ASA 5510 not allowing PPTP traffic from inside device to external server

graham.fleming
Level 1

Hey Guys,

So I've tried everything to get this to work with no joy. I'm hoping someone out here can help me.

Essentially we have inside clients running XP and Vista using the PPTP client to connect to a VPN server outside. The connections always fail (but are successful from other networks).

The log entries are:

4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed

5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]

4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry

3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!

4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed

Please see the attached running config.

Thanks guys!
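The six log lines quoted above can be parsed and correlated mechanically, which makes it easier to see whether the IKE failures really do accompany each PPTP attempt. The following Python script is an added example, not part of the original post and not a Cisco tool; it embeds the quoted lines as constructed sample input in the "severity, timestamp, message id, text" layout shown above, extracts the fields of the 106100 access-list message and the 7139xx IKE messages, and reports, for each permitted tcp/1723 connection, the IKE messages logged for the same peer IP within a time window. The window length, the function names and the field names are the example's own choices.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample input: the six ASA syslog lines quoted in the post,
# in the "<sev> <Mon DD YYYY HH:MM:SS> <msgid> <text>" layout shown there.
SAMPLE_LOG = """\
4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed
5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]
4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry
3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!
4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed
"""

# Common prefix of every line: severity, timestamp, six-digit message id, body.
HEADER_RE = re.compile(
    r"^(?P<sev>[0-7]) (?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\d{6}) (?P<text>.*)$"
)
# Body of message 106100: "... access-list <name> permitted|denied <proto>
# <if>/<ip>(<port>) -> <if>/<ip>(<port>) ...".
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[^/ ]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/ ]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# Body of the 7139xx IKE messages: "IP = <peer>, <detail>".
IKE_RE = re.compile(r"^IP = (?P<peer>[\d.]+), (?P<detail>.*)$")


@dataclass
class Event:
    severity: int
    when: datetime
    msgid: str
    text: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one ASA syslog line; raise on a layout this example does not know."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ASA log line: {line!r}")
    ev = Event(int(m["sev"]), datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
               m["msgid"], m["text"])
    if ev.msgid == "106100":
        a = ACL_RE.search(ev.text)
        if a:
            ev.fields.update(a.groupdict())
    elif ev.msgid.startswith("7139"):
        k = IKE_RE.match(ev.text)
        if k:
            ev.fields.update(k.groupdict())
    return ev


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def pptp_attempts(events: List[Event]) -> List[Event]:
    """Permitted TCP connections to port 1723, i.e. PPTP control channel setups."""
    return [e for e in events
            if e.msgid == "106100"
            and e.fields.get("action") == "permitted"
            and e.fields.get("proto") == "tcp"
            and e.fields.get("dport") == "1723"]


def correlate(log_text: str, window_s: int = 300) -> List[dict]:
    """For each PPTP attempt, list IKE messages naming the same peer IP
    that were logged within window_s seconds of the attempt."""
    events = parse_log(log_text)
    window = timedelta(seconds=window_s)
    report = []
    for att in pptp_attempts(events):
        ike = [e for e in events
               if e.msgid.startswith("7139")
               and e.fields.get("peer") == att.fields["dst"]
               and abs(e.when - att.when) <= window]
        report.append({
            "when": att.when.isoformat(),
            "src": att.fields["src"], "sport": att.fields["sport"],
            "dst": att.fields["dst"],
            "ike_msgids": [e.msgid for e in ike],
            "ike_details": [e.fields["detail"] for e in ike],
        })
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

Run it with `python3` and it prints one record: the 192.168.111.66:1375 to 216.13.201.234:1723 connection, with all five IKE messages that name that peer. Shrinking the window (for example `correlate(SAMPLE_LOG, window_s=1)`) keeps only the two messages stamped 11:41:40, the same second as the connection. The correlation is by peer IP and time only; it shows that the IKE messages cluster around the PPTP attempt, which is exactly the question the thread goes on to discuss, not that one caused the other.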

10 Replies

Ivan Martinon
Level 7

By other networks, you mean other networks behind the ASA or other networks outside the ASA? Go ahead and increase the log on your ASA since it does not show that there is something wrong on the specific log.

By other networks I mean other networks not behind the ASA.

And that log output is showing all log messages up to level 7. Are you sure those messages on the log output aren't problematic?

The only log that shows reference to a PPTP connection is the following:

3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]

The rest of the lines are related to a vpn connection not being established.

Those messages all appear with the connection attempt, though. They aren't a separate issue. Every time the client tries to connect, those 5 messages appear in the log.

Should I try turning off PPTP inspection maybe?

I don't think you should do that. Do you recognize this IP address 216.13.201.234? Is that the server's IP address?

Yes, that's the server IP.

Odd. Does this happen to all the clients that try this connection behind this ASA? It seems as if the ASA was intercepting this connection and using it for itself. Can you try this connection again and, while doing so, go ahead and get the "show conn" and "show local-host" output when this occurs?

Client IP is the workstation IP address you are trying from.

If possible go ahead and remove the Crypto map from outside interface while trying this too.

sdoremus33
Level 3

What I think is happening is you have the following config for NAT control:

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 access-list Inside_nat_outbound

nat (management) 101 0.0.0.0 0.0.0.0

and with this statement

access-list Outside_access_in extended permit tcp any host 216.13.201.234 eq pptp

basically permits any outside (src) traffic to access the dst 216.13.201.234, but then your static

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

is using the interface as the outside address to 192.168.111.224, and the problem is that the interface IP address is not in the same subnet as your destination address.

Interface address = 216.13.219.142 255.255.255.248 while your ACL dst is 216.13.201.234. HTH

Thanks for this info. Wouldn't

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

be used for incoming PPTP connections to .224?

We are concerned with outgoing connections here to external PPTP servers. I removed that static NAT with no change.

Any other suggestions?

Thank you!!

My apologies, I misread the post and thought this issue was with incoming connections to .224
