How to limit client Outbound PPTP VPN connection

kpoon
Level 1

We have an ASA and have inspect pptp enabled. However, is there a way to allow the outgoing PPTP connections from our LAN 192.168.0.0 to certain specific IPs on the internet, such as 88.88.88.88 and 89.89.89.89, through an ACL? Right now, users can connect to any PPTP VPN outside as they please.

I have tried with NAT, with no luck.

This is the error message I got before enabling inspect pptp:

3|Jul 03 2007 13:36:33|305006: regular translation creation failed for protocol 47 src inside:192.168.1.199 dst outside:66.201.201.207

And this is our config (before inspect pptp):

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ExchangeOWA tcp
description Exchange Web and Mobile Access
port-object eq smtp
port-object eq https
port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 66.66.66.135 any
access-list outside extended permit tcp any host 66.66.66.133 object-group ExchangeOWA
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit icmp any any echo-reply
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BBBB-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 www 192.168.1.16 www netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 https 192.168.1.16 https netmask 255.255.255.255
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.129 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00


8 Replies

timkaye
Level 1

Hello.

I would firstly suggest binding an ACL inbound on your inside interface. That will require some thought given the impact. It would, however, let you dictate which hosts can communicate outbound accordingly.

You should also be able to create an appropriate access-list and bind that to your nat 10 statement instead of using

nat (inside) 10 0.0.0.0 0.0.0.0

The ACL could permit the allowed PPTP explicitly and then deny any other (PPTP) connection, remembering to allow the other NAT connections you would want.

Have you tried binding an acl to NAT 10?

I have, but I haven't been able to get it to work yet. It cut off all other internet connections, such as HTTP access.

But I will take your suggestion. Could you provide example commands to do so?

Another issue is that we can't get FTP connections going to the internet.

I would not restrict the access with NAT. An access list is the proper way to filter the traffic.

access-list inside permit tcp any host 88.88.88.88 eq pptp
access-list inside permit tcp any host 89.89.89.89 eq pptp
access-list inside deny tcp any any eq pptp
access-list inside permit ip any any
access-group inside in interface inside

As soon as I do that, it stops SMTP from working.

And I haven't been able to connect to any FTP on the internet.

As soon as you do what? Add the acl?

Adding that acl should make neither of those things occur.

Yes, as soon as I add the ACL to the config above, it stops other traffic.

I've managed to add

access-list inside permit tcp any any eq http
access-list inside permit tcp any any eq https
access-group inside in interface inside

to solve the web access issue, but then we get an email problem. And FTP has never worked since the beginning.

If you added the ACL exactly as it appears above, there would be no need to specifically allow http and https, as the second-to-last line is permit ip any any.
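To make the first-match behaviour behind this exchange concrete, here is an added example (not part of the thread, and not ASA code) that evaluates flows against the inside-interface ACL timkaye posted and against the http/https-only version kpoon described. It shows why the explicit http and https permits were redundant, why an ACL that lacks the final permit ip any any blocks SMTP through the implicit deny, and that the restriction is applied to the PPTP control channel (TCP 1723) while the GRE tunnel traffic (protocol 47, the protocol in the 305006 log line) still falls through to the permit ip any any line. The destination 203.0.113.10 is a constructed sample address; the parser handles only the any and host X address forms that appear in the posted ACLs.

```python
# Added example: a first-match evaluator for the ASA-style inside ACL posted in the
# thread. Not the ASA's own code; it models only the subset of the syntax used above.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known names the posted ACLs use, resolved to port numbers.
PORT_NAMES = {"pptp": 1723, "http": 80, "www": 80, "https": 443, "smtp": 25, "ftp": 21}


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "icmp" or "gre" (IP protocol 47)
    dst: str                   # destination IPv4 address as a string
    dport: Optional[int] = None  # destination port for tcp/udp, None otherwise


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    dst: Optional[str]         # host address, or None for "any"
    dport: Optional[int]       # destination port, or None for "any port"


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'.
    Only 'any' and 'host X' addresses are handled (all the posted ACEs use them);
    network/mask pairs are out of scope for this example."""
    tokens = line.split()[2:]                 # drop "access-list NAME"
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    rest = rest[2:] if rest[0] == "host" else rest[1:]   # skip the source field
    if rest[0] == "host":
        dst, rest = rest[1], rest[2:]
    else:
        dst, rest = None, rest[1:]            # "any"
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, dst, dport)


def matches(ace: Ace, flow: Flow) -> bool:
    """An ACE matches when protocol, destination host and destination port all agree."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst is not None and ace.dst != flow.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; an interface ACL ends with an implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if matches(ace, flow):
            return ace.action, index
    return "deny", None


# timkaye's ACL, copied from the post above.
INSIDE_ACL = [parse_ace(line) for line in (
    "access-list inside permit tcp any host 88.88.88.88 eq pptp",
    "access-list inside permit tcp any host 89.89.89.89 eq pptp",
    "access-list inside deny tcp any any eq pptp",
    "access-list inside permit ip any any",
)]

# The http/https-only version kpoon described, reconstructed here from the post.
WEB_ONLY_ACL = [parse_ace(line) for line in (
    "access-list inside permit tcp any any eq http",
    "access-list inside permit tcp any any eq https",
)]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed sample destination (TEST-NET-3).
    for flow in (Flow("tcp", "88.88.88.88", 1723), Flow("tcp", "203.0.113.10", 1723),
                 Flow("tcp", "203.0.113.10", 25), Flow("tcp", "203.0.113.10", 443),
                 Flow("gre", "88.88.88.88")):
        print(flow, "inside:", evaluate(INSIDE_ACL, flow), "web-only:", evaluate(WEB_ONLY_ACL, flow))
```

Running it shows PPTP to 88.88.88.88 permitted by line 0, PPTP to the sample address denied by line 2, and SMTP, HTTPS and GRE all permitted by line 3 of timkaye's ACL, whereas the web-only ACL permits HTTP and HTTPS but drops SMTP through the implicit deny, which is the email problem kpoon hit.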

Sorry my bad, thanks!

The only thing left for now is to enable outbound FTP from our LAN.

Would you know where the problem is?
