• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3449

Cisco ASA-5505 Blocking GRE (Protocol 47) Windows Server 2003 VPN Connectivity

I am trying to connect to a Windows 2003 Server VPN and the Cisco is blocking GRE (protocol 47). Below is my config. Thanks for your help on the matter.

User Access Verification

Password:
Password:
Type help or '?' for a list of available commands.
BCNTASA> en
Password: ****
BCNTASA# conf t
BCNTASA(config)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname BCNTASA
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.38.XXX.XXX 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ywGUDW4qcA3ZGcgn encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq smtp
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq 3389
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq https
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq www
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq 3389
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq pptp
access-list outside_acl extended permit esp host 192.168.2.3 host 69.38.54.122
access-list outside_acl extended permit ah host 192.168.2.3 host 69.38.54.122
access-list outside_acl extended permit ip host 192.168.2.3 host 69.38.54.122
access-list outside_acl extended permit gre any host 69.38.XXX.XXX
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.3 www netmask 255.255.255.255
static (inside,outside) tcp 69.38.XXX.XXX 3389 192.168.2.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.3 pptp netmask 255.255.255.255
static (inside,outside) 69.38.XXX.XXX 192.168.2.3 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 69.38.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd8e4096559125828313ee15b10b605e
: end

0
Asked by: jalfano
1 Solution
 
Ken Boone (Network Consultant) commented:
Try this:

policy-map global_policy
 class inspection_default
  inspect pptp

You can also refer to this doc:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#new
0
 
ragnarok89 commented:
I haven't worked on PIX in a while, but I don't see a rule that allows traffic on port 47...
0
 
Ernie Beek (Expert) commented:
You will need a one-to-one NAT to the server (static command without the 'tcp') and an entry in your ACL for pptp and gre.
So it looks like you have all the lines there, but 69.38.XXX.XXX has to be one-to-one (exclusively) to 192.168.2.3. I assume that is the server:

static (inside,outside) 69.38.XXX.XXX 192.168.2.3 netmask 255.255.255.255
access-list outside_acl extended permit gre any host 69.38.XXX.XXX
access-list outside_acl extended permit tcp any host 69.38.XXX.XXX eq pptp
0
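One way to check a running-config for the three items the answers above call for (Ken Boone's `inspect pptp`, Ernie Beek's one-to-one static plus the gre and pptp ACL entries), as an added example that is not part of the thread or of Cisco's documentation: a small Python auditor for ASA 7.x syntax. The sample config, its addresses and the `audit_pptp` function are constructed assumptions, not values from the question.

```python
"""Added example (not from the thread or Cisco): audit an ASA 7.x config for the
PPTP/GRE passthrough prerequisites named above.  Sample config is constructed."""
import re

SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.1 255.255.255.0
access-list outside_acl extended permit tcp any host 203.0.113.1 eq pptp
access-list outside_acl extended permit gre any host 203.0.113.1
static (inside,outside) tcp interface pptp 192.168.2.3 pptp netmask 255.255.255.255
access-group outside_acl in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def audit_pptp(config, server):
    """Return (public_ip, nat_mode, issues) for the PPTP server at `server`."""
    lines = [l.strip() for l in config.splitlines()]
    outside_ip, in_outside, one2one, pat, acl = None, False, None, None, None
    permits = {}                      # (acl name, proto, 'eq ...') -> permitted hosts
    for l in lines:
        if l.startswith("interface "): in_outside = False
        elif l == "nameif outside": in_outside = True
        elif in_outside and l.startswith("ip address "): outside_ip = l.split()[2]
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", l)
        if m and m.group(2) == server: one2one = m.group(1)    # no 'tcp' keyword
        m = re.match(r"static \(inside,outside\) tcp (\S+) pptp (\S+) pptp", l)
        if m and m.group(2) == server: pat = m.group(1)        # port static only
        m = re.match(r"access-group (\S+) in interface outside", l)
        if m: acl = m.group(1)
        m = re.match(r"access-list (\S+) extended permit (\S+) any host (\S+) ?(.*)", l)
        if m: permits.setdefault((m.group(1), m.group(2), m.group(4)), set()).add(m.group(3))
    issues = []
    if one2one:
        public, mode = one2one, "one-to-one static"
    elif pat:   # GRE carries no ports, so PAT needs the PPTP inspector to pinhole it
        public, mode = pat, "port static (PAT)"
        if "inspect pptp" not in lines:
            issues.append("server is behind PAT but 'inspect pptp' is missing")
    else:
        return None, None, ["no static translation found for " + server]
    public = outside_ip if public == "interface" else public
    if public not in permits.get((acl, "gre", ""), ()):
        issues.append(f"inbound ACL {acl} has no 'permit gre any host {public}'")
    if public not in permits.get((acl, "tcp", "eq pptp"), ()):
        issues.append(f"inbound ACL {acl} has no 'permit tcp any host {public} eq pptp'")
    return public, mode, issues
```

Run it against a `show run` capture with the server's inside address; an empty issues list means the static, the two ACL permits and (under PAT) the inspector are all present for the same public IP, which is the condition Jimmy's hit-count question probes from the other direction.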
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Hello

ragnarok89: gre is not a port, it is a protocol.

jalfano: Do you have any hit counts on this acl line?
access-list outside_acl extended permit gre any host 69.38.XXX.XXX

Best regards
Kvistofta
0
 
jalfano (Author) commented:
Excellent help!! Thank you for the quick solution.
0