Can't VPN out externally because of ASA?

Posted on 2009-12-17
Last Modified: 2012-05-08
Hi there,
We have a network on whose edge there are 2 PIX firewalls (515-E) with 2 separate Internet links (same ISP). The way our ISP has set it up is that any outgoing traffic from our private network goes out to the Internet via PIX1, whereas any traffic coming into our network from the Internet comes in via PIX2. Now, everybody can browse or do usual Internet activity stuff, no problem.

However, I've noticed that if I want to VPN out externally to some other company ABC, it doesn't connect. Tried a few other VPN connections and it was the same result, couldn't connect.

Now, I'm not sure if I'm correct here, but I think the VPN return traffic is causing the issue here, since the original request was sent out via PIX 1 and it might be coming back in via PIX 2. I thought that the return traffic for any traffic originating from within the network should come back via the same path, no? But in this case of trying to connect to an external VPN, I think what might be happening is that the VPN connect request is sent out via Firewall-1 and in response, that VPN device originates some traffic and sends it to our network (which is configured to receive all incoming traffic via the PIX2 link). Now, the basic firewall principle is that any traffic must enter/exit the same interface, else it will cause issues. Is that what's happening? How can I fix this situation? Does a certain protocol/port need to be inspected in the default config of PIX to allow a successful VPN connection? The VPN type is a normal Microsoft VPN connection, which I think is PPTP based.

I would prefer not to change the routes as it's doing load-balancing between the 2 PIXs. The firewalls are in multiple-context active/active failover mode.

Your help will be really appreciated!
PIX 1 Sanitized Config:

firewall1/failovergroup1# sh running-config
: Saved
PIX Version 8.0(2) <context>
hostname failovergroup1
enable password xxx
interface Ethernet0
 nameif outside_failovergroup1
 security-level 0
 ip address x.x.x.x standby x.x.x.x
interface inside_failovergroup1
 nameif inside
 security-level 100
 ip address standby
dns domain-lookup outside_failovergroup1
dns domain-lookup inside
dns domain-lookup inside_redundant
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
same-security-traffic permit intra-interface
access-list 1 extended permit "The ACL is for outside interface. Permits some hosts, denies rest"
access-list 1 extended deny ip any any
pager lines 24
mtu outside_failovergroup1 1500
mtu inside 1500
mtu inside_redundant 1500
monitor-interface inside
monitor-interface inside_redundant
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside_failovergroup1) 1 interface
nat (inside) 1
nat (inside_redundant) 1
static (inside,outside_failovergroup1) udp x.x.x.x snmp snmp netmask
static (inside,outside_failovergroup1) udp x.x.x.x snmptrap snmptrap netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 1022 ssh netmask
static (inside,outside_failovergroup1) tcp x.x.x.x https https netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 3306 3306 netmask
static (inside,outside_failovergroup1) udp x.x.x.x 4569 4569 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 993 993 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 1443 https netmask
static (inside,outside_failovergroup1) udp x.x.x.x 4570 4570 netmask
static (inside,outside_failovergroup1) tcp x.x.x.x 10630 https netmask
static (inside,outside_failovergroup1) tcp x.x.x.x ldap ldap netmask
access-group 1 in interface outside_failovergroup1
route outside_failovergroup1 x.x.x.x 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
snmp-server host inside community xxx
snmp-server host inside_redundant community xxx
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps syslog
no crypto isakmp nat-traversal
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end


Question by:nabeel92

    Author Comment

    My current Google search is telling me to use 'fixup protocol pptp'? Is that the case!

    Accepted Solution

    Done, just had to inspect PPTP in the default PIX policy. That's it! That way, it allows the return GRE traffic initiated by the VPN server sitting outside the network!
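A small audit script for the fix described in the accepted solution, written as an added example (not code from the thread or from Cisco): it parses a PIX/ASA running-config, finds the policy-map bound with `service-policy ... global`, reports whether `inspect pptp` is present under it, and emits the CLI lines that add it. The sample config is constructed from the sanitized one above; the PIX 7.x/8.x command syntax is assumed.

```python
"""Audit a PIX/ASA running-config for 'inspect pptp' in the global policy.
Added example, not from the original thread; assumes PIX 7.x/8.x CLI syntax. Without
PPTP inspection no pinhole is opened for the GRE tunnel the VPN server sends back."""
import re

# Constructed sample, trimmed from the sanitized config posted in the question.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
service-policy global_policy global
"""

def parse_blocks(config):
    """Map each top-level command to its indented sub-commands (any depth)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw[0] in ":!":  # skip blanks, ': Saved', comments
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])  # re-entering a block appends, as on the CLI
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def global_policy_map(config):
    """Name of the policy-map bound with 'service-policy <name> global', or None."""
    for line in parse_blocks(config):
        m = re.fullmatch(r"service-policy (\S+) global", line)
        if m:
            return m.group(1)
    return None

def inspected_protocols(config):
    """Protocols inspected anywhere inside the globally bound policy-map."""
    name = global_policy_map(config)
    lines = parse_blocks(config).get("policy-map " + name, []) if name else []
    return {ln.split()[1] for ln in lines if ln.startswith("inspect ")}

def pptp_fix_commands(config):
    """CLI lines that enable PPTP inspection in the global policy; [] if present."""
    name = global_policy_map(config)
    if name is None or "pptp" in inspected_protocols(config):
        return []
    classes = [ln for ln in parse_blocks(config)["policy-map " + name] if ln.startswith("class ")]
    return ["policy-map " + name, " " + classes[0], "  inspect pptp"]
```

Run it against a saved `show running-config`; an empty fix list means the global policy already inspects PPTP.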
