp 1.2.3.10 pptp 192.168.1.59 pptp netmask 255.255.255.255

Then I need...

access-list inbound extended permit gre any host 1.2.3.10 host 1.2.3.10

Istvan KalmarHead of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
And you need to inspect pptp:

 class inspection_default
  inspect pprp
Istvan KalmarHead of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Sorry, this is what is needed:

policy-map global_policy
 class inspection_default
  inspect pptp
Jody LemoineNetwork Architect
CERTIFIED EXPERT

Commented:
Your "access-list outbound" statements don't matter because you don't have that access list applied to any interfaces and because traffic from higher-security interfaces to lower-security interfaces is implicitly permitted anyway.  The "access-list inbound extended permit gre any host 1.2.3.10 host 1.2.3.10" should be "access-list inbound extended permit gre any host 1.2.3.10" because you're permitting inbound traffic from IP addresses that aren't known in advance.

Author

Commented:
So for clarification ...
access-list inbound extended permit tcp any host 1.2.3.10 eq pptp
access-list inbound extended permit gre any host 1.2.3.10 host 1.2.3.10
static (dmz,outside) tcp 1.2.3.10 pptp 192.168.1.59 pptp netmask 255.255.255.255

Author

Commented:
access-list inbound line 25 extended permit gre any host 1.2.3.10(hitcnt=0)0x8cb6e2e6

After several attempts of connecting, shouldn't there be at least 1 attempt?
Jody LemoineNetwork Architect
CERTIFIED EXPERT

Commented:
Not:

access-list inbound extended permit gre any host 1.2.3.10 host 1.2.3.10

But:

access-list inbound extended permit gre any host 1.2.3.10

Otherwise, looks good.
Jody LemoineNetwork Architect
CERTIFIED EXPERT

Commented:
It depends.  The VPN is negotiated through the control channel (1723/tcp) before any payload is established.  If you're not getting past the point where you're doing user authentication, the GRE portion will never start.  If you telnet to 1.2.3.10 on port 1723 from the outside, does it connect, refuse connection or just hang there forever?  Does line 23 of the access list (the 1723/tcp connection) register any permits or denies?

Author

Commented:
I am such a "____"

When I looked for the requested information "Does line 23 of the access list (the 1723/tcp connection) register any permits or denies?"

I made a discovery of no existing access-list for pptp. I know it was there earlier because it shows up in the running config that I posted.

Somehow it disappeared/deleted. I blame myself...
I put in the access-list inbound extended permit tcp any host 1.2.3.10 eq pptp
and what happens ..?
Immediate connection .

Thank you for your help.

To verify my config ...
access-list inbound extended permit tcp any host 76.0.48.150 eq pptp
access-list inbound extended permit gre any host 1.2.3.10
static (dmz,outside) tcp 1.2.3.10 pptp 192.168.1.59 pptp netmask 255.255.255.255
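A small config check for the four pieces this thread ends up needing for PPTP pass-through on the ASA (the 1723/tcp permit, the GRE permit, the static translation and inspect pptp), written as an added example that is not from the thread and not a Cisco tool; the sample config is constructed from the lines posted above, and the function name and regexes are my own.

```python
import re
from typing import List

# Constructed sample: the lines the thread settles on for PPTP to 192.168.1.59
# behind the public address 1.2.3.10 (ASA 7.x syntax).
SAMPLE_CFG = """
access-list inbound extended permit tcp any host 1.2.3.10 eq pptp
access-list inbound extended permit gre any host 1.2.3.10
static (dmz,outside) tcp 1.2.3.10 pptp 192.168.1.59 pptp netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect pptp
"""

# PPTP negotiates on 1723/tcp (control channel) and carries the tunnel in GRE
# (IP protocol 47); both must be permitted on the interface ACL.
RE_TCP1723 = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (?:pptp|1723)$")
RE_GRE = re.compile(r"^access-list (\S+) extended permit gre any host (\S+)$")
RE_STATIC = re.compile(
    r"^static \((\S+),outside\) tcp (\S+) (?:pptp|1723) (\S+) (?:pptp|1723) netmask 255\.255\.255\.255$")
RE_INSPECT = re.compile(r"^inspect pptp$")


def audit_pptp_passthrough(config: str, public_ip: str) -> List[str]:
    """Return the missing pieces for PPTP to public_ip; an empty list means all four are present.

    Only the presence of each line is checked, not whether the ACL is applied with
    'access-group' or whether 'inspect pptp' sits in the active service policy.
    """
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    acl_tcp = {m.group(1) for m in map(RE_TCP1723.match, lines) if m and m.group(2) == public_ip}
    acl_gre = {m.group(1) for m in map(RE_GRE.match, lines) if m and m.group(2) == public_ip}
    statics = [m for m in map(RE_STATIC.match, lines) if m and m.group(2) == public_ip]
    missing = []
    if not acl_tcp:
        missing.append(f"no ACL permitting tcp/1723 to host {public_ip} (control channel)")
    if not acl_gre:
        missing.append(f"no ACL permitting gre to host {public_ip} (tunnel payload)")
    if acl_tcp and acl_gre and not (acl_tcp & acl_gre):
        # Only one ACL can be applied per interface and direction, so both permits must share a name.
        missing.append("tcp/1723 and gre permits are in different ACLs")
    if not statics:
        missing.append(f"no static (x,outside) translation for tcp/1723 on {public_ip}")
    if not any(RE_INSPECT.match(line) for line in lines):
        missing.append("'inspect pptp' absent from the policy-map")
    return missing


if __name__ == "__main__":
    print(audit_pptp_passthrough(SAMPLE_CFG, "1.2.3.10"))  # []
    # Drop the GRE permit, as in the originally posted config, and re-run.
    broken = "\n".join(l for l in SAMPLE_CFG.splitlines() if "permit gre" not in l)
    print(audit_pptp_passthrough(broken, "1.2.3.10"))
```

The same check run against a config with the 1723/tcp permit removed reports exactly the condition the author found with the hitcnt=0 line above.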





Author

Commented:
Thanks for a great job...