Solved

Cisco ASA PPTP VPN Problem

Posted on 2010-09-04
Last Modified: 2012-05-10
Hello boys and girls, hopefully someone will spot a blatant error in my config and help me out here. Basically, I've just installed an ASA for a client whose remote workers connect to a Windows Server 2003 PPTP VPN in order to do their remote work, and it doesn't work! I've exhausted myself trying to debug the code. I know you are all going to shout "switch to SSL VPN" at me, but this is not an option at the moment due to the number of VPN users I need to re-train on how to use this service in the short term; however, this will be rolled out in the long term.

Although I have PPTP (tcp/1723) permitted on the ASA as well as GRE (protocol 47) enabled in both directions, with PPTP being NAT-ed to the Windows server, the ASA still refuses the connection with the error "Deny inbound protocol 47 src outside:<CONNECTING IP> dst outside:SBS-EXCH-outside" in the syslog.

I've included a copy of the config with some bits hashed out. Please can someone help and save me an embarrassing situation on Monday morning! Cheers.
ASA Version 8.0(3)
!
hostname asa1
domain-name domain.local
enable password ####### encrypted
names
name 62.49.74.99 ASA-outside
name 192.168.0.3 CTX-inside
name 62.49.74.100 CTX-outside
name 192.168.0.7 EXCH-inside
name 62.49.74.98 SBS-EXCH-outside
name 192.168.0.2 SBS-inside
name 192.168.55.1 WWW-inside
name 62.49.74.101 WWW-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-outside 255.255.255.248
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 192.168.55.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ####### encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name videconplc.local
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq smtp
 service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object gre
 protocol-object esp
object-group service SBS-EXCH-services tcp
 port-object eq 26675
 port-object eq 465
 port-object eq 5678
 port-object eq 5679
 port-object eq 990
 port-object eq 993
 port-object eq 995
 port-object eq 999
 port-object eq www
 port-object eq https
 port-object eq pptp
 port-object eq smtp
object-group service CTX-services tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq https
object-group service WWW-services tcp
 port-object eq 8010
 port-object eq www
 port-object eq https
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp host WWW-inside any object-group DM_INLINE_TCP_2
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host WWW-inside host SBS-inside
access-list dmz_access_in extended permit tcp any any eq 5721
access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host WWW-outside object-group WWW-services
access-list outside_access_in extended permit tcp any host CTX-outside object-group CTX-services
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services
access-list outside_access_in extended permit gre any host SBS-EXCH-outside
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host EXCH-inside any eq smtp
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp SBS-EXCH-outside smtp EXCH-inside smtp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside https EXCH-inside https netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside www EXCH-inside www netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 999 EXCH-inside 999 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 990 EXCH-inside 990 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5678 EXCH-inside 5678 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5679 EXCH-inside 5679 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 26675 EXCH-inside 26675 netmask 255.255.255.255
static (dmz,outside) WWW-outside WWW-inside netmask 255.255.255.255
static (inside,outside) CTX-outside CTX-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 62.49.74.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.41 255.255.255.255 inside
http SBS-inside 255.255.255.255 inside
http 92.26.80.165 255.255.255.255 outside
http 92.26.80.166 255.255.255.255 outside
http 87.82.107.229 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.0.41 255.255.255.255 inside
ssh SBS-inside 255.255.255.255 inside
ssh 87.82.107.229 255.255.255.255 outside
ssh 92.26.80.166 255.255.255.255 outside
ssh 92.26.80.165 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5baeb9fe615425134c523a973d0539a5
: end

Question by:jimhoodleeds
5 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604480
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services

There is no object group under this name; I think it's a typo error. Just cross-check?
========================================================================
 
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604493
please ignore my above comments .. sorry for the wrong information
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604521
What I could see is you don't have a NAT translation rule for GRE.

I don't think you can use port forwarding in your case because PPTP uses TCP/1721 and GRE protocol 47. Port forwarding works for TCP or UDP.

Your only option is one-to-one static NAT.

 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604564
Or you can try like below; I am not sure about the result.

access-list permit-gre extended permit gre host 192.168.0.2 any
static (inside,outside) 62.49.74.98 access-list permit-gre
 
LVL 2

Accepted Solution

by:
jimhoodleeds earned 0 total points
ID: 33606019
Thanks for the suggestion anoopkmr, however, it appears I have simply missed pptp out of the default inspection class. Added that in and works straight away. Cheers.
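The accepted fix written out against the posted config, as an added example rather than the poster's own lines: the inspect statement goes into the existing inspection_default class of global_policy, and the comments explain why the GRE permit and the TCP/1723 static alone were not enough. The show commands at the end are standard ASA verification commands assumed for this example, not taken from the thread.

```cisco
! Added example (not from the thread): apply the accepted solution to the
! global_policy that already exists in the posted ASA 8.0(3) config.
!
! Why the original config failed:
!  - "static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp"
!    translates only TCP/1723 (the PPTP control channel).
!  - GRE (IP protocol 47) carries the tunnel data and has no port, so the
!    port static never matches it. The outside ACL line
!    "permit gre any host SBS-EXCH-outside" lets the packet past the ACL,
!    but there is no translation mapping GRE on SBS-EXCH-outside back to
!    SBS-inside. That is why the syslog shows dst "outside:SBS-EXCH-outside"
!    and the packet is dropped with "Deny inbound protocol 47".
!  - "inspect pptp" watches the TCP/1723 control channel, learns each
!    tunnel's GRE call IDs and opens the GRE translation and connection
!    dynamically for that client, so no separate GRE static is required.
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Verification after a remote worker connects (standard show commands):
!   show service-policy inspect pptp   ! inspection packet counters increase
!   show xlate                         ! a GRE xlate appears for SBS-inside
!   show conn | include GRE            ! one GRE conn per active PPTP tunnel
!   show logging | include 106010      ! the protocol 47 denies should stop
```

The hardening caveat a reviewer would add: this restores the PPTP/MS-CHAPv2 service exactly as the poster wanted for the short term, and the thread's own long-term plan (moving these users to SSL VPN) is the part that actually reduces exposure.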
