ASA Blocking VPN access

Eggzter100
Level 1

Hi all,

I've set up a client to site VPN using a Windows XP client which works fine when connecting wirelessly via a Vodafone dongle. I have just installed a new ASA 5510 in a brand new branch office network. When connecting through the ASA from the new network, it tries to verify and then I get a 619 error and cannot connect. I have added a rule to the outside interface coming in. What do I need to do to let it authenticate?

Regards

Egg


Jennifer Halim
Cisco Employee

What VPN client are you using? Is this IPSec VPN Client or SSL VPN Client? or other type of client (PPTP client)?

Also just want to double check that the VPN connection is passing through the ASA, not terminating on the ASA?

If it's passing through the ASA, and assuming you have configured static NAT, please advise what access-list you have configured to allow access.

I'm just using the Windows XP PPTP client passing through the ASA connecting to a Watchguard FireBox. I have configured NAT as type Dynamic, source any, interface outside, address outside. I have set up an access-list (outside incoming) allowing the remote network to the internal network for IP and the default inside any IP to any less secure networks.

Can you check if inspect pptp is enabled under the global policy map, although I think that maybe if you were connecting to a pptp server on the outside from the inside, and since you have an outside acl then it should work. Try setting the logging level to debug and check the logs to see if anything weird is happening. In any case give the following link a check.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Well, what do you mean by you configure dynamic NAT on the outside? That will not work.

Assuming that the connection is inbound from outside to inside (low to high security level), you would need to configure static translation.

For example:

If your PPTP server ip is 10.1.1.1, and translated to 200.1.1.1, you should configure the following:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 200.1.1.1 eq 1723

access-group outside in interface outside

Then add "inspect pptp" in your global policy map as KWillacey advised earlier.

Hope that helps.

Sorry, to clarify, I'm using ASA ver 8.2(1). I have set up my nat as follows:

nat (inside) 101 0.0.0.0 0.0.0.0

global (outside) 101 interface

Do I need to set up a static nat as well?

Yes, you definitely need a static NAT for the PPTP server.

It's a bit slow but all is working now after adding inspect pptp to the global_policy. According to the link posted earlier, you do not need to define a static mapping because the ASA 8.0 now inspects PPTP traffic. You can use PAT or define a static mapping. Thanks for all your help.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Commands to Add for Versions 7.x and 8.0 using inspection

Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:

  1. Add PPTP inspection to the default policy-map using the default class-map.

     pixfirewall(config)#policy-map global_policy
     pixfirewall(config-pmap)#class inspection_default
     pixfirewall(config-pmap-c)#inspect pptp

  2. You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
     pixfirewall(config)#global (outside) 1 interface

OR

Commands to Add for Versions 7.x and 8.0 using ACL

Complete these steps to add commands for versions 7.x and 8.0 using ACL.

  1. Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.

     pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0

  2. Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

     pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
     pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723

  3. Apply the ACL.

     pixfirewall(config)#access-group acl-out in interface outside
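As an added illustration (not from the thread or from Cisco), a small Python audit that reads an ASA 8.2-style running-config excerpt and reports which of the two approaches discussed above it satisfies: inspect pptp under the default class of global_policy (sufficient for outbound PPTP), and the one-to-one static plus a tcp/1723 and GRE ACL bound inbound on outside that an inbound PPTP server also needs. The config text, interface and ACL names and addresses are constructed for the example.

```python
import re
# Constructed ASA 8.2-style running-config excerpt for the example (not a real device's config).
SAMPLE_CONFIG = """access-list outside_in extended permit tcp any host 200.1.1.1 eq 1723
access-list outside_in extended permit gre any host 200.1.1.1
access-group outside_in in interface outside
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
global (outside) 101 interface
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
"""

def has_pptp_inspection(config):
    """True if 'inspect pptp' sits under class inspection_default of policy-map global_policy."""
    in_policy = in_class = False
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: leaves any policy-map block
            in_policy = line.strip() == "policy-map global_policy"
            in_class = False
        elif in_policy and line.startswith(" class "):
            in_class = line.strip() == "class inspection_default"
        elif in_policy and in_class and line.strip() == "inspect pptp":
            return True
    return False

def inbound_pptp_static(config, server_ip):
    """Return the mapped outside address of a one-to-one static for server_ip, else None."""
    pattern = r"^static \(inside,outside\) (\S+) %s netmask 255\.255\.255\.255" % re.escape(server_ip)
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def inbound_pptp_acl_ok(config, mapped_ip):
    """True if the ACL applied inbound on 'outside' permits tcp/1723 and GRE to mapped_ip."""
    m = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    if not m:
        return False
    acl, ip = re.escape(m.group(1)), re.escape(mapped_ip)
    tcp = re.search(rf"^access-list {acl} .*permit tcp \S+ host {ip} eq (1723|pptp)$", config, re.M)
    gre = re.search(rf"^access-list {acl} .*permit gre \S+ host {ip}$", config, re.M)
    return bool(tcp and gre)

def pptp_passthrough_status(config, server_ip):
    """Outbound PPTP needs only inspection; an inbound PPTP server also needs static + ACL."""
    mapped = inbound_pptp_static(config, server_ip)
    return {"inspect_pptp": has_pptp_inspection(config),
            "static_mapped_ip": mapped,
            "inbound_acl_ok": mapped is not None and inbound_pptp_acl_ok(config, mapped)}
```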

Correct for outbound PPTP connection. For inbound PPTP connection, you would still need to configure static NAT.

Hi,

Outbound PPTP is not working with the below-mentioned config. Do I need to add anything apart from this?

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

Regards

Kumar

Check the notes for PPTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1432892

Are you getting any errors?

Federico.

Hi,

Thanks for the immediate response. Where/how do I check for errors? Are you asking about errors on the client side or the ASA side?

Regards

kumar

Yes,

You're saying that outbound PPTP is not working through the ASA.

Are you getting any messages either on the client or server side?

Is the PPTP server "inside" or "outside" the ASA?

Federico.
