unable to connect to VPN server with Port redirection

Unanswered Question
Aug 19th, 2008

Hi. I am trying to forward traffic to our VPN server. The device is an ASA 5505 running v7.2.

I have followed these directions from Cisco that were taken from the URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

I even tried to set up a VPN server on the ASA, just to test, using a simple pre-shared key.

Here is my config:

dns server-group DefaultDNS
domain-name *-
access-list outside_access_in extended permit gre any host x.x.x.26
access-list outside_access_in extended permit tcp any host x.x.x.26 eq pptp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.0.40-192.168.0.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.104.0 255.255.255.0 192.168.0.249 1
route inside 192.168.107.0 255.255.255.0 192.168.0.251 1
route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.0.2 192.168.0.3
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value *.com
username * password privilege 0
username * attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:xxx
: end
nyhq-asa00#

ghylandcit Wed, 08/20/2008 - 05:56

Sorry,

Yes, I am using PPTP on a Microsoft 2003 server set up for VPN. From what I gather, the only two ports you need to worry about are TCP PPTP (1723) and IP GRE (47). I can connect to the server from a computer when I try inside, and it works fine. It's just that the ports don't seem to be forwarding. I tried to just forward 3389 (Remote Desktop) to another server, and I still had an issue. I have done this successfully on an older PIX, but this is my first time with an ASA.

acomiskey Wed, 08/20/2008 - 07:19

Is x.x.x.26 also your outside interface address? If so, change

static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255

to

static (inside,outside) interface 192.168.0.20 netmask 255.255.255.255
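A check for the mismatch acomiskey points at, as an added example (not code from the thread or from Cisco): it parses the relevant ASA 7.x lines, flags a static whose global address equals the outside interface IP, and confirms the inbound ACL permits the GRE and TCP 1723 flows PPTP needs. The sample config, the 203.0.113.26 address standing in for the thread's masked x.x.x.26, and the outside interface block (not in the post) are constructed assumptions.

```python
import re

# Constructed sample modelled on the thread's config; x.x.x.26 becomes a
# documentation address and the outside interface (not posted) is assumed to use it.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 203.0.113.26 255.255.255.248
access-list outside_access_in extended permit gre any host 203.0.113.26
access-list outside_access_in extended permit tcp any host 203.0.113.26 eq pptp
static (inside,outside) 203.0.113.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# The two flows PPTP needs through the firewall: GRE (IP 47) and TCP 1723.
PPTP_FLOWS = {("gre", None), ("tcp", "pptp")}

def parse_asa(text):
    """Extract outside IP, statics, ACL entries and the inbound ACL name."""
    cfg = {"outside_ip": None, "statics": [], "acl": {}, "inbound_acl": None}
    nameif = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+", line)) and nameif == "outside":
            cfg["outside_ip"] = m.group(1)
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+)", line):
            cfg["statics"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?$", line):
            cfg["acl"].setdefault(m.group(1), set()).add((m.group(3), m.group(2), m.group(4)))
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            cfg["inbound_acl"] = m.group(1)
    return cfg

def check_pptp_forward(text):
    """Return findings (empty list = static and inbound ACL look consistent)."""
    cfg = parse_asa(text)
    findings = []
    for glob, local in cfg["statics"]:
        if glob == cfg["outside_ip"]:
            findings.append(f"static for {local} names the outside interface "
                            f"address {glob}; use the 'interface' keyword instead")
        dst = cfg["outside_ip"] if glob == "interface" else glob
        acl = cfg["acl"].get(cfg["inbound_acl"], set())
        permitted = {(proto, port) for (d, proto, port) in acl if d == dst}
        for proto, port in sorted(PPTP_FLOWS - permitted, key=str):
            findings.append(f"inbound ACL does not permit {proto}"
                            f"{' eq ' + port if port else ''} to {dst}")
    return findings
```

Run `check_pptp_forward(SAMPLE_CONFIG)` to see the one finding for the posted static; with the `interface` form it returns an empty list.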
