Solved

ASA5510 and ISA 2006

Posted on 2011-03-10
5
632 Views
Last Modified: 2012-05-11
Hi all,

Currently we have a PIX515 as our Internet Edge FW connecting to an ISA 2006 server.  We also have remote VPN users who use Windows Dial-Up networking (PPTP)  terminating on the PIX.  Now we need to replace the PIX with an ASA5510.  As this cutover needs to be transparent to the VPN users we will need to terminate the VPN connections on the ISA as the ASA does not support PPTP.

Any suggestions on the best way to allow the passthrough to the ISA server and is there any other stumbling blocks that would be in my way when I replace the PIX with the ASA?
0
Comment
Question by:MadMenSA
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35093511
For PPTP passthrough you would need to allow the GRE protocol and tcp port 1723 to the ISA server:

access-list acl_outside permit gre any host vpn_external
access-list acl_outside permit tcp any host vpn_external eq 1723

And apply it of course:
access-group acl_outside in interface outside

And you will need a 1-1 static:
static (inside,outside) vpn_external vpn_internal netmask 255.255.255.255

That should do it.
0
 

Author Comment

by:MadMenSA
ID: 35094734
Thanks erniebeek.

Would I need to include an inspect PPTP command?  

Also, any ideas on the VPN server config on the ISA?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35096142
If I remember correctly that should only be necessary for outgoing connections. On the other hand, it wouldn't hurt to try.

I'm not an ISA guru, but this might help you, though it's for 2004: http://technet.microsoft.com/nl-nl/library/cc713329(en-us).aspx

If we're lucky, keith_alabaster might drop by (that's the man from I.S.A.  :)
0
 

Author Comment

by:MadMenSA
ID: 35096259
Thanks erniebeek.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35096455
Thank you (for the points as well), glad I could help.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5512 LAN Config 16 79
Help with a subnetting question 7 58
Cisco Router Security Commands. 2 31
Cisco 2960 unable to add SFP modules to device 9 68
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question