Migrate PIX to ASA - PPTP quits working

Unanswered Question
Apr 29th, 2009

I'm trying to migrate our company's PIX over to an ASA and am having a terrible time getting PPTP VPN to work. I've checked my work against Cisco's PPTP doc (18806) and it looks right every time I check.

Some of our employees connect from home to VPN on the Outside interface and are passed through to the MS PPTP server sitting on the Inside interface.

Here're the relevant PIX portions:

access-list outside_access_in permit tcp any host x.x.x.226 eq pptp

access-list outside_access_in permit gre any host x.x.x.226

static (inside,outside) x.x.x.226 y.y.y.50 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

fixup protocol pptp 1723

Here's the relevant ASA config:

static (inside,outside) x.x.x.226 y.y.y.50 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host x.x.x.226 eq pptp

access-list outside_access_in extended permit gre any host x.x.x.226

access-group outside_access_in in interface outside

policy-map global_policy
 class inspection_default
  inspect pptp

In the ASDM status window, I notice the following when the VPN client is trying to connect to the server:

6|Apr 29 2009|12:03:23|302014|x.x.x.241|21304|y.y.y.50|1723|Teardown TCP connection 138 for outside:x.x.x.241/21304 to inside:y.y.y.50/1723 duration 0:00:30 bytes 0 SYN Timeout

6|Apr 29 2009|12:02:53|302013|x.x.x.241|21304|y.y.y.50|1723|Built inbound TCP connection 138 for outside:x.x.x.241/21304 (x.x.x.241/21304) to inside:y.y.y.50/1723 (x.x.x.229/1723)

This suggests to me that I've got the config at least partially correct, but I have no idea what I've done wrong.

Any suggestions or corrections would be muchly appreciated,

Greg
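
One way to read the two ASDM log lines quoted in the post, as an added example that is not part of the original post: it pairs the 302013 (Built) and 302014 (Teardown) records by connection id, flags a teardown with `SYN Timeout` and 0 bytes (the TCP handshake never completed), and compares the mapped address shown in the Built record with the address in the `static` line. The helper name `analyze`, the regexes, and the reading of the parenthesised field as the mapped (translated) address are assumptions of this example.

```python
import re

# Constructed sample: the two log lines from the post, in chronological order.
SAMPLE = """\
6|Apr 29 2009|12:02:53|302013|x.x.x.241|21304|y.y.y.50|1723|Built inbound TCP connection 138 for outside:x.x.x.241/21304 (x.x.x.241/21304) to inside:y.y.y.50/1723 (x.x.x.229/1723)
6|Apr 29 2009|12:03:23|302014|x.x.x.241|21304|y.y.y.50|1723|Teardown TCP connection 138 for outside:x.x.x.241/21304 to inside:y.y.y.50/1723 duration 0:00:30 bytes 0 SYN Timeout
"""

# interface:address/port; addresses are masked on the page, so allow letters.
EP = r"(\w+):([\w.]+)/(\d+)"
BUILT = re.compile(
    rf"Built (\w+) TCP connection (\d+) for {EP} \(([\w.]+)/\d+\)"
    rf" to {EP} \(([\w.]+)/\d+\)"
)
TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for .*? duration (\S+) bytes (\d+) (.+)$"
)


def analyze(log_text, expected_mapped):
    """Pair Built/Teardown records by connection id and return findings."""
    built, findings = {}, []
    for line in log_text.splitlines():
        fields = line.split("|", 8)  # severity|date|time|id|src|sport|dst|dport|text
        if len(fields) != 9:
            continue
        msg_id, text = fields[3], fields[8]
        if msg_id == "302013" and (m := BUILT.search(text)):
            conn, real, mapped = m.group(2), m.group(8), m.group(10)
            built[conn] = (real, mapped)
            if mapped != expected_mapped:
                findings.append(
                    f"conn {conn}: {real} is translated to {mapped}, "
                    f"not {expected_mapped}"
                )
        elif msg_id == "302014" and (m := TEARDOWN.search(text)):
            conn, duration, nbytes, reason = m.groups()
            if conn in built and reason == "SYN Timeout" and nbytes == "0":
                findings.append(
                    f"conn {conn}: handshake never completed "
                    f"({reason} after {duration}, 0 bytes)"
                )
    return findings


if __name__ == "__main__":
    # x.x.x.226 is the mapped address in the post's static line.
    for finding in analyze(SAMPLE, expected_mapped="x.x.x.226"):
        print(finding)
```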
