RRAS behind Cisco AS505 ASA V8.2(5)

smccurnin
smccurnin used Ask the Experts™
on
Can anyone explain setting this up through the ASA interface? I'm trying to tunnel through this router to my RRAS box for VPN connections. I'm not a Cisco command line expert so I haven't tried to use the one's out there. A step by step through the ASA setup steps would be greatly appreciated.

I'm aware I need to forward GRE and IP port 1723 to my RRAS box. Seems like I keep losing internet connectivity when I do this.


Thanks in advance....
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
Found that pretty early on, was looking for instructions on using the web interface. Thanks though.
It is simpler to go through the steps on the command line than it is to do it in ASDM.

There is no "web interface" for the ASA firewall.

It would be easier to help you if you posted a suitably sanitised copy of your config

this might be of help in sanitising your config

http://www.experts-exchange.com/Hardware/Networking_Hardware/A_10296-How-to-sanitise-a-Cisco-config-for-Experts-Exchange.html
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Author

Commented:
I'll run some stuff I've found already through the CLI and if it doesn't work I'll post the config output if needed. I was hoping to avoid the command line.

Thanks
take a backup first, either  tools | backup in ASDM

or in a console "copy run backup<date/time/otheridentifier>"

or to copy it off the ASA "copy run tftp"

Author

Commented:
Ok here's the output of show running-config. Hopefully it's sanitized properly.
Thanks in advance :)


ASA Version 8.2(5)
!
hostname ciscoasa
domain-name EXAMPLE.local
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 10.77.88.145 Gateway description Public Gateway
name 10.77.88.148 InternalGateway
name 10.18.1.0 XXXHosting
name 192.168.5.0 Internal_Network_XXXHosting
name 192.168.3.3 EXAMPLE-Ras-Norfolk description Ras VPN Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
             
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address InternalGateway 255.255.255.240
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name EXAMPLE.local
object-group service L2TP tcp
 port-object eq 1701

             
object-group service PPTP tcp
 port-object eq 47
access-list outside_1_cryptomap extended permit ip Internal_Network_XXXHosting 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 Internal_Network_XXXHosting 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Internal_Network_XXXHosting 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal_Network_XXXHosting 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 1701
access-list outside_access_in extended permit udp any interface outside eq isakmp
access-list outside_access_in extended permit gre any host EXAMPLE-Ras-Norfolk
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
             
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
             
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.140.60.100 <XX redacted>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca
//////////////////////<redacted>///////////////////////////////////////////////////
  quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

             
!
dhcpd address 192.168.3.100-192.168.3.200 inside
dhcpd dns 192.168.3.2 192.168.5.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain EXAMPLE.Local interface inside
dhcpd option 3 ip 192.168.3.1 interface inside
dhcpd option 6 ip 192.168.3.2 192.168.5.2 interface inside
dhcpd option 15 ascii EXAMPLE.Local interface inside
!
dhcprelay server 192.168.3.2 inside
dhcprelay enable outside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.3.2 source inside prefer
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
username USER password  XXXXXXXX encrypted privilege 15
username USER password XXXXXXX  encrypted privilege 15
tunnel-group XX.140.60.100 type ipsec-l2l <XX redacted>
             
tunnel-group XX.140.60.100 ipsec-attributes <"XX"redacted>
 pre-shared-key *****
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  inspect pptp
  set connection random-sequence-number disable
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
call-home
 contact-email-addr NetworkEngineering@Isisinc.com
 contact-name Isis
 phone-number 804-762-4200
 sender from EXAMPLEASA@EXAMPLE.com
 street-address 2727 Enterprise Parkway, Suite 100 Richmond VA 23294
 mail-server email.isisinc.com priority 1
 profile CiscoTAC-1
  no active
             
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b739b74fa516dae9dcc7080465b06ed6
: end
You have the PPTP inspect set correctly :-)

The PPTP port needs to be changed

object-group service PPTP tcp
 no port-object eq 47
 port-object eq 1723

Open in new window


An ACL to allow the traffic on 1723 is also needed

access-list outside_access_in extended permit tcp any interface outside eq 1723

Open in new window


With the PPTP inspect, I'm fairly sure that you can remove the NAT for GRE

no access-list outside_access_in extended permit gre any host EXAMPLE-Ras-Norfolk 

Open in new window


Then you need a NAT rule.

I tend to use ACLs to define NAT rules.

In the Below RRAS sever is the name (if already defined) or the IP address of your RRAS server. If you wanted to use an address other than the interface address, you would replace "interface" with the  name (if already defined) or the IP address.

access-list PPTP_To_RRAS_Server extended permit tcp host <RRAS_SERVER> eq 1723 any
static (inside,outside) tcp interface 1723 access-list PPTP_To_RRAS_Server 

Open in new window

Author

Commented:
Thanks! That was fast. I'll try this later after hours and report back.

Author

Commented:
Great clear explanation! Thanks again. We're up and running. :)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial