How to allow PPTP in ASA

Hi Expert,
I have an ASA firewall (124.11.xx.xx) and a VPN server (192.168.10.10) in the office. I've tested dial-up VPN inside the office and it is working fine. I understand that we need to allow PPTP and GRE, and I followed the instructions from here http://www.tech21century.com/allowing-microsoft-pptp-through-cisco-asa/ (Scenario 2), but it doesn't work. I'm still unable to connect from outside. Could you advise which command I should use?

Rgds,
BMT
Asked by: bominthu

Ernie Beek (Expert) commented:
You did create a 1 to 1 static from an additional public address to the inside address?

Like: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

bominthu (Author) commented:
I added this command
static (inside,outside) tcp interface pptp 192.168.10.10 pptp netmask 255.255.255.255

Ernie Beek (Expert) commented:
Sorry, no go. You'll need a separate public to make that work. So something like:

static (inside,outside) 124.11.xx.yy 192.168.10.10 netmask 255.255.255.255

GRE (a separate protocol) cannot travel through an IP that is PATted.
 
bominthu (Author) commented:
When I set that, I get the error below:

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

Ernie Beek (Expert) commented:
As I said, a separate public address. When using 'interface' you use the public IP of the outside interface. Do you have more than one public address?

bominthu (Author) commented:
I have more than 1 public IP, but they are not in use.
Only 1 is in use for the moment.

Ernie Beek (Expert) commented:
OK, then try setting this up with one of the unused public IPs.

bominthu (Author) commented:
Hi Erniebeek,

I enabled logging, tried to connect to the VPN, and found the cause after I checked the logs.
It was due to the access list I set up in the firewall.
Problem solved.

Thanks
 
Ernie Beek (Expert) commented:
I'm curious, is that without using a separate public IP in the static command?

bominthu (Author) commented:
Yep, I really don't understand why you want to use a separate public IP.

Ernie Beek (Expert) commented:
Well, because when your VPN server is on the inside you can't get GRE through an address that is PATted. That's why I'm curious how you got it to work (haven't seen your config of course).

bominthu (Author) commented:
Erniebeek,

Yeah, thanks for your help.

Rgds
BMT

Ernie Beek (Expert) commented:
Don't get me wrong. Just trying to comprehend what is making it work on your side (I'm always trying to learn as well :)
I completely understand if for you the issue has been resolved and you are finished with it.
No problem.
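
A small check for the two conditions discussed in this thread (the static translation and the access list on the outside interface), added here as an example and not posted by either participant. It assumes the pre-8.3 ASA syntax used in the thread; the sample configs, the address 203.0.113.20 and the ACL name outside_in are constructed.

```python
# Constructed samples in the pre-8.3 ASA syntax used in this thread.
# 203.0.113.20 is a documentation address; the ACL name "outside_in" is hypothetical.
PAT_ONLY = """\
static (inside,outside) tcp interface pptp 192.168.10.10 pptp netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq pptp
access-group outside_in in interface outside
"""
ONE_TO_ONE = """\
static (inside,outside) 203.0.113.20 192.168.10.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.20 eq pptp
access-list outside_in extended permit gre any host 203.0.113.20
access-group outside_in in interface outside
"""

def audit_pptp(config, server):
    """Return findings for publishing PPTP (TCP 1723 + GRE) to the inside `server`."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    statics = [t for t in lines if t[:2] == ["static", "(inside,outside)"]]
    # 1:1 static: static (inside,outside) <mapped> <real> netmask <mask>
    full = [t for t in statics if t[2] not in ("tcp", "udp") and t[3] == server]
    # Static PAT: static (inside,outside) tcp <mapped> <port> <real> <port> ...
    pat = [t for t in statics
           if t[2] == "tcp" and t[5] == server and t[4] in ("pptp", "1723")]
    findings = []
    if not full and not pat:
        findings.append("no static translation for the VPN server")
    elif not full:
        findings.append("static PAT covers tcp/1723 only; "
                        "GRE (IP protocol 47) is not translated by it")
    # ACL applied inbound on outside: access-group <name> in interface outside
    bound = [t[1] for t in lines
             if t[0] == "access-group" and t[2:] == ["in", "interface", "outside"]]
    acl = [t for t in lines if t[0] == "access-list" and t[1] in bound and "permit" in t]
    allowed = set()
    for t in acl:  # destination matching is not checked in this narrowed example
        proto = t[t.index("permit") + 1]
        if proto in ("gre", "47", "ip"):
            allowed.add("gre")
        if proto == "ip" or (proto == "tcp" and t[-2:] in (["eq", "pptp"], ["eq", "1723"])):
            allowed.add("tcp1723")
    if "tcp1723" not in allowed:
        findings.append("outside ACL does not permit tcp/1723 (PPTP control)")
    if "gre" not in allowed:
        findings.append("outside ACL does not permit GRE (PPTP data)")
    return findings
```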