bominthu
asked on
How to allow PPTP in ASA
Hi Expert,
I have an ASA firewall (124.11.xx.xx) and a VPN server (192.168.10.10) in the office. I've tested dial-up VPN inside the office and it is working fine. I understand that we need to allow PPTP and GRE and I followed the instructions from here http://www.tech21century.com/allowing-microsoft-pptp-through-cisco-asa/ (Scenario 2) but it doesn't work. I'm still unable to connect from outside. Could you advise which command I should use?
Rgds,
BMT
ASKER
I added this command
static (inside,outside) tcp interface pptp 192.168.10.10 pptp netmask 255.255.255.255
Sorry, no go. You'll need a separate public IP to make that work. So something like:
static (inside,outside) 124.11.xx.yy 192.168.10.10 netmask 255.255.255.255
GRE (a separate protocol) cannot travel through an IP that is PATted.
ASKER
When I set that, I get below error
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
As I said, a separate public address. When using 'interface' you use the public IP of the outside interface. Do you have more than one public address?
ASKER
I have more than 1 public IP, but they are not in use.
Only 1 is in use for the moment.
Ok, then try setting this up with one of the unused public IPs.
ASKER
I enabled logging, tried to connect to the VPN and found the cause after I checked the logs.
It was due to an access list I set up in the firewall.
I'm curious, is that without using a separate public IP in the static command?
ASKER
Yep, I really don't understand why you want to use a separate public IP.
Well, because when your VPN server is on the inside you can't get GRE through an address that is PATted. That's why I'm curious how you got it to work (haven't seen your config, of course).
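As an added configuration example (not from this thread, the linked article or Cisco), this assembles the pieces discussed above for a PPTP server behind an ASA: a one-to-one static NAT on a spare public IP, plus an inbound access list that permits both the TCP 1723 control channel and the GRE tunnel. It assumes the pre-8.3 `static`/ACL syntax used in the thread, `124.11.xx.yy` is the same placeholder, and the access-list name `outside_in` is an assumption.

```cisco
! Added example: one-to-one static NAT for the PPTP server on a spare public IP
! (124.11.xx.yy is a placeholder, as in the thread). A 1:1 static is needed
! because GRE has no port numbers and cannot be PATted behind the interface IP.
static (inside,outside) 124.11.xx.yy 192.168.10.10 netmask 255.255.255.255

! Inbound access list on the outside interface (name outside_in is assumed).
! If an inbound ACL is already applied to outside, add these two lines to it
! instead of creating a new one. In pre-8.3 syntax the ACL matches the
! translated (public) address, not the inside address.
access-list outside_in extended permit tcp any host 124.11.xx.yy eq pptp
access-list outside_in extended permit gre any host 124.11.xx.yy
access-group outside_in in interface outside

! Enable buffered logging, then attempt a client connection from outside and
! look for deny messages against the mapped address. This is how the asker
! located the access-list problem.
logging enable
logging buffered informational
show logging | include 124.11.xx.yy
```

A client that reaches the TCP 1723 handshake but then stalls at "verifying username and password" is the usual sign that GRE is still being dropped or translated.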
ASKER
Erniebeek,
Yeah, thanks for your help.
Rgds
BMT
Don't get me wrong. Just trying to comprehend what is making it work on your side (I'm always trying to learn as well :)
I completely understand if for you the issue has been resolved and you are finished with it.
No problem.
Like: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith