Can't VPN out externally because of ASA?

Hi there,
We have a network on whose edge there are 2 PIX firewalls (515-E) with 2 separate Internet links (same ISP). The way our ISP has set it up is that any outgoing traffic from our private network goes out to the Internet via PIX1, whereas any traffic coming into our network from the Internet comes in via PIX2. Now, everybody can browse or do the usual Internet activity stuff, no problem.

However, I've noticed that if I want to VPN out externally to some other company ABC, it doesn't connect. Tried a few other VPN connections and it was the same result, couldn't connect.

Now, I'm not sure if I'm correct here, but I think the VPN return traffic is causing the issue, since the original request was sent out via PIX 1 and it might be coming back in via PIX 2. I thought that the return traffic for any traffic originating from within the network should come back via the same path, no? But in this case of trying to connect to an external VPN, I think what might be happening is that the VPN connect request is sent out via Firewall-1 and, in response, that VPN device originates some traffic and sends it to our network (which is configured to receive all incoming traffic via the PIX2 link). Now, the basic firewall principle is that any traffic must enter/exit the same interface, else it will cause issues. Is that what's happening? How can I fix this situation? Does a certain protocol/port need to be inspected in the default config of the PIX to allow a successful VPN connection? The VPN type is a normal Microsoft VPN connection, which I think is PPTP based.

I would prefer not to change the routes as it's doing load-balancing between the 2 PIXs. The firewalls are in multiple-context active/active failover mode.

Your help will be really appreciated !
PIX 1 Sanitized Config: 

 firewall1/failovergroup1# sh running-config
: Saved
PIX Version 8.0(2) <context>
hostname failovergroup1
enable password xxx
interface Ethernet0
 nameif outside_failovergroup1
 security-level 0
 ip address x.x.x.x standby x.x.x.x
interface inside_failovergroup1
 nameif inside
 security-level 100
 ip address standby
dns domain-lookup outside_failovergroup1
dns domain-lookup inside
dns domain-lookup inside_redundant
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
same-security-traffic permit intra-interface
access-list 1 extended permit "The ACL is for outside interface. Permits some hosts, denies rest"
access-list 1 extended deny ip any any
pager lines 24
mtu outside_failovergroup1 1500
mtu inside 1500
mtu inside_redundant 1500
monitor-interface inside
monitor-interface inside_redundant
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside_failovergroup1) 1 interface
nat (inside) 1
nat (inside_redundant) 1
static (inside,outside_failovergroup1) udp x.x.x.x snmp snmp netmask
static (inside,outside_failovergroup1) udp x.x.x.x snmptrap snmptrap netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 1022 ssh netmask
static (inside,outside_failovergroup1) tcp x.x.x.x https https netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 3306 3306 netmask
static (inside,outside_failovergroup1) udp x.x.x.x 4569 4569 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 993 993 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 1443 https netmask
static (inside,outside_failovergroup1) udp x.x.x.x 4570 4570 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 10630 https netmask
static (inside,outside_failovergroup1) tcp x.x.x.x ldap ldap netmask
access-group 1 in interface outside_failovergroup1
route outside_failovergroup1 x.x.x.x 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
snmp-server host inside community xxx
snmp-server host inside_redundant community xxx
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps syslog
no crypto isakmp nat-traversal
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end

nabeel92Author Commented:
Done, just had to inspect PPTP in the default PIX policy. That's it! That way, it allows the return GRE traffic initiated by the VPN server sitting outside the network!
nabeel92Author Commented:
My current Google search is telling me to use 'fixup protocol pptp'? Is that the case?
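The fix the thread settles on is 'inspect pptp' in the global service policy: the PPTP control session on TCP/1723 negotiates a GRE tunnel (IP protocol 47) whose packets are initiated by the remote VPN server, and without the PPTP inspection engine the PIX has no state for that GRE flow and drops it. As an added example, not from the original thread and not Cisco's own tooling, the Python below parses the policy-map section of a PIX/ASA running-config, reports whether the globally applied policy inspects PPTP, and generates or applies the missing lines. The embedded sample config is constructed from the post's inspection block with the pptp line absent; the class name inspection_default and the acceptance of the legacy PIX 6.x 'fixup protocol pptp' line are assumptions about the config being audited.

```python
"""Audit a Cisco PIX/ASA running-config for PPTP inspection.

Added example, not part of the original post. Parses 'policy-map' blocks,
finds the policy bound with 'service-policy <name> global' and checks for
'inspect pptp' in it (or a legacy 'fixup protocol pptp' line).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the inspection block from the post, trimmed, before the fix.
SAMPLE_CONFIG_BEFORE = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
service-policy global_policy global
: end
"""

INSPECT_LINE = "  inspect pptp"
DEFAULT_CLASS = "inspection_default"   # assumption: the post's default inspection class


@dataclass
class PolicyMap:
    name: str
    classes: dict = field(default_factory=dict)   # class name -> list of inspect args


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_policy_maps(config: str) -> dict:
    """Return {name: PolicyMap} for each 'policy-map <name>' block.
    'policy-map type inspect ...' blocks are skipped: they are not service policies."""
    maps, pm, cls = {}, None, None
    for raw in config.splitlines():
        text, indent = raw.strip(), _indent(raw.rstrip())
        if indent == 0:                      # top-level line ends any open block
            pm, cls = None, None
            m = re.match(r"policy-map (?!type )(\S+)$", text)
            if m:
                pm = maps[m.group(1)] = PolicyMap(m.group(1))
        elif pm is not None and indent == 1 and text.startswith("class "):
            cls = text.split(None, 1)[1]
            pm.classes.setdefault(cls, [])
        elif pm is not None and cls and indent >= 2 and text.startswith("inspect "):
            pm.classes[cls].append(text.split(None, 1)[1])
    return maps


def global_policy_name(config: str):
    """Name of the policy-map applied with 'service-policy <name> global', or None."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    return m.group(1) if m else None


def pptp_inspected(config: str) -> bool:
    """True if the global policy inspects pptp in any class, or a legacy fixup is present."""
    if re.search(r"^fixup protocol pptp\b", config, re.M):
        return True
    pm = parse_policy_maps(config).get(global_policy_name(config))
    if pm is None:
        return False
    return any(arg.split()[0] == "pptp" for args in pm.classes.values() for arg in args)


def remediation(config: str) -> list:
    """CLI lines that add PPTP inspection to the global policy; empty if already present."""
    if pptp_inspected(config):
        return []
    name = global_policy_name(config) or "global_policy"
    return [f"policy-map {name}", f" class {DEFAULT_CLASS}", INSPECT_LINE]


def apply_fix(config: str) -> str:
    """Return the config with 'inspect pptp' appended to the default inspection class
    of the global policy-map (the config is returned unchanged if already compliant)."""
    if pptp_inspected(config):
        return config
    name = global_policy_name(config) or "global_policy"
    out, in_pm, in_cls, done = [], False, False, False
    for line in config.splitlines():
        text, indent = line.strip(), _indent(line)
        if not done and indent == 0:
            if in_cls:                        # leaving the target class: insert here
                out.append(INSPECT_LINE); done = True
            in_pm, in_cls = text == f"policy-map {name}", False
        elif not done and in_pm and indent == 1:
            if in_cls:
                out.append(INSPECT_LINE); done = True
            in_cls = text == f"class {DEFAULT_CLASS}"
        out.append(line)
    if not done:                              # policy or class absent: append the block
        out.extend(remediation(config))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("pptp inspected:", pptp_inspected(SAMPLE_CONFIG_BEFORE))
    print("\n".join(remediation(SAMPLE_CONFIG_BEFORE)))
```

Run it against the output of 'show running-config' saved to a file; the three lines it prints are the ones to enter in configuration mode on the context that carries the global policy.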
Question has a verified solution.