12-10-2007 01:30 PM - edited 03-11-2019 04:41 AM
I have an odd issue with my VPN setup. I'm using a Windows 2000 server as a VPN server, it sits behind an ASA 5510. All of my users can get in fine in their normal use, generally remotely connecting over DSL. However I often get reports of failure when people try to VPN from hotels. I'm thinking there is some sort of filtering or NAT transparency issue happening on the hotel side, but I never have a user at a given hotel long enough for troubleshooting to happen. I don't want a Windows box outside of the firewall, but I would like to eliminate some user headaches. Anything else I can do to eliminate ASA interference? Here is my pertinent config:
!
name 192.168.1.10 VPN
!
!
interface Ethernet0/0
nameif ORG-Inside
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
!
interface Ethernet0/1
nameif ORG-DMZ
security-level 50
ip address 192.168.2.2 255.255.255.0 standby 192.168.2.3
!
interface Ethernet0/2
nameif ORG-Outside
security-level 0
ip address xx.yy.zz.125 255.255.255.192 standby xx.yy.zz.126
!
!
access-list ORG-Outside_access_in extended permit gre any host xx.yy.zz.100
access-list ORG-Outside_access_in extended permit tcp any host xx.yy.zz.100 eq pptp
access-group ORG-Outside_access_in in interface ORG-Outside
!
static (ORG-Inside, ORG-Outside) xx.yy.zz.100 VPN netmask 255.255.255.255
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_2
inspect pptp
!
service-policy global_policy global
!
12-10-2007 04:50 PM
Hello.
I've had a customer having an issue with Windows VPN and PPTP inspection was not enabled. Enabling it resolved the issue.
You could try disabling pptp inspection. Conversely you could terminate the pptp to the firewall.
HTH
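As an added check that is not part of the thread: the poster's setup needs four things on the ASA for PPTP to reach an inside server (a static NAT to the public address, an inbound ACL permitting TCP/1723 and GRE to it, that ACL applied on the outside interface, and/or "inspect pptp" in the global policy, which opens the GRE pinhole dynamically). This Python script, written for this post, parses the relevant lines of the config above (embedded as a constructed sample, addresses as posted) and reports which pieces are present, so the ASA can be ruled in or out before blaming hotel NAT.

```python
import re

# Constructed sample: the relevant lines of the ASA config posted in the thread.
ASA_CONFIG = """\
name 192.168.1.10 VPN
access-list ORG-Outside_access_in extended permit gre any host xx.yy.zz.100
access-list ORG-Outside_access_in extended permit tcp any host xx.yy.zz.100 eq pptp
access-group ORG-Outside_access_in in interface ORG-Outside
static (ORG-Inside, ORG-Outside) xx.yy.zz.100 VPN netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
"""


def check_pptp_passthrough(config: str, server_name: str) -> dict:
    """Report which pieces of a PPTP pass-through to an inside server are present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # 'name <ip> <label>': resolve the label used in the static NAT.
    names = {m.group(2): m.group(1) for m in (re.match(r"name (\S+) (\S+)$", l) for l in lines) if m}
    inside_ip = names.get(server_name)
    # 'static (in,out) <public> <inside>': the public address the clients dial.
    public_ip = None
    for l in lines:
        m = re.match(r"static \((\S+?),\s*(\S+?)\) (\S+) (\S+) netmask", l)
        if m and m.group(4) in (server_name, inside_ip):
            public_ip = m.group(3)
    r = {"static_nat": public_ip is not None}
    # Outside ACL: TCP/1723 carries the control channel, GRE (IP proto 47) the tunnel data.
    acl = [l for l in lines if l.startswith("access-list ") and public_ip and f" host {public_ip} " in l + " "]
    r["acl_tcp_1723"] = any(re.search(r" permit tcp .* eq (pptp|1723)$", l) for l in acl)
    r["acl_gre"] = any(" permit gre " in l for l in acl)
    acl_names = {l.split()[1] for l in acl}
    r["acl_applied_inbound"] = any(
        l.startswith("access-group ") and l.split()[1] in acl_names and " in interface " in l for l in lines)
    # 'inspect pptp' in a globally applied policy-map opens the GRE pinhole dynamically,
    # so it is an alternative to the explicit GRE permit (either one covers the tunnel).
    pmap, pptp_maps = None, set()
    for l in lines:
        if l.startswith("policy-map "):
            pmap = l.split()[-1]
        elif l == "inspect pptp" and pmap:
            pptp_maps.add(pmap)
    r["inspect_pptp"] = any(l == f"service-policy {m} global" for m in pptp_maps for l in lines)
    r["gre_path"] = r["acl_gre"] or r["inspect_pptp"]
    r["ok"] = all((r["static_nat"], r["acl_tcp_1723"], r["acl_applied_inbound"], r["gre_path"]))
    return r


if __name__ == "__main__":
    for k, v in check_pptp_passthrough(ASA_CONFIG, "VPN").items():
        print(f"{k:20} {'PASS' if v else 'FAIL'}")
```

If every check passes on the ASA side, a hotel that still fails is almost certainly not forwarding GRE, which no ASA change can fix.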
12-10-2007 04:59 PM
I'll check/try that. As for terminating to the ASA, I like being able to define access via Active Directory Global Groups. I'm not sure how smoothly I can integrate with AD on the ASA, or what other benefit there would be in switching. Windows VPN services are so easy to set up and maintain (for a Windows server guy), there would have to be some compelling reasons to switch.
12-10-2007 05:08 PM
Let me know how you go.
You would be able to point your ASA to a RADIUS (IAS) server and define/restrict access via a policy based on groups etc.
The only compelling reasons I can come up with are around the overall design and being able to restrict access to resources via the firewall.
Again, the design of this could be achieved solely on the placement of your Windows VPN server.
Does it let you restrict access to specific protocols and applications via subnets/hosts?
T
12-10-2007 05:14 PM
Yes it does. I can't speak to performance (no comparative testing), but RRAS is actually a pretty flexible and intuitive part of Windows Server. Access profiles can restrict based on network address, protocol, physical connection type.
I also only average about 4-5 VPN users at any given time, so for all I know the server might die if 50 people were having to connect simultaneously. That might be the Windows catch.