Windows VPN Server behind ASA 5510

benhanson · ‎12-10-2007

I have an odd issue with with my VPN setup. I'm using a Windows 2000 server as a VPN server, it sits behind an ASA 5510. All of my users can get in fine in their normal use, generally remotely connecting over DSL. However I often get reports of failure when people try to VPN from hotels. I'm thinking there is some sort of filtering or nat transparency issue happening on the hotel side, but I never have a user at a given hotel long enough for troubleshooting to happen. I don't want a windows box outside of the firewall, but I would like to elimate some user headaches. Anything else I can do to eliminate ASA interference? Here is my pertinent config:

!

name 192.168.1.10 VPN

!

interface Ethernet0/0

nameif ORG-Inside

security-level 100

ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3

!

interface Ethernet0/1

nameif ORG-DMZ

security-level 50

ip address 192.168.2.2 255.255.255.0 standby 192.168.2.3

!

interface Ethernet0/2

nameif ORG-Outside

security-level 0

ip address xx.yy.zz.125 255.255.255.192 standby xx.yy.zz.126

!

access-list ORG-Outside_access_in extended permit gre any host xx.yy.zz.100

access-list ORG-Outside_access_in extended permit tcp any host xx.yy.zz.100 eq pptp

access-group ORG-Outside_access_in in interface ORG-Outside

!

static (ORG-Inside, ORG-Outside) xx.yy.zz.100 VPN netmask 255.255.255.255

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum 2048

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect dns migrated_dns_map_2

inspect pptp

!

service-policy global_policy global

!

timkaye · ‎12-10-2007

Hello.

I've had a customer having issue with windows VPN and pptp inspection was not enabled. Enabled it resolved the issue.

You could try disabling pptp inspection. Conversely you could terminate the pptp to the firewall.

HTH

benhanson · ‎12-10-2007

I'll check/try that. As for terminating to the ASA, I like being able to define access via Active Directory Global Groups. I'm not sure how smoothly I can integrate with AD on the ASA, or what other benefit there would be in switching. Windows VPN services are so easy to setup and maintain(for a Windows server guy), there would have to be some compelling reasons to switch.

timkaye · ‎12-10-2007

Let me know how you go.

You would be able to point your asa to an radius (IAS) server and define/restrict access via a policy based on groups etc.

The only compelling reasons I can come up with are around the overall design and being able to restrict access to resources via the firewall.

Again the design of this could be achieved soley on the placement of your windows vpn server.

Does it let you restrict access to specific protocols and applications via subnets/hosts?

T

benhanson · ‎12-10-2007

Yes it does. I can't speak to performance(no comparative testing), but RRAS is actually a pretty flexible and intuitive part of Windows server. Access profiles can restrict based on network address, protocol, physical connection type.

I also only average about 4-5 VPN users at any given time, so for all I know the server might die if 50 people were having to connect simultaneously. That might be the Windows catch.