Solved

Internal user VPN to home unable to connect

Posted on 2010-01-12
Last Modified: 2012-05-08
I have a customer who can VPN into his home network from his hotel, but cannot VPN from our corporate office to his home. I have an ASA 5510. I do packet tracer and see that the packet gets dropped due to explicit deny all ACL. I have combed through the config to no avail. Regular VPN users can VPN in through the ASA to corporate resources. I also have a L2L VPN to another office that works fine. Why is this being blocked?
Question by:UAVComm
19 Comments
LVL 13

Expert Comment

by:GuruChiu
ID: 26297274
pls post the ACL that your ASA used for the outside interface.

Author Comment

by:UAVComm
ID: 26298206
These are all of the ACLs that should pertain to this issue. I have taken some out for privacy purposes, but they are for servers. I also have the L2L ACL in here too. Thanks ahead of time.



XXXXX-ASA# sh run access-list
access-list outside_access_in extended permit gre any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq pptp
access-list outside_access_in extended permit esp any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq isakmp
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq 4500
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq https
access-list outside_access_in extended permit tcp any host XX.16.33.110 eq ssh
access-list outside_access_in extended permit udp any host XX.16.33.110 eq sip
access-list outside_access_in extended permit udp any host XX.16.33.110 range 10000 20000


access-list outside_access_in extended permit tcp any host XX.16.33.100 eq 3389
access-list outside_access_in extended permit tcp any host XX.16.33.104 eq https

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list nonat extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0

access-list cpo extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpo extended permit ip host XX.16.33.110 host XX.165.27.234
access-list cpi extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpi extended permit ip host XX.16.33.110 host XX.165.27.234
LVL 13

Expert Comment

by:GuruChiu
ID: 26299960
Do you know what kind of packets the VPN is using when you do a packet trace?
LVL 3

Expert Comment

by:sudeep_mib
ID: 26301821
To make a VPN connection from your corporate office to his home, you need to open ports on your inside interface by putting in an access list. Which VPN is he using to connect to his home?

Author Comment

by:UAVComm
ID: 26303366
He is using the standard windows network connection (WAN miniport PPTP). Standard port 1723.
LVL 3

Expert Comment

by:sudeep_mib
ID: 26303432
I'm not seeing any access list for this VPN. Put in the access lists to open port 1723 on the internal interface of the PIX. It should work.


Author Comment

by:UAVComm
ID: 26304450
Added

access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 eq pptp any

Author Comment

by:UAVComm
ID: 26305081
Or this one?

access-list outside_access_in extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305129
When you run sh access-list, can you see the hit count increasing on this access-list?

access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 any  eq pptp


Author Comment

by:UAVComm
ID: 26305199
No hits yet, but I haven't tested it....
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305299
For Windows VPN you need to open these ports:

port 1723- pptp
Port 47 -GRE
Port 50
Port 500 (You need to open this in TCP as well as UDP)  -isakmp

Author Comment

by:UAVComm
ID: 26305565
Should it be inside access out or outside access in? When I use packet tracer the traffic is allowed all the way through; it's when it tries to come back that I get a drop.

Author Comment

by:UAVComm
ID: 26305571
I added the statements, waiting for the user to try his connection.
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305806
In inside_access_in

Author Comment

by:UAVComm
ID: 26307894
access-list inside_access_out extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47
access-list inside_access_out extended permit tcp any eq 50 192.168.33.0 255.255.255.0 eq 50
access-list inside_access_out extended permit tcp any eq 500 192.168.33.0 255.255.255.0 eq 500
access-list inside_access_out extended permit udp any eq 500 192.168.33.0 255.255.255.0 eq 500

None of this worked, I even added an access-group to no avail.....sigh
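As an added example (not code from the thread, from Cisco, or from the ASA itself), the Python below is a toy matcher for the ASA extended ACE syntax posted above; it checks the ACE styles tried in this thread against the two flows a PPTP client generates, the TCP control connection to port 1723 and the GRE tunnel (IP protocol 47, which carries no port numbers), and reports which flows each set actually covers. The inside client address 192.168.33.50, the home address 203.0.113.7 and the `permit gre` line are constructed assumptions.

```python
import ipaddress

# Toy matcher for the ASA extended ACE forms posted in this thread (added example). Address forms:
# any | host A.B.C.D | NET MASK, optionally followed by "eq PORT" (named or numeric) for tcp/udp.
NAMED_PORTS = {"pptp": 1723, "https": 443, "ssh": 22, "isakmp": 500, "sip": 5060}
IP_PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ip": None}  # "ip" matches any protocol
def _net(tok):
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")  # "NET MASK" -> NET/MASK
def _port(tok):
    """Port pinned by an "eq" keyword after an address, or None when the ACE leaves it open."""
    if tok and tok[0] == "eq":
        p = tok[1]; del tok[:2]
        return int(NAMED_PORTS.get(p, p))
    return None
def parse_ace(line):
    # access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]
    t = line.split()
    ace, tok = {"acl": t[1], "action": t[3], "proto": t[4]}, t[5:]
    ace["src"], ace["sport"] = _net(tok), _port(tok)
    ace["dst"], ace["dport"] = _net(tok), _port(tok)
    return ace
def ace_matches(ace, proto, src, dst, sport=None, dport=None):
    """proto is the flow's IP protocol number; GRE and ESP flows carry no ports at all."""
    want = IP_PROTO[ace["proto"]]
    return ((want is None or want == proto)
            and ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"]
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))
def first_match(lines, acl_name, **flow):
    # First ACE of acl_name that matches the flow, else None: the ASA's implicit deny at the end.
    aces = [parse_ace(ln) for ln in lines if ln.startswith(f"access-list {acl_name} ")]
    return next((a for a in aces if ace_matches(a, **flow)), None)
# Constructed sample: two outbound ACEs tried in the thread, then the "any eq pptp" form suggested
# in it plus an assumed "permit gre" line. 203.0.113.7 stands in for the home public IP.
TRIED = ["access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 eq pptp any",
         "access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47"]
SUGGESTED = ["access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 any eq pptp",
             "access-list inside_access_out extended permit gre 192.168.33.0 255.255.255.0 any"]
# A PPTP client opens a TCP control connection to port 1723 from an ephemeral port, then GRE (proto 47).
CONTROL = dict(proto=6, src="192.168.33.50", sport=49152, dst="203.0.113.7", dport=1723)
TUNNEL = dict(proto=47, src="192.168.33.50", dst="203.0.113.7")
def check(lines):
    # Which PPTP flows inside_access_out permits, as {'control': bool, 'gre': bool}.
    return {n: first_match(lines, "inside_access_out", **f) is not None
            for n, f in (("control", CONTROL), ("gre", TUNNEL))}
```

`check(TRIED)` returns `{'control': False, 'gre': False}` because "eq pptp" after the source pins the client's ephemeral port and "tcp ... eq 47" is TCP port 47, not protocol 47; `check(SUGGESTED)` returns `{'control': True, 'gre': True}`.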
LVL 13

Expert Comment

by:GuruChiu
ID: 26307990
What kind of VPN is that user using? Some older VPNs just cannot work with shared NAT but will work with one-to-one NAT or a dedicated public IP.

Author Comment

by:UAVComm
ID: 26308386
He is using a standard network WAN miniport PPTP connection. I know the firewall is blocking his access to his remote (home) computer, just can't see why (where). From his hotel he is fine (no firewalls). What do I need to do to allow PPTP outbound? I have an L2L VPN connection that may be causing the issue too. Do I need to statically give this user access to his server from home? Which would seem kind of dumb if I had to do that. Hmmmm....
LVL 13

Accepted Solution

by:GuruChiu (earned 1000 total points)
ID: 26311356
Some older versions of Windows PPTP server do not support NAT-T. Make sure yours supports that. Without NAT-T, PPTP VPN will not work behind a PAT (Port Address Translation, which is what you are using now) firewall.

Author Closing Comment

by:UAVComm
ID: 31676335
I have not resolved my issue yet. Going to call cisco.
