Internal user VPN to home unable to connect
Asked by UAVComm
I have a customer who can VPN into his home network from his hotel, but cannot VPN from our corporate office to his home. I have an ASA 5510. I run packet-tracer and see that the packet gets dropped due to the explicit deny-all ACL. I have combed through the config to no avail. Regular VPN users can VPN in through the ASA to corporate resources. I also have an L2L VPN to another office that works fine. Why is this being blocked?
Please post the ACL that your ASA uses on the outside interface.
ASKER
These are all of the ACLs that should pertain to this issue. I have taken some out for privacy purposes, but they are for servers. I also have the L2L ACL in here too. Thanks ahead of time.
XXXXX-ASA# sh run access-list
access-list outside_access_in extended permit gre any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq pptp
access-list outside_access_in extended permit esp any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq isakmp
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq 4500
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq https
access-list outside_access_in extended permit tcp any host XX.16.33.110 eq ssh
access-list outside_access_in extended permit udp any host XX.16.33.110 eq sip
access-list outside_access_in extended permit udp any host XX.16.33.110 range 10000 20000
access-list outside_access_in extended permit tcp any host XX.16.33.100 eq 3389
access-list outside_access_in extended permit tcp any host XX.16.33.104 eq https
access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list nonat extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list cpo extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpo extended permit ip host XX.16.33.110 host XX.165.27.234
access-list cpi extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpi extended permit ip host XX.16.33.110 host XX.165.27.234
Do you know what kind of packets the VPN is using when you do a packet trace?
To make a VPN connection from your corporate office to his home, you need to open ports on your inside interface by putting in an access list. Which VPN is he using to connect to his home?
ASKER
He is using the standard Windows network connection (WAN miniport PPTP). Standard port 1723.
I'm not seeing any access list for this VPN. Put in access lists to open port 1723 on the internal interface of the PIX. It should work.
ASKER
Added
access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 eq pptp any
ASKER
Or this one?
access-list outside_access_in extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
When you run sh access-list, can you see the hit count increasing on this access-list?
access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 any eq pptp
ASKER
No hits yet, but I haven't tested it....
For Windows VPN you need to open these ports:
Port 1723 - PPTP
Port 47 - GRE
Port 50
Port 500 (you need to open this in TCP as well as UDP) - ISAKMP
ASKER
Should it be inside_access_out or outside_access_in? When I use packet-tracer the traffic is allowed all the way through; it's when it tries to come back that I get a drop.
ASKER
I added the statements, waiting for the user to try his connection.
In inside_access_in
ASKER
access-list inside_access_out extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47
access-list inside_access_out extended permit tcp any eq 50 192.168.33.0 255.255.255.0 eq 50
access-list inside_access_out extended permit tcp any eq 500 192.168.33.0 255.255.255.0 eq 500
access-list inside_access_out extended permit udp any eq 500 192.168.33.0 255.255.255.0 eq 500
None of this worked; I even added an access-group, to no avail... sigh.
What kind of VPN is that user using? Some older VPNs just cannot work with shared NAT but will work with one-to-one NAT or a dedicated public IP.
ASKER
He is using a standard network WAN miniport PPTP connection. I know the firewall is blocking his access to his remote (home) computer, I just can't see why (or where). From his hotel he is fine (no firewalls). What do I need to do to allow PPTP outbound? I have an L2L VPN connection that may be causing the issue too. Do I need to statically give this user access to his server from home? Which would seem kind of dumb if I had to do that. Hmmmm....
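The ACE forms tried in this thread differ in where the port operator sits and which protocol keyword is used, and that alone decides whether an ACE can ever match. The toy matcher below is an added example, not code from the original post or from Cisco: it implements the ASA extended-ACE syntax `permit PROTO SRC [eq P] DST [eq P]` for a subset of keywords and runs the thread's own candidate lines against a constructed PPTP control packet and a constructed GRE packet. The client address 192.168.33.50, the home address 203.0.113.10 and the ephemeral source port 49152 are assumptions.

```python
"""Toy model of Cisco ASA extended-ACL matching (constructed example, not
the ASA's own logic) to show why several access-list lines tried in the
thread can never match outbound PPTP traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as the ASA expands them in an ACE (subset used here).
PORT_NAMES = {"pptp": 1723, "isakmp": 500, "https": 443, "ssh": 22, "sip": 5060}


@dataclass
class Ace:
    action: str                      # permit / deny
    proto: str                       # ip, tcp, udp, gre, esp
    src: ipaddress.IPv4Network
    sport: Optional[range]           # None when no port operator is present
    dst: ipaddress.IPv4Network
    dport: Optional[range]


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks, i):
    """Parse `any` | `host X` | `NET MASK`; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def _portop(toks, i):
    """Parse optional `eq P` | `range A B`; return (range or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return range(p, p + 1), i + 2
    if i < len(toks) and toks[i] == "range":
        return range(_port(toks[i + 1]), _port(toks[i + 2]) + 1), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """access-list NAME extended ACTION PROTO SRC [op] DST [op]"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    sport, i = _portop(t, i)
    dst, i = _addr(t, i)
    dport, i = _portop(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl_lines, proto, src, sport, dst, dport) -> str:
    """First-match evaluation; unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        a = parse_ace(line)
        if a.proto not in ("ip", proto):            # `ip` matches any protocol
            continue
        if ipaddress.ip_address(src) not in a.src:
            continue
        if ipaddress.ip_address(dst) not in a.dst:
            continue
        if a.sport is not None and sport not in a.sport:
            continue
        if a.dport is not None and dport not in a.dport:
            continue
        return a.action
    return "deny (implicit)"


# The thread's candidate ACEs, copied verbatim from the posts above.
ASKER_ACE = "access-list inside_access_out extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp"
FIXED_ACE = "access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 any eq pptp"
TCP47_ACE = "access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47"
GRE_ACE = "access-list inside_access_out extended permit gre 192.168.33.0 255.255.255.0 any"

# Constructed traffic: an inside client (assumed address) opening the PPTP
# control channel, with an ephemeral source port, to a home router (assumed).
CLIENT, HOME, EPHEMERAL = "192.168.33.50", "203.0.113.10", 49152


def pptp_control_results() -> dict:
    """TCP/1723 from the inside client outbound, against each candidate ACE."""
    return {
        "asker": evaluate([ASKER_ACE], "tcp", CLIENT, EPHEMERAL, HOME, 1723),
        "fixed": evaluate([FIXED_ACE], "tcp", CLIENT, EPHEMERAL, HOME, 1723),
    }


def gre_results() -> dict:
    """GRE (IP protocol 47) carries no ports, so sport/dport are None."""
    return {
        "tcp47": evaluate([TCP47_ACE], "gre", CLIENT, None, HOME, None),
        "gre": evaluate([GRE_ACE], "gre", CLIENT, None, HOME, None),
    }


if __name__ == "__main__":
    print(pptp_control_results())   # asker: implicit deny, fixed: permit
    print(gre_results())            # tcp47: implicit deny, gre: permit
```

Two things fall out. First, `permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp` pins the source port to 1723 and the destination to the inside subnet, so an inside client connecting out with an ephemeral source port never matches it; the answerer's `permit tcp 192.168.33.0 255.255.255.0 any eq pptp` is the outbound form. Second, GRE is IP protocol 47 rather than a TCP or UDP port, so `permit tcp any eq 47 ...` cannot match GRE at all; ASA syntax expresses it as `permit gre`, the form this ASA's own `outside_access_in` already uses. The return TCP/1723 traffic is allowed by the ASA's stateful connection table, but the inbound GRE from the home router is a separate flow: for PPTP clients behind PAT the ASA additionally needs `inspect pptp` enabled in the global service policy so it can track the call IDs and open that GRE pinhole. To trace GRE rather than TCP in packet-tracer, use the rawip form, e.g. `packet-tracer input outside rawip 203.0.113.10 47 XX.16.33.110` (addresses assumed), and confirm with the hit counts in `show access-list`.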
ASKER CERTIFIED SOLUTION
ASKER
I have not resolved my issue yet. Going to call cisco.