Solved

Internal user VPN to home unable to connect

Posted on 2010-01-12
Last Modified: 2012-05-08
I have a customer who can VPN into his home network from his hotel, but cannot VPN from our corporate office to his home. I have an ASA 5510. I run packet tracer and see that the packet gets dropped due to the explicit deny-all ACL. I have combed through the config to no avail. Regular VPN users can VPN in through the ASA to corporate resources. I also have an L2L VPN to another office that works fine. Why is this being blocked?
Question by:UAVComm
19 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26297274
pls post the ACL that your ASA used for the outside interface.
 

Author Comment

by:UAVComm
ID: 26298206
These are all of the ACLs that should pertain to this issue. I have taken some out for privacy purposes, but they are for servers. I also have the L2L ACL in here too. Thanks ahead of time.



XXXXX-ASA# sh run access-list
access-list outside_access_in extended permit gre any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq pptp
access-list outside_access_in extended permit esp any XX.16.33.96 255.255.255.240
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq isakmp
access-list outside_access_in extended permit udp any XX.16.33.96 255.255.255.240 eq 4500
access-list outside_access_in extended permit tcp any XX.16.33.96 255.255.255.240 eq https
access-list outside_access_in extended permit tcp any host XX.16.33.110 eq ssh
access-list outside_access_in extended permit udp any host XX.16.33.110 eq sip
access-list outside_access_in extended permit udp any host XX.16.33.110 range 10000 20000


access-list outside_access_in extended permit tcp any host XX.16.33.100 eq 3389
access-list outside_access_in extended permit tcp any host XX.16.33.104 eq https

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list nonat extended permit ip 192.168.33.0 255.255.255.0 192.168.34.0 255.255.255.0

access-list cpo extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpo extended permit ip host XX.16.33.110 host XX.165.27.234
access-list cpi extended permit ip host XX.165.27.234 host XX.16.33.110
access-list cpi extended permit ip host XX.16.33.110 host XX.165.27.234
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26299960
Do you know what kind of packets the VPN is using when you do a packet trace?
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26301821
To make a VPN connection from your corporate office to his home, you need to open ports on your inside interface by putting in an access list. Which VPN is he using to connect to his home?
 

Author Comment

by:UAVComm
ID: 26303366
He is using the standard windows network connection (WAN miniport PPTP). Standard port 1723.
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26303432
I'm not seeing any access list for this VPN. Put in the access lists to open port 1723 on the internal interface of the PIX. It should work.
 

Author Comment

by:UAVComm
ID: 26304450
Added

access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 eq pptp any
 

Author Comment

by:UAVComm
ID: 26305081
Or this one?

access-list outside_access_in extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305129
When you run sh access-list, can you see the hit count increasing on this access-list?

access-list inside_access_out extended permit tcp 192.168.33.0 255.255.255.0 any  eq pptp

 

Author Comment

by:UAVComm
ID: 26305199
No hits yet, but I haven't tested it....
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305299
For Windows VPN you need to open these ports:

port 1723- pptp
Port 47 -GRE
Port 50
Port 500 (You need to open this in TCP as well as UDP)  -isakmp
 

Author Comment

by:UAVComm
ID: 26305565
Should it be inside access out or outside access in? When I use packet tracer the traffic is allowed all the way through; it's when it tries to come back that I get a drop.
 

Author Comment

by:UAVComm
ID: 26305571
I added the statements, waiting for the user to try his connection.
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26305806
In inside_access_in.
 

Author Comment

by:UAVComm
ID: 26307894
access-list inside_access_out extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47
access-list inside_access_out extended permit tcp any eq 50 192.168.33.0 255.255.255.0 eq 50
access-list inside_access_out extended permit tcp any eq 500 192.168.33.0 255.255.255.0 eq 500
access-list inside_access_out extended permit udp any eq 500 192.168.33.0 255.255.255.0 eq 500

None of this worked; I even added an access-group, to no avail... sigh.
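An added check, not code from the thread or from either poster, that covers both the port list in comment 26305299 and the five entries in comment 26307894 above. It is a small linter for ASA extended ACL entries of the exact shape posted here (any / host A / A MASK addresses, eq X and range A B ports) and flags three things those entries get wrong: IP protocol numbers written as TCP ports (GRE is IP protocol 47 and ESP is IP protocol 50, so neither has a port, and the ASA spells them `permit gre` / `permit esp`), a service port placed on the source side, where a client's ephemeral source port will never match, and ISAKMP over TCP (IKE uses UDP/500, and UDP/4500 for NAT-T; nothing listens on TCP/500). The checks are heuristics I chose for this thread; the linter does not judge which interface an entry belongs on or whether the source should be the 192.168.33.0/24 LAN, as it is in the entry at comment 26305129.

```python
"""Added example (not code from the thread): a small linter for ASA extended ACL entries of the
shape used in this thread. It flags the mistakes visible in the entries posted above: IP protocol
numbers (GRE is protocol 47, ESP is protocol 50) written as TCP ports, a service port applied to
the source side where a client's ephemeral port will never match, and an ISAKMP entry over TCP.
Only the address and port syntax seen in this thread is parsed (any / host A / A MASK, eq X, range A B)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"pptp": 1723, "isakmp": 500, "https": 443, "ssh": 22, "sip": 5060}  # ASA port keywords used here
IP_PROTOCOLS = {47: "gre", 50: "esp"}   # IP protocol numbers; these have no ports at all
UDP_ONLY = {500: "isakmp"}              # IKE runs over UDP/500 (UDP/4500 with NAT-T); TCP/500 carries nothing


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: str
    sport: Optional[str]   # e.g. "eq pptp", "range 10000 20000", or None
    dst: str
    dport: Optional[str]

    def render(self) -> str:
        parts = ["access-list", self.name, "extended", self.action, self.proto, self.src]
        if self.sport:
            parts.append(self.sport)
        parts.append(self.dst)
        if self.dport:
            parts.append(self.dport)
        return " ".join(parts)


def _addr(tokens: List[str]) -> str:
    t = tokens.pop(0)
    if t == "any":
        return t
    if t == "host":
        return f"host {tokens.pop(0)}"
    return f"{t} {tokens.pop(0)}"   # network followed by its mask


def _port(tokens: List[str]) -> Optional[str]:
    if tokens and tokens[0] == "eq":
        return f"{tokens.pop(0)} {tokens.pop(0)}"
    if tokens and tokens[0] == "range":
        return f"{tokens.pop(0)} {tokens.pop(0)} {tokens.pop(0)}"
    return None


def parse(line: str) -> Rule:
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 6 or tokens[2] != "extended":
        raise ValueError(f"not an extended ACL entry: {line!r}")
    name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Rule(name, action, proto, src, sport, dst, dport)


def _port_number(spec: Optional[str]) -> Optional[int]:
    """'eq pptp' -> 1723, 'eq 47' -> 47; ranges and unknown keywords give None."""
    if not spec or not spec.startswith("eq "):
        return None
    value = spec.split()[1]
    return PORT_NAMES.get(value, int(value) if value.isdigit() else None)


def lint(line: str) -> Tuple[List[str], str]:
    """Return (findings, suggested replacement) for one entry; an entry with no findings renders unchanged."""
    rule = parse(line)
    findings: List[str] = []
    if rule.proto not in ("tcp", "udp"):
        return findings, rule.render()
    if rule.sport is not None:
        findings.append(f"source port '{rule.sport}' never matches a client's ephemeral source port; drop it")
        rule.sport = None
    number = _port_number(rule.dport)
    if number in IP_PROTOCOLS:
        findings.append(f"{number} is IP protocol {IP_PROTOCOLS[number]}, not a {rule.proto} port; permit the protocol itself")
        rule.proto, rule.dport = IP_PROTOCOLS[number], None
    elif rule.proto == "tcp" and number in UDP_ONLY:
        findings.append(f"{UDP_ONLY[number]} runs over udp/{number} only; a tcp/{number} entry is dead")
        rule.proto = "udp"
    return findings, rule.render()


def lint_acl(text: str) -> List[Tuple[str, List[str], str]]:
    """Lint every non-blank line of a 'show run access-list' dump."""
    return [(ln.strip(), *lint(ln)) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    # the five entries posted in comment 26307894
    POSTED = """
access-list inside_access_out extended permit tcp any eq pptp 192.168.33.0 255.255.255.0 eq pptp
access-list inside_access_out extended permit tcp any eq 47 192.168.33.0 255.255.255.0 eq 47
access-list inside_access_out extended permit tcp any eq 50 192.168.33.0 255.255.255.0 eq 50
access-list inside_access_out extended permit tcp any eq 500 192.168.33.0 255.255.255.0 eq 500
access-list inside_access_out extended permit udp any eq 500 192.168.33.0 255.255.255.0 eq 500
"""
    for original, findings, fixed in lint_acl(POSTED):
        print(original)
        for finding in findings:
            print("   !", finding)
        print("   ->", fixed)
```

Run against the posted entries, the `eq 47` and `eq 50` lines collapse to `permit gre` and `permit esp` with no ports, the two `eq 500` lines both become the same `permit udp ... eq 500`, and the existing `outside_access_in` entries at the top of the thread pass through unchanged. Whether an entry belongs on the inside or outside interface, and in which direction, is a separate question the linter leaves alone.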
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26307990
What kind of VPN is that user using? Some older VPNs just cannot work with shared NAT but will work with one-to-one NAT or a dedicated public IP.
 

Author Comment

by:UAVComm
ID: 26308386
He is using a standard network WAN miniport PPTP connection. I know the firewall is blocking his access to his remote (home) computer, just can't see why (where). From his hotel he is fine (no firewalls). What do I need to do to allow PPTP outbound? I have an L2L VPN connection that may be causing the issue too. Do I need to statically give this user access to his server from home? Which would seem kind of dumb if I had to do that. Hmmmm....
 
LVL 13

Accepted Solution

by: GuruChiu (earned 1000 total points)
ID: 26311356
Some older versions of the Windows PPTP server do not support NAT-T. Make sure yours supports that. Without NAT-T, PPTP VPN will not work behind a PAT (port address translation, which is what you are using now) firewall.
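An added illustration of the accepted answer's point, not code from the thread or from either poster: a toy model of why a port-based PAT has nowhere to send the returning GRE packets of a PPTP session, and what a PPTP-aware translator has to track instead. PPTP's control channel is TCP/1723, but its data channel is GRE, which has no port numbers at all, so a translator that keys its xlate table on ports creates no entry for it and the server's GRE packets arrive at the outside interface with no connection to match; that is consistent with the packet-tracer result reported at the top of the thread, where the return traffic fell through to the interface ACL's deny. On an ASA the PPTP-aware tracking modelled here is what `inspect pptp` in the service policy provides, which is my addition rather than something the thread arrived at. Packets are constructed objects, the public addresses are RFC 5737 documentation ranges, and the inside addresses are from the thread's 192.168.33.0/24.

```python
"""Added example (not code from the thread): a toy model of why a port-based PAT cannot
carry the GRE data channel of a PPTP session, and what a PPTP-aware translator has to
track instead. Packets are constructed objects, not real traffic; the addresses are
illustrative (RFC 5737 ranges for the public side, the thread's 192.168.33.0/24 inside)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PPTP_PORT = 1723   # PPTP control channel is TCP/1723; the data channel is GRE (IP protocol 47), which has no ports


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None    # TCP only
    dport: Optional[int] = None    # TCP only
    call_id: Optional[int] = None  # control message: caller's Call ID; GRE: key field carrying the peer's Call ID


class PortPAT:
    """Classic PAT: one public address, flows told apart by the translated source port."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 20000
        self.tcp_xlate: Dict[int, Tuple[str, int]] = {}   # translated port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "gre":
            # GRE has no port to rewrite or to key a translation on: the packet is
            # forwarded, but no xlate exists for anything that comes back.
            return replace(pkt, src=self.public_ip)
        tport = self.next_port
        self.next_port += 1
        self.tcp_xlate[tport] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=tport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "tcp" and pkt.dport in self.tcp_xlate:
            inside_ip, inside_port = self.tcp_xlate[pkt.dport]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        return None   # no matching xlate: the packet falls through to the interface ACL and is dropped


class PptpAwarePAT(PortPAT):
    """PAT that inspects the PPTP control channel, which is what the ASA's 'inspect pptp'
    does: it learns each inside caller's Call ID from its outgoing-call request, rewrites
    it to a value unique on the firewall, and uses the GRE key field of returning packets
    to find the inside host. (Modelled behaviour; the real inspector also tracks call state.)"""

    def __init__(self, public_ip: str) -> None:
        super().__init__(public_ip)
        self.next_call_id = 1
        self.gre_xlate: Dict[int, Tuple[str, int]] = {}   # translated call id -> (inside ip, original call id)

    def outbound(self, pkt: Packet) -> Packet:
        out = super().outbound(pkt)
        if pkt.proto == "tcp" and pkt.dport == PPTP_PORT and pkt.call_id is not None:
            xid = self.next_call_id
            self.next_call_id += 1
            self.gre_xlate[xid] = (pkt.src, pkt.call_id)
            out = replace(out, call_id=xid)   # the server will echo this value in its GRE key field
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "gre" and pkt.call_id in self.gre_xlate:
            inside_ip, orig_id = self.gre_xlate[pkt.call_id]
            return replace(pkt, dst=inside_ip, call_id=orig_id)
        return super().inbound(pkt)


def pptp_session(pat: PortPAT, inside_ip: str, server_ip: str, call_id: int) -> Optional[Packet]:
    """Push a minimal PPTP exchange through `pat`: the inside host's outgoing-call request on
    TCP/1723, then the first GRE packet the server sends back. Returns that GRE packet as
    delivered to the inside host, or None if the translator had nowhere to send it."""
    request = Packet("tcp", inside_ip, server_ip, sport=51000, dport=PPTP_PORT, call_id=call_id)
    seen_by_server = pat.outbound(request)
    reply = Packet("gre", server_ip, pat.public_ip, call_id=seen_by_server.call_id)
    return pat.inbound(reply)


if __name__ == "__main__":
    print("port-only PAT :", pptp_session(PortPAT("203.0.113.1"), "192.168.33.10", "198.51.100.5", 7))
    aware = PptpAwarePAT("203.0.113.1")
    # two inside hosts that happen to pick the same Call ID still get their own GRE packets back
    print("pptp-aware PAT:", pptp_session(aware, "192.168.33.10", "198.51.100.5", 7))
    print("pptp-aware PAT:", pptp_session(aware, "192.168.33.11", "198.51.100.5", 7))
```

The port-only translator returns None for the server's GRE packet, which is the drop the thread describes; the PPTP-aware one delivers it to the right inside host even when two inside clients chose the same Call ID, because it rewrote each ID to a firewall-unique value on the way out. This is also why a dedicated public IP or one-to-one NAT, as suggested in comment 26307990, sidesteps the problem: with no port sharing there is nothing to disambiguate.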
 

Author Closing Comment

by:UAVComm
ID: 31676335
I have not resolved my issue yet. Going to call cisco.
