Solved

Error Using Cisco VPN client behind ASA

Posted on 2010-01-06
Last Modified: 2012-08-13
I am receiving this error when trying to use a Cisco VPN client behind an ASA FW. I have added an inbound rule on my outbound interface allowing PPTP and GRE TCP traffic and it is still not working. Is this correct, or is there something on the ASA preventing me from using VPN clients from my net outbound to a client's location? I have no ACLs on my internal IF, just the implicit rules. What am I missing?
0
Question by:tobyhansen
8 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 26195272
You don't need inbound rules for clients trying to get outbound....  

Let's be clear about which VPN client you are using... is it the Cisco client or the MS PPTP client?

If it is the Cisco client, make sure you have NAT-T turned on:

 isakmp nat-traversal 20

The remote end should have NAT-T turned on also.  


0
 
LVL 1

Expert Comment

by:TSG_Users
ID: 26195544
You could enable inspection of the outbound PPTP packets:

 class-map global-class
  match default-inspection-traffic
 policy-map global-policy
  class global-class
   inspect pptp
 service-policy global-policy global

This will allow the GRE protocol out through the ASA.
0
 
LVL 1

Accepted Solution

by:
TSG_Users earned 2000 total points
ID: 26195616
Or, if it is the Cisco VPN client that you are using, then it will be using IPsec, not GRE, and you could try adding this:

 class-map global-class
  match default-inspection-traffic
 policy-map global-policy
  class global-class
   inspect ipsec-pass-thru
 service-policy global-policy global
0

 
LVL 20

Expert Comment

by:RPPreacher
ID: 26196113
What's the error?
0
 
LVL 2

Expert Comment

by:tim1128
ID: 26198493
You can NOT use the Cisco VPN Client behind PAT devices such as an ASA firewall unless you disable the PAT function of the firewall, but that makes your machine connect directly to the internet without firewall protection.
0
 
LVL 2

Expert Comment

by:tim1128
ID: 26198500
The VPN tunnel can be successfully formed behind PAT in place.
0
 
LVL 2

Expert Comment

by:tim1128
ID: 26198504
Sorry!!! The VPN tunnel can NOT be successfully formed behind PAT in place.
0
 
LVL 1

Author Closing Comment

by:tobyhansen
ID: 31673756
Thank you, this is what I had to enable on my ASA to get this working:

You were on the right track. Sorry I didn't have more specific errors or details. I was in a rush when I posted this.

Add PPTP inspection to the default policy-map using the default class-map.
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp
0
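
An added example, not part of any post in this thread: a small Python check that reads a saved running-config and reports whether the settings suggested above (PPTP inspection, IPsec pass-through inspection, NAT-T) are present in the policy-map that is actually applied globally. The sample config is constructed, the function name is hypothetical, and the parser assumes the indented layout the ASA prints for its running-config.

```python
import re

# Constructed sample running-config (not taken from the poster's firewall).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect pptp
policy-map unused_policy
 class inspection_default
  inspect ipsec-pass-thru
!
service-policy global_policy global
isakmp nat-traversal 20
"""

def audit_vpn_passthrough(config: str) -> dict:
    """Report which outbound-VPN helpers from the thread are active globally."""
    policies = {}        # policy-map name -> set of inspected protocols
    current = None       # policy-map block currently being read
    global_policy = None
    nat_t = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map (\S+)$", line):
            current = m.group(1)
            policies[current] = set()
        elif (m := re.match(r"inspect (\S+)", line)) and raw[:1].isspace():
            if current:
                policies[current].add(m.group(1))
        elif raw and not raw[0].isspace():
            current = None   # any other top-level command closes the block
            if m := re.match(r"service-policy (\S+) global$", line):
                global_policy = m.group(1)
            elif re.match(r"(crypto )?isakmp nat-traversal\b", line):
                nat_t = True
    # An inspect line only matters if its policy-map is the one applied globally.
    active = policies.get(global_policy, set())
    return {
        "global_policy": global_policy,
        "inspect_pptp": "pptp" in active,
        "inspect_ipsec_pass_thru": "ipsec-pass-thru" in active,
        "nat_traversal": nat_t,
    }
```

In the sample, ipsec-pass-thru is reported as inactive because it sits in a policy-map that no service-policy references.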
