tobyhansen
Error Using Cisco VPN client behind ASA
I am receiving this error when trying to use a Cisco VPN client behind an ASA firewall. I have added an inbound rule on my outbound interface allowing PPTP and GRE TCP traffic, and it is still not working. Is this correct, or is there something on the ASA preventing me from using VPN clients from my network outbound to a client's location? I have no ACLs on my internal interface, just the implicit rules. What am I missing?
You could enable inspection of the outbound PPTP packets:
class-map global-class
 match default-inspection-traffic
policy-map global-policy
 class global-class
  inspect pptp
service-policy global-policy global
This will allow the GRE protocol out through the ASA.
What's the error?
You can NOT use the Cisco VPN Client behind PAT devices such as an ASA firewall unless you disable the PAT function of the firewall, but that makes your machine directly connected to the internet without firewall protection.
The VPN tunnel can be successfully formed with PAT in place.
Sorry!!! The VPN tunnel can NOT be successfully formed with PAT in place.
ASKER
Thank you, this is what I had to enable on my ASA to get this working -
You were on the right track. Sorry I didn't have more specific errors or details. I was in a rush when I posted this.
Add PPTP inspection to the default policy-map using the default class-map.
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)# inspect pptp
Let's be clear about which VPN client you are using... is it the Cisco client or the MS PPTP client?
If it is the Cisco client, make sure you have NAT-T turned on:
isakmp nat-traversal 20
The remote end should have NAT-T turned on also.
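The thread ends up with two separate fixes for two different clients: `inspect pptp` in the globally applied policy-map (so the ASA opens the GRE return path for the MS PPTP client) and `isakmp nat-traversal` (so the Cisco IPsec client's ESP is wrapped in UDP/4500 and survives PAT). The audit script below is an added example, not code from the thread or from Cisco: it parses a constructed `show running-config` excerpt and reports whether each setting is actually in effect, which is the check to run before concluding the ASA is blocking a client. The config text, the policy-map and class names, and the `crypto isakmp nat-traversal 20` line are assumptions modelled on the commands quoted in the thread; the script only treats NAT-T as enabled when the command is explicitly present, so a `None` result means "not explicitly configured", not "off".

```python
"""Audit an ASA running-config for the two settings this thread covers:
- 'inspect pptp' in the policy-map bound with 'service-policy <name> global'
  (PPTP control channel inspection opens the GRE data path for the MS client)
- 'isakmp nat-traversal' (7.x) / 'crypto isakmp nat-traversal' (8.x+)
  (ESP encapsulated in UDP/4500 so the Cisco IPsec client works behind PAT)
"""
import re
from typing import Dict, Optional, Set

# Constructed 'show running-config' excerpt (assumption, not taken from the thread).
# Before the fix: default inspections only, no PPTP inspection, no NAT-T command.
CONFIG_BEFORE = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
!
service-policy global_policy global
"""

# After the fix: 'inspect pptp' added to the global class and NAT-T enabled (20 s keepalive).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "  inspect h323 h225\n", "  inspect h323 h225\n  inspect pptp\n"
) + "crypto isakmp nat-traversal 20\n"

Inspections = Dict[str, Dict[str, Set[str]]]  # policy-map -> class -> inspected protocols


def parse_inspections(config: str) -> Inspections:
    """Collect 'inspect <proto>' per policy-map/class; 'policy-map type inspect ...' is skipped
    because those are protocol-specific maps, not the layer-3/4 policy that gets applied."""
    result: Inspections = {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not raw[0].isspace():          # top-level command: leave any policy-map context
            policy = cls = None
            if tokens[0] == "policy-map" and len(tokens) == 2:
                policy = tokens[1]
                result.setdefault(policy, {})
            continue
        if policy is None:
            continue
        if tokens[0] == "class" and len(tokens) >= 2:
            cls = tokens[1]
            result[policy].setdefault(cls, set())
        elif tokens[0] == "inspect" and cls is not None and len(tokens) >= 2:
            result[policy][cls].add(tokens[1])
    return result


def global_service_policy(config: str) -> Optional[str]:
    """Name of the policy-map applied with 'service-policy <name> global', or None."""
    m = re.search(r"^service-policy\s+(\S+)\s+global\s*$", config, re.MULTILINE)
    return m.group(1) if m else None


def pptp_inspected_globally(config: str) -> bool:
    """True only when 'inspect pptp' sits in a class of the globally applied policy-map.
    An 'inspect pptp' in a policy-map that is never applied does nothing."""
    policy = global_service_policy(config)
    if policy is None:
        return False
    classes = parse_inspections(config).get(policy, {})
    return any("pptp" in protos for protos in classes.values())


def nat_traversal(config: str) -> Optional[int]:
    """NAT-T keepalive interval in seconds if the command is explicitly present, else None.
    Accepts both 'isakmp nat-traversal [n]' and 'crypto isakmp nat-traversal [n]';
    20 s is the default Cisco documents when no interval is given."""
    m = re.search(r"^(?:crypto\s+)?isakmp\s+nat-traversal(?:\s+(\d+))?\s*$", config, re.MULTILINE)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else 20


def audit(config: str) -> Dict[str, object]:
    """Summarise what each VPN client type behind this ASA needs."""
    return {
        "global_policy": global_service_policy(config),
        "pptp_inspect_ok": pptp_inspected_globally(config),  # MS PPTP client: GRE return path
        "nat_t_keepalive": nat_traversal(config),            # Cisco IPsec client: ESP over UDP/4500
    }


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, audit(cfg))
```

Feed it the output of `show running-config` from the ASA in question; the "before" sample reproduces the asker's situation (`pptp_inspect_ok: False`, `nat_t_keepalive: None`) and the "after" sample shows both fixes from the thread in place. The remote end must also have NAT-T enabled for the Cisco client case, which a local config audit cannot tell you.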