Solved

Cisco ASA PPTP VPN Problem

Posted on 2010-09-04
1,709 Views
Last Modified: 2012-05-10
Hello boys and girls, hopefully someone will spot a blatant error in my config and help me out here. Basically, I've just installed an ASA for a client whose remote workers connect to a Windows Server 2003 PPTP VPN in order to do their remote work and it doesn't work! I've exhausted myself trying to debug the code. I know you are all going to shout "switch to SSL VPN" at me but this is not an option at the moment due to the number of VPN users I need to re-train on how to use this service in the short term; however, this will be rolled out in the long term.

Although I have PPTP (tcp/1723) permitted on the ASA as well as GRE (protocol 47) enabled in both directions with PPTP being NAT-ed to the Windows server, the ASA still refuses the connection with the error "Deny inbound protocol 47 src outside:<CONNECTING IP> dst outside:SBS-EXCH-outside" in the syslog.

I've included a copy of the config with some bits hashed out. Please can someone help and save me an embarrassing situation on Monday morning! Cheers.

ASA Version 8.0(3)
!
hostname asa1
domain-name domain.local
enable password ####### encrypted
names
name 62.49.74.99 ASA-outside
name 192.168.0.3 CTX-inside
name 62.49.74.100 CTX-outside
name 192.168.0.7 EXCH-inside
name 62.49.74.98 SBS-EXCH-outside
name 192.168.0.2 SBS-inside
name 192.168.55.1 WWW-inside
name 62.49.74.101 WWW-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-outside 255.255.255.248
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 192.168.55.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ####### encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name videconplc.local
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq smtp
 service-object udp eq domain
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object gre
 protocol-object esp
object-group service SBS-EXCH-services tcp
 port-object eq 26675
 port-object eq 465
 port-object eq 5678
 port-object eq 5679
 port-object eq 990
 port-object eq 993
 port-object eq 995
 port-object eq 999
 port-object eq www
 port-object eq https
 port-object eq pptp
 port-object eq smtp
object-group service CTX-services tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq https
object-group service WWW-services tcp
 port-object eq 8010
 port-object eq www
 port-object eq https
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp host WWW-inside any object-group DM_INLINE_TCP_2
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host WWW-inside host SBS-inside
access-list dmz_access_in extended permit tcp any any eq 5721
access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host WWW-outside object-group WWW-services
access-list outside_access_in extended permit tcp any host CTX-outside object-group CTX-services
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services
access-list outside_access_in extended permit gre any host SBS-EXCH-outside
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host EXCH-inside any eq smtp
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp SBS-EXCH-outside smtp EXCH-inside smtp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside https EXCH-inside https netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside www EXCH-inside www netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 999 EXCH-inside 999 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 990 EXCH-inside 990 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5678 EXCH-inside 5678 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 5679 EXCH-inside 5679 netmask 255.255.255.255
static (inside,outside) tcp SBS-EXCH-outside 26675 EXCH-inside 26675 netmask 255.255.255.255
static (dmz,outside) WWW-outside WWW-inside netmask 255.255.255.255
static (inside,outside) CTX-outside CTX-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 62.49.74.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.41 255.255.255.255 inside
http SBS-inside 255.255.255.255 inside
http 92.26.80.165 255.255.255.255 outside
http 92.26.80.166 255.255.255.255 outside
http 87.82.107.229 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.0.41 255.255.255.255 inside
ssh SBS-inside 255.255.255.255 inside
ssh 87.82.107.229 255.255.255.255 outside
ssh 92.26.80.166 255.255.255.255 outside
ssh 92.26.80.165 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5baeb9fe615425134c523a973d0539a5
: end

Question by:jimhoodleeds
5 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604480
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services

There is no object group under this name; I think it's a typo error. Just cross check?
LVL 14

Expert Comment

by:anoopkmr
ID: 33604493
Please ignore my above comments. Sorry for the wrong information.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604521
What I could see is you don't have a NAT translation rule for GRE.

I don't think you can use port forwarding in your case because PPTP uses TCP/1721 and GRE PROTOCOL 47. Port forwarding works for TCP or UDP.

Your only option is one-to-one static NAT.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33604564
Or you can have a try like below; I am not sure about the result.

access-list permit-gre extended permit gre host 192.168.0.2 any
static (inside,outside) 62.49.74.98 access-list permit-gre
 
LVL 2

Accepted Solution

by:
jimhoodleeds earned 0 total points
ID: 33606019
Thanks for the suggestion anoopkmr, however, it appears I have simply missed pptp out of the default inspection class. Added that in and works straight away. Cheers.
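As an added example (not part of the thread), the script below audits an ASA 8.0-style config for the three pieces PPTP pass-through needs: the tcp/1723 static, a GRE permit on the outside ACL for the same address, and pptp inspection in the globally applied policy-map. The config excerpt is constructed from the question's own lines, and the fixed copy adds the single line the accepted answer describes.

```python
import re

# Constructed excerpt of the question's config, trimmed to the PPTP-relevant lines.
BROKEN_CONFIG = """\
access-list outside_access_in extended permit tcp any host SBS-EXCH-outside object-group SBS-EXCH-services
access-list outside_access_in extended permit gre any host SBS-EXCH-outside
static (inside,outside) tcp SBS-EXCH-outside pptp SBS-inside pptp netmask 255.255.255.255
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
service-policy global_policy global
"""
# The fix from the accepted answer: pptp added to the default inspection class.
FIXED_CONFIG = BROKEN_CONFIG.replace("  inspect esmtp\n", "  inspect esmtp\n  inspect pptp\n")

def inspected_protocols(lines, policy_name):
    """Return the 'inspect X' engines configured inside one (non-'type') policy-map."""
    engines, inside = set(), False
    for line in lines:
        if line.startswith("policy-map "):
            inside = (not line.startswith("policy-map type ")
                      and line.split()[-1] == policy_name)
        elif line and not line.startswith(" "):
            inside = False  # any other top-level command ends the policy-map block
        elif inside and line.strip().startswith("inspect "):
            engines.add(line.split()[1])
    return engines

def audit_pptp(config):
    """Report which prerequisites for PPTP pass-through the config contains."""
    lines = config.splitlines()
    # 1. a static PAT for tcp/1723 (pptp); note the outside address it uses
    statics = [l for l in lines
               if re.match(r"static \(\w+,\w+\) tcp \S+ pptp \S+ pptp", l)]
    outside_hosts = {l.split()[3] for l in statics}
    # 2. the inbound ACL must permit GRE (IP protocol 47) to that same address,
    #    because the PPTP data channel is neither TCP nor UDP and no port-forward covers it
    gre_ok = any(l.split()[-1] in outside_hosts for l in lines
                 if re.match(r"access-list \S+ extended permit gre any host \S+$", l))
    # 3. the globally applied policy-map must carry 'inspect pptp' so the ASA
    #    ties the GRE flow to the control session it saw on tcp/1723
    matches = [re.match(r"service-policy (\S+) global$", l) for l in lines]
    global_policies = [m.group(1) for m in matches if m]
    inspect_ok = any("pptp" in inspected_protocols(lines, p) for p in global_policies)
    return {"pptp_static": bool(statics), "gre_acl": gre_ok, "inspect_pptp": inspect_ok}
```

Run `audit_pptp` over a `show running-config` dump to see which of the three prerequisites is missing; on the question's config only `inspect_pptp` comes back False, matching the accepted answer.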
