Unanswered Question
Mar 4th, 2008

I have two ASAs that connect to the Internet. I don't do any static NATTING on my inside network. My users have been trying to establish a VPN session using Microsoft VPN but without much success.

First Firewall

access-list INSIDE line 244 extended permit tcp host x.x.x.x eq pptp (hitcnt=19)
access-list INSIDE line 246 extended permit gre host x.x.x.x (hitcnt=8)
access-list pptp_inspection line 5 extended permit ip host x.x.x.x(hitcnt=6)

class-map pptp
 description Policy to allow hosts to PPTP
 match access-list pptp_inspection

policy-map pptp
 class pptp
  inspect pptp

policy-map global_policy
 class http-map1
  set connection advanced-options mss-map

policy-map global-policy
 class global-class
  inspect icmp error
  inspect snmp
  inspect icmp
  inspect ftp
  inspect dns
  inspect pptp
 class http-map1
  set connection advanced-options mss-map

The second firewall has pretty much the same configuration.


Tshi M Tue, 03/04/2008 - 13:06

I fixed it. Because of our complex environment, the GRE traffic was being blocked at various points (DMZ switches and Internet router).

