Solved

Cisco ASA PPTP VPN Problem

Posted on 2010-09-04
1,694 Views
Last Modified: 2012-05-10
Hello boys and girls, hopefully someone will spot a blatant error in my config and help me out here. Basically, I've just installed an ASA for a client whose remote workers connect to a Windows Server 2003 PPTP VPN in order to do their remote work, and it doesn't work! I've exhausted myself trying to debug the code. I know you are all going to shout "switch to SSL VPN" at me, but this is not an option at the moment due to the number of VPN users I need to re-train on how to use this service in the short term; however, this will be rolled out in the long term.

Although I have PPTP (tcp/1723) permitted on the ASA as well as GRE (protocol 47) enabled in both directions, with PPTP being NAT-ed to the Windows server, the ASA still refuses the connection with the error "Deny inbound protocol 47 src outside:<CONNECTING IP> dst outside:SBS-EXCH-outside" in the syslog.

I've included a copy of the config with some bits hashed out. Please can someone help and save me an embarrassing situation on Monday morning! Cheers.

ASA Version 8.0(3)
!
hostname asa1
domain-name domain.local
enable password ####### encrypted
names
name 62.49.74.99 ASA-outside
name 192.168.0.3 CTX-inside
name 62.49.74.100 CTX-outside
name 192.168.0.7 EXCH-inside
name 62.49.74.98 SBS-EXCH-outside
name 192.168.0.2 SBS-inside
name 192.168.55.1 WWW-inside
name 62.49.74.101 WWW-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-outside 255.255.255.248
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 192.168.55.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ####### encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name videconplc.local
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq smtp
 service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object gre
 protocol-object esp
object-group service SBS-EXCH-services tcp
 port-object eq 26675
 port-object eq 465
 port-object eq 5678
 port-object eq 5679
 port-object eq 990
 port-object eq 993
 port-object eq 995
 port-object eq 999
 port-object eq www
 port-object eq https
 port-object eq pptp
 port-object eq smtp
object-group service CTX-services tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq https
object-group service WWW-services tcp
 port-object eq 8010
 port-object eq www
 port-object eq https
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp host WWW-inside any object-group DM_INLINE_TCP_2
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host WWW-inside host SBS-inside
access-list dmz_access_in extended permit tcp any any eq 5721
access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host WWW-outside object-group WWW-services
access-list outside_access_in extended permit tcp any host CTX-outside object-group CTX-services
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services
access-list outside_access_in extended permit gre any host SBS-EXCH-outside
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host EXCH-inside any eq smtp
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp SBS-EXCH-outside smtp EXCH-inside smtp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside https EXCH-inside https netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside www EXCH-inside www netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 999 EXCH-inside 999 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 990 EXCH-inside 990 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5678 EXCH-inside 5678 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5679 EXCH-inside 5679 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 26675 EXCH-inside 26675 netmask 255.255.255.255
static (dmz,outside) WWW-outside WWW-inside netmask 255.255.255.255
static (inside,outside) CTX-outside CTX-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 62.49.74.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.41 255.255.255.255 inside
http SBS-inside 255.255.255.255 inside
http 92.26.80.165 255.255.255.255 outside
http 92.26.80.166 255.255.255.255 outside
http 87.82.107.229 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.0.41 255.255.255.255 inside
ssh SBS-inside 255.255.255.255 inside
ssh 87.82.107.229 255.255.255.255 outside
ssh 92.26.80.166 255.255.255.255 outside
ssh 92.26.80.165 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5baeb9fe615425134c523a973d0539a5
: end

Question by:jimhoodleeds
5 Comments
LVL 14

Expert Comment

by:anoopkmr
ID: 33604480
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services

There is no object group under this name; I think it's a typo error. Just cross check?
LVL 14

Expert Comment

by:anoopkmr
ID: 33604493
Please ignore my above comments. Sorry for the wrong information.
LVL 14

Expert Comment

by:anoopkmr
ID: 33604521
What I can see is you don't have a NAT translation rule for GRE.

I don't think you can use port forwarding in your case because PPTP uses TCP/1721 and GRE protocol 47. Port forwarding works for TCP or UDP.

Your only option is one-to-one static NAT.

LVL 14

Expert Comment

by:anoopkmr
ID: 33604564
Or you can try the below; I am not sure about the result.

access-list permit-gre permit gre host 192.168.0.2 any
static (inside,outside) 62.49.74.98 access-list permit-gre

LVL 2

Accepted Solution

by:
jimhoodleeds earned 0 total points
ID: 33606019
Thanks for the suggestion anoopkmr, however, it appears I have simply missed pptp out of the default inspection class. Added that in and works straight away. Cheers.
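The accepted fix is a single line, but it is the kind of gap that slips through a config review: a TCP port static forwards PPTP (tcp/1723) to the inside server, yet nothing translates the GRE (IP protocol 47) data channel that PPTP negotiates, because a port static covers one TCP port only and the ASA only builds the GRE translation dynamically when `inspect pptp` is watching the TCP 1723 control session. The script below is an added example (not the asker's config and not a Cisco tool) that audits an ASA 8.0-style configuration for exactly that combination: a PPTP port static with neither a one-to-one static for the same address pair nor `inspect pptp` in the globally applied service policy, plus a check that some access-list permits GRE to the forwarded address. The two config excerpts are constructed from the question's own lines (object names kept, unrelated lines dropped), the second one with the `inspect pptp` line the asker added.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt modelled on the configuration posted in the question:
# the same object names, reduced to the lines the audit looks at.
ASA_CONFIG_BEFORE = """\
name 192.168.0.2 SBS-inside
name 62.49.74.98 SBS-EXCH-outside
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services
access-list outside_access_in extended permit gre any host SBS-EXCH-outside
static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
service-policy global_policy global
"""

# The same excerpt after the fix the asker applied: PPTP added to the inspection class.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace("  inspect ftp\n", "  inspect ftp\n  inspect pptp\n")

STATIC_TCP_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_ONE_TO_ONE_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
GRE_PERMIT_RE = re.compile(r"^access-list (\S+) extended permit gre \S+ host (\S+)")


@dataclass
class AsaConfig:
    pptp_port_statics: List[Tuple[str, str]] = field(default_factory=list)  # (global, local)
    one_to_one_statics: List[Tuple[str, str]] = field(default_factory=list)  # (global, local)
    gre_permits: List[Tuple[str, str]] = field(default_factory=list)  # (acl name, destination)
    inspects: Dict[str, Set[str]] = field(default_factory=dict)  # policy-map -> inspected protocols
    global_policy: Optional[str] = None  # policy-map applied with 'service-policy ... global'


def parse_config(text: str) -> AsaConfig:
    """Collect the statics, GRE permits and inspection entries the PPTP audit needs."""
    cfg = AsaConfig()
    current_pmap = None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not line.startswith(" "):  # any top-level command ends the current policy-map block
            current_pmap = None
        m = STATIC_TCP_RE.match(line)
        if m:
            _, _, global_ip, global_port, local_ip, _ = m.groups()
            if global_port in ("pptp", "1723"):
                cfg.pptp_port_statics.append((global_ip, local_ip))
            continue
        m = STATIC_ONE_TO_ONE_RE.match(line)
        if m:
            cfg.one_to_one_statics.append((m.group(3), m.group(4)))
            continue
        m = GRE_PERMIT_RE.match(line)
        if m:
            cfg.gre_permits.append((m.group(1), m.group(2)))
            continue
        if line.startswith("policy-map ") and not line.startswith("policy-map type "):
            current_pmap = line.split()[1]
            cfg.inspects.setdefault(current_pmap, set())
            continue
        if current_pmap and stripped.startswith("inspect "):
            cfg.inspects[current_pmap].add(stripped.split()[1])
            continue
        if line.startswith("service-policy ") and line.endswith(" global"):
            cfg.global_policy = line.split()[1]
    return cfg


def audit_pptp(cfg: AsaConfig) -> List[str]:
    """One finding per PPTP port static whose GRE data channel cannot be translated or permitted."""
    findings = []
    inspected = cfg.inspects.get(cfg.global_policy, set()) if cfg.global_policy else set()
    for global_ip, local_ip in cfg.pptp_port_statics:
        # A one-to-one static for the same pair translates every IP protocol, GRE included.
        covered = (global_ip, local_ip) in cfg.one_to_one_statics
        if not covered and "pptp" not in inspected:
            findings.append(
                f"{global_ip} -> {local_ip}: PPTP is forwarded by a TCP port static only and "
                "'inspect pptp' is absent from the global service policy, so GRE (protocol 47) "
                "has no translation; add 'inspect pptp' under the inspection class"
            )
        if not any(dest in (global_ip, "any") for _, dest in cfg.gre_permits):
            findings.append(f"{global_ip}: no access-list entry permits gre to this address")
    return findings


if __name__ == "__main__":
    for label, text in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        result = audit_pptp(parse_config(text))
        print(f"{label}: {result or 'no PPTP findings'}")
```

Run against the "before" excerpt the audit reports the missing `inspect pptp`; against the "after" excerpt it reports nothing, matching what the asker saw once PPTP was added to `inspection_default`. The one-to-one static check exists because that is the alternative anoopkmr suggested: a full static for the server would translate GRE without inspection, at the cost of exposing every port on that address to whatever `outside_access_in` permits.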
