tobyhansen

asked on

Error Using Cisco VPN client behind ASA

I am receiving this error when trying to use a Cisco VPN client behind an ASA FW. I have added an inbound rule on my outbound interface allowing PPTP and GRE TCP traffic and it is still not working. Is this correct, or is there something on the ASA preventing me from using VPN clients from my net outbound to a client's location? I have no ACLs on my internal IF, just the implicit rules. What am I missing?
MikeKane

You don't need inbound rules for clients trying to get outbound....  

Let's be clear about which VPN client you are using... is it the Cisco client or the MS PPTP client?

If it is the Cisco client, make sure you have NAT-T turned on:

 isakmp nat-traversal 20

The remote end should have NAT-T turned on also.  


TSG_Users

You could enable inspection of the outbound PPTP packets:

 class-map global-class
   match default-inspection-traffic
 policy-map global-policy
   class global-class
     inspect pptp
 service-policy global-policy global

This will allow the GRE protocol out through the ASA.
ASKER CERTIFIED SOLUTION
TSG_Users

This solution is only available to members.
What's the error?
You can NOT use the Cisco VPN Client behind PAT devices such as an ASA firewall unless you disable the PAT function of the firewall, but that makes your machine connect directly to the internet without firewall protection.
The VPN tunnel can be successfully formed behind PAT in place.
Sorry!!! The VPN tunnel can NOT be successfully formed behind PAT in place.

ASKER

Thank you, this is what I had to enable on my ASA to get this working:

You were on the right track. Sorry I didn't have more specific errors or details. I was in a rush when I posted this.

Add PPTP inspection to the default policy-map using the default class-map:

 pixfirewall(config)# policy-map global_policy
 pixfirewall(config-pmap)# class inspection_default
 pixfirewall(config-pmap-c)# inspect pptp
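
An added example, not part of the thread and not a Cisco tool: a small Python check that reads a saved ASA running-config and reports whether `inspect pptp` sits in a policy-map that is actually bound by a `service-policy` line, and whether the `isakmp nat-traversal` line mentioned above is present. The function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
crypto isakmp nat-traversal 20
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect pptp
policy-map unused_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
"""

def audit_vpn_passthrough(config_text):
    """Report whether PPTP inspection is live and a NAT-T line is present."""
    inspects = {}      # policy-map name -> {class name: set of inspected protocols}
    applied = set()    # policy-maps bound by a service-policy line
    nat_t = False
    pmap = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():       # a top-level command ends any policy-map block
            pmap = cls = None
        words = line.split()
        if words[0] == "policy-map" and len(words) == 2:
            pmap = words[1]
            inspects[pmap] = {}
        elif pmap and words[0] == "class" and len(words) == 2:
            cls = words[1]
            inspects[pmap][cls] = set()
        elif pmap and cls and words[0] == "inspect" and len(words) >= 2:
            inspects[pmap][cls].add(words[1])
        elif words[0] == "service-policy" and len(words) >= 3:
            applied.add(words[1])
        elif re.fullmatch(r"(crypto )?isakmp nat-traversal( \d+)?", line):
            nat_t = True
    live = sorted(p for p in applied
                  if any("pptp" in protos for protos in inspects.get(p, {}).values()))
    return {"pptp_inspected_by": live, "nat_traversal": nat_t}

if __name__ == "__main__":
    print(audit_vpn_passthrough(SAMPLE_CONFIG))
```

A policy-map that contains `inspect pptp` but is never referenced by a `service-policy` line is not reported, since it has no effect on traffic.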