Laptev asked on

How to allow PPTP VPN passthrough outside using ASDM on an ASA5505

Hello everybody,

I need help with the following issue:

When I try to establish VPN connection to outside server I get:
regular translation creation failed for protocol 47 src inside:172.168.0.XX dst outside:XX.XX.74.18

I've tried all solutions I've found, but no luck.

Please help me with this issue.

I am using ASDM 5.2 and ASA 7.2, and I configure the ASA using ASDM.

Last Comment: Laptev, 8/22/2022 - Mon
Andy Keeney

Without any config showing, it appears your access list isn't set correctly.
This is a simple PPTP access list:
access-list 110 permit tcp any host x.x.x.x eq 1723
access-list 110 permit gre any host x.x.x.x
you will also need to enable fixup protocol pptp 1723
ASKER
Laptev

AndyK167: Can you please tell me how to do that with the ASDM launcher?
I am kind of a newbie with Cisco, and I manage the ASA with ASDM.

Maybe someone can help me to do that via Teamviewer?

Thank you beforehand.
ASKER
Laptev

Here is the config

ASA Version 7.2(4)
!
hostname fw-asa
domain-name default.domain.invalid
enable password ************** encrypted
passwd ****************encrypted
names
dns-guard
!
interface Vlan1
 description -= To LAN =-
 nameif inside
 security-level 100
 ip address 172.168.0.1 255.255.255.0
!
interface Vlan2
 description -= ISP =-
 nameif outside
 security-level 0
 ip address 212.109.5x.xx7 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description -= To LAN =-
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone IEV 2
clock summer-time IEV recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object host 172.168.0.66
 network-object host 172.168.0.67
 network-object host 172.168.0.68
 network-object host 172.168.0.69
access-list 1 extended permit ip host 172.168.0.2 any
access-list 1 extended permit ip host 172.168.0.5 any
access-list 1 extended permit ip host 172.168.0.6 any
access-list 1 extended permit ip host 172.168.0.8 any
access-list 1 extended permit ip host 172.168.0.10 any
access-list 1 extended permit ip host 172.168.0.12 any
access-list 1 extended permit ip host 172.168.0.13 any
access-list 1 extended permit ip host 172.168.0.14 any
access-list 1 extended permit ip host 172.168.0.15 any
access-list 1 extended permit ip host 172.168.0.16 any
access-list 1 extended permit ip host 172.168.0.17 any
access-list 1 extended permit ip 172.168.0.64 255.255.255.224 any
access-list 1 extended permit ip host 172.168.0.61 any
access-list 1 extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list 2 extended permit ip host 172.168.0.18 any
access-list 2 extended permit ip host 172.168.0.19 any
access-list 2 extended permit ip host 172.168.0.20 any
access-list 2 extended permit ip host 172.168.0.21 any
access-list 2 extended permit ip host 172.168.0.22 any
access-list 2 extended permit ip host 172.168.0.23 any
access-list 2 extended permit ip host 172.168.0.24 any
access-list 2 extended permit ip host 172.168.0.25 any
access-list 2 extended permit ip 172.168.0.96 255.255.255.224 any
access-list 2 extended permit ip host 172.168.0.62 any
access-list 2 extended permit ip host 172.168.0.75 any
access-list 3 extended permit ip host 172.168.0.26 any
access-list 3 extended permit ip host 172.168.0.27 any
access-list 3 extended permit ip host 172.168.0.28 any
access-list 3 extended permit ip host 172.168.0.29 any
access-list 3 extended permit ip host 172.168.0.30 any
access-list 3 extended permit ip host 172.168.0.31 any
access-list 3 extended permit ip host 172.168.0.32 any
access-list 3 extended permit ip host 172.168.0.33 any
access-list 3 extended permit ip 172.168.0.128 255.255.255.224 any
access-list 3 extended permit ip host 172.168.0.63 any
access-list 3 extended permit ip 172.168.0.64 255.255.255.224 any
access-list 3 extended permit ip host 172.168.0.76 any
access-list 4 extended permit ip host 172.168.0.34 any
access-list 4 extended permit ip host 172.168.0.35 any
access-list 4 extended permit ip host 172.168.0.36 any
access-list 4 extended permit ip host 172.168.0.37 any
access-list 4 extended permit ip host 172.168.0.38 any
access-list 4 extended permit ip host 172.168.0.39 any
access-list 4 extended permit ip host 172.168.0.40 any
access-list 4 extended permit ip host 172.168.0.41 any
access-list 4 extended permit ip 172.168.0.160 255.255.255.224 any
access-list 4 extended permit ip host 172.168.0.65 any
access-list 4 extended permit ip host 172.168.0.77 any
access-list 5 extended permit ip host 172.168.0.42 any
access-list 5 extended permit ip host 172.168.0.43 any
access-list 5 extended permit ip host 172.168.0.44 any
access-list 5 extended permit ip host 172.168.0.45 any
access-list 5 extended permit ip host 172.168.0.46 any
access-list 5 extended permit ip host 172.168.0.47 any
access-list 5 extended permit ip host 172.168.0.48 any
access-list 5 extended permit ip host 172.168.0.49 any
access-list 5 extended permit ip 172.168.0.192 255.255.255.224 any
access-list 5 extended permit ip host 172.168.0.50 any
access-list 5 extended permit ip host 172.168.0.51 any
access-list 5 extended permit ip host 172.168.0.52 any
access-list 5 extended permit ip host 172.168.0.53 any
access-list 5 extended permit ip host 172.168.0.54 any
access-list 5 extended permit ip host 172.168.0.55 any
access-list 5 extended permit ip host 172.168.0.56 any
access-list 5 extended permit ip host 172.168.0.57 any
access-list 5 extended permit ip host 172.168.0.58 any
access-list 5 extended permit ip host 172.168.0.59 any
access-list 5 extended permit ip host 172.168.0.60 any
access-list 5 extended permit ip host 172.168.0.11 any
access-list inside_nat0_outbound extended permit ip any 172.168.0.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.168.0.0 255.255.255.0 172.168.0.0 255.255.255.128
access-list CBRE-RA_splitTunnelAcl standard permit 172.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console alerts
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging host inside 172.168.0.11
no logging message 106014
mtu inside 1500
mtu outside 1500
ip local pool cbre_pool 172.168.0.60-172.168.0.80 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 212.109.5x.xx4
global (outside) 2 212.109.5x.xx5
global (outside) 3 212.109.5x.xx6
global (outside) 4 212.109.5x.xx8
global (outside) 5 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list 1 dns
nat (inside) 2 access-list 2
nat (inside) 3 access-list 3
nat (inside) 4 access-list 4
nat (inside) 5 access-list 5
route outside 0.0.0.0 0.0.0.0 212.109.5x.xx3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.168.0.11 255.255.255.255 inside
http 77.52.0.0 255.255.0.0 outside
no snmp-server location
snmp-server contact
snmp-server community uacBre
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-MD5
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto map outvpn 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outvpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.168.0.11 255.255.255.255 inside
ssh 77.52.0.0 255.255.0.0 outside
ssh timeout 30
console timeout 15
management-access inside

group-policy CBRE-RA internal
group-policy CBRE-RA attributes
 dns-server value 172.168.0.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CBRE-RA_splitTunnelAcl
 default-domain value cbre.ua
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.168.0.2
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cbre.ua
username mlaptev password ** encrypted privilege 15
username mlaptev attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.77 255.255.255.0
username yzverev password ********* encrypted privilege 0
username yzverev attributes
 vpn-group-policy CBRE-RA
username Miky password ************ encrypted privilege 15
username Miky attributes
 vpn-framed-ip-address 172.168.0.51 255.255.255.0
username oklymenko password * encrypted privilege 0
username oklymenko attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.72 255.255.255.0
username gshevchenko password * encrypted privilege 0
username gshevchenko attributes
 vpn-group-policy CBRE-RA
username vrudenko password * encrypted privilege 0
username vrudenko attributes
 vpn-group-policy CBRE-RA
username tpotyetyenina password I* encrypted privilege 0
username tpotyetyenina attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.74 255.255.255.0
username Michael password * nt-encrypted privilege 0
username Michael attributes
 vpn-group-policy DefaultRAGroup
username vshut password * encrypted privilege 0
username vshut attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.77 255.255.255.0
username adenysyuk password * encrypted privilege 0
username adenysyuk attributes
 vpn-group-policy CBRE-RA
username mkurashevych password */encrypted privilege 0
username mkurashevych attributes
 vpn-group-policy CBRE-RA
username Bdfy password * encrypted privilege 15
username rkryvoshapka password * encrypted privilege 0
username rkryvoshapka attributes
 vpn-group-policy CBRE-RA
username mderenko password *  encrypted privilege 0
username mderenko attributes
 vpn-group-policy CBRE-RA
username ystepanenko password * encrypted privilege 0
username ystepanenko attributes
 vpn-group-policy CBRE-RA
username akekukh password * encrypted privilege 0
username akekukh attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.75 255.255.255.0
username azhurakivskiy password * encrypted privilege 0
username azhurakivskiy attributes
 vpn-group-policy CBRE-RA
username Byfn password * encrypted privilege 15
username otsybko password * encrypted privilege 0
username otsybko attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.71 255.255.255.0
username osuprun password *encrypted privilege 0
username osuprun attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.70 255.255.255.0
username nsyvolap password * encrypted privilege 0
username nsyvolap attributes
 vpn-group-policy CBRE-RA
 vpn-framed-ip-address 172.168.0.76 255.255.255.0
username oartemchuk password * encrypted privilege 0
username oartemchuk attributes
 vpn-group-policy CBRE-RA
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group CBRE-RA type ipsec-ra
tunnel-group CBRE-RA general-attributes
 address-pool cbre_pool
 default-group-policy CBRE-RA
tunnel-group CBRE-RA ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-524.bin
asdm location 172.168.0.50 255.255.255.255 inside
asdm location 172.168.0.51 255.255.255.255 inside
asdm location 172.168.0.52 255.255.255.255 inside
asdm location 172.168.0.53 255.255.255.255 inside
asdm location 172.168.0.54 255.255.255.255 inside
asdm location 172.168.0.55 255.255.255.255 inside
asdm location 172.168.0.56 255.255.255.255 inside
asdm location 172.168.0.57 255.255.255.255 inside
asdm location 172.168.0.58 255.255.255.255 inside
asdm location 172.168.0.59 255.255.255.255 inside
asdm location 172.168.0.60 255.255.255.255 inside
asdm location 172.168.0.61 255.255.255.255 inside
asdm location 172.168.0.62 255.255.255.255 inside
asdm location 172.168.0.63 255.255.255.255 inside
asdm location 172.168.0.64 255.255.255.255 inside
asdm location 172.168.0.65 255.255.255.255 inside
asdm location 172.168.0.66 255.255.255.255 inside
asdm location 172.168.0.67 255.255.255.255 inside
asdm location 172.168.0.68 255.255.255.255 inside
asdm location 172.168.0.69 255.255.255.255 inside
asdm location 172.168.0.75 255.255.255.255 inside
asdm location 172.168.0.76 255.255.255.255 inside
asdm location 172.168.0.77 255.255.255.255 inside
asdm history enable
Andy Keeney

When you say you are trying to connect to an outside server, I assume the ASA is attempting to tunnel via VPN to another firewall. Is that correct?
ASKER
Laptev

Not exactly. I have a single desktop in my LAN that needs to connect to an external PPTP server (another office) to RDP to a machine in their LAN.
Without the ASA, the VPN connection establishes fine.
Andy Keeney

So the ASA is preventing you from using your VPN connection. The ASA is not attempting to maintain a tunnel. In other words, your desktop is creating the tunnel and connecting to the other network. And it works fine with whatever the ASA is replacing, but when you installed the ASA it appears to be blocking something and preventing your desktop from completing the connection. Does that about sum it up?
ASKER
Laptev

Yes. The desktop is creating the tunnel, and the ASA is blocking it. In the ASA log I get:

regular translation creation failed for protocol 47 src inside:172.168.0.11 dst outside:XXX.XXX.74.18
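The log line above (ASA message 305006) is the whole diagnosis once it is read against the NAT section of the posted config. Protocol 47 is GRE, the data channel PPTP brings up after the TCP 1723 control connection. GRE carries no port numbers, so when the source host falls under a nat statement whose global is a PAT pool (a single global address or `interface`) the ASA has nothing to multiplex on and logs this translation failure, unless PPTP inspection creates the GRE translation on the control connection's behalf. The Python script below is an added example, not code from the thread or from Cisco: it parses a trimmed excerpt of the posted config, finds the nat statement that 172.168.0.11 matches, and reports whether that rule ends in PAT. It assumes the nat 0 exemption list is evaluated before the numbered nat statements, that a single-address or `interface` global means PAT, and that a redacted destination never matches a destination-restricted ACL entry; all function names are the example's own.

```python
"""Triage an ASA 7.x 305006 line against the NAT config (added example, not Cisco/ASDM code)."""
import ipaddress
import re

# Excerpt of the configuration posted in this thread, trimmed to the lines the
# lookup needs (the full config has many more ACL entries and pools).
ASA_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object host 172.168.0.66
access-list 1 extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list 5 extended permit ip 172.168.0.192 255.255.255.224 any
access-list 5 extended permit ip host 172.168.0.11 any
access-list inside_nat0_outbound extended permit ip any 172.168.0.0 255.255.255.128
global (outside) 1 212.109.5x.xx4
global (outside) 5 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list 1 dns
nat (inside) 5 access-list 5
"""
# The log line quoted by the asker (destination redacted as in the post).
SYSLOG = ("regular translation creation failed for protocol 47 "
          "src inside:172.168.0.11 dst outside:XXX.XXX.74.18")
LOG_RE = re.compile(r"translation creation failed for protocol (\d+) "
                    r"src (\S+?):(\S+) dst (\S+?):(\S+)")
ANY = None  # sentinel for the ACL keyword "any"

def _net(tokens):
    """'host A' or 'A MASK' -> ip_network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)

def _spec(tokens, groups):
    """Consume one ACL address spec; return (networks or ANY, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [_net(tokens[:2])], tokens[2:]

def parse_config(text):
    """Collect network object-groups, ACL entries, nat statements and global pools."""
    groups, acls, nats, pools, group = {}, {}, [], {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "object-group" and parts[1] == "network":
            group = parts[2]
            groups[group] = []
        elif parts[0] == "network-object" and group is not None:
            groups[group].append(_net(parts[1:]))
        else:
            group = None
            if parts[0] == "access-list":
                tokens = parts[3:] if parts[2] == "extended" else parts[2:]
                src, rest = _spec(tokens[2:], groups)  # tokens[0:2] = action, protocol
                dst, _ = _spec(rest, groups)
                acls.setdefault(parts[1], []).append((tokens[0], src, dst))
            elif parts[0] == "nat" and parts[3] == "access-list":
                nats.append((parts[1].strip("()"), int(parts[2]), parts[4]))
            elif parts[0] == "global":
                pools[(parts[1].strip("()"), int(parts[2]))] = parts[3]
    return acls, nats, pools

def _matches(spec, ip):
    # ANY matches everything; a redacted address (None) never matches a concrete network.
    return spec is ANY or (ip is not None and any(ip in net for net in spec))

def find_nat_rule(config_text, syslog_line):
    """(nat_id, pool) of the first nat statement whose ACL permits the logged flow.
    Assumed order: the nat 0 exemption list first, then the rest in config order."""
    _proto, src_if, src, dst_if, dst = LOG_RE.search(syslog_line).groups()
    acls, nats, pools = parse_config(config_text)
    ips = []
    for text in (src, dst):
        try:
            ips.append(ipaddress.ip_address(text))
        except ValueError:  # redacted in the post, e.g. XXX.XXX.74.18
            ips.append(None)
    for iface, nat_id, acl in sorted(nats, key=lambda n: n[1] != 0):
        if iface != src_if:
            continue
        for action, s, d in acls.get(acl, []):
            if action == "permit" and _matches(s, ips[0]) and _matches(d, ips[1]):
                return nat_id, "exempt" if nat_id == 0 else pools.get((dst_if, nat_id))
    return None, None

def diagnose(config_text, syslog_line):
    """GRE (47) has no ports: a PAT pool cannot translate it without PPTP inspection."""
    proto = int(LOG_RE.search(syslog_line).group(1))
    nat_id, pool = find_nat_rule(config_text, syslog_line)
    if nat_id is None:
        return "no nat rule matches the source; with nat-control the packet is dropped"
    if pool is None:
        return f"nat {nat_id} matched but no global pool with id {nat_id} exists"
    if pool == "exempt":
        return "nat 0 exemption matched; not a translation problem"
    is_pat = pool == "interface" or "-" not in pool  # single address or interface = PAT
    if proto == 47 and is_pat:
        return (f"nat {nat_id} -> PAT on {pool}: GRE cannot be port-translated; "
                "enable PPTP inspection (inspect pptp / fixup protocol pptp 1723)")
    return f"nat {nat_id} -> {pool}"

if __name__ == "__main__":
    print(diagnose(ASA_CONFIG, SYSLOG))
```

Run as-is it reports that 172.168.0.11 matches nat 5, whose global is `interface` (PAT), which is exactly why the `fixup protocol pptp 1723` line from the first reply is the missing piece. Fed a full `show running-config` and other 305006 lines from the ASA log, the same lookup shows which hosts would hit the same wall.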
ASKER CERTIFIED SOLUTION
Andy Keeney

ASKER
Laptev

AndyK167,

Thank you so much! That helped!