Problems allowing VPN connections

Answered Question
Aug 12th, 2010

Good morning!


Sorry, but I am not very networking-oriented, and after checking more posts and making changes following the recommendations, I cannot get it to work.


I am trying to configure my ASA 5505 to accept incoming requests on port 1723 and forward them to our Windows VPN server.


The scenario is the following:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.202 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.244.*.* 255.255.255.224


The VPN machine has 192.168.1.211.


I created the security policies:


access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_access_in extended permit icmp host 94.185.144.62 any
access-list outside_access_in extended permit object-group TCPUDP any host 83.244.*.* object-group DM_INLINE_TCPUDP_1
access-list outside_access_in extended permit tcp any host 83.244.*.* eq 1111
access-list outside_access_in extended permit tcp any host 83.244.*.* eq 3389
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any 83.244.*.* 255.255.255.224 eq pptp
access-list outside_access_in extended permit gre any 83.244.*.* 255.255.255.224

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0


According to this, I permit traffic to port 1723 and the GRE service for PPTP.


After that, I created the NAT:


global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.203 3389 83.244.*.* 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.211 pptp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 83.244.*.* 1


I created 2 different static NATs because I don't really know which one is the valid one.


We also use the ASA as a DHCP server:


dhcpd auto_config outside
dhcpd option 4 ip 130.88.200.4
dhcpd option 156 ascii ftpservers=192.168.1.203
!
dhcpd address 192.168.1.1-192.168.1.199 inside
dhcpd dns 192.168.1.212 192.168.1.219 interface inside
dhcpd enable inside


The VPN is working correctly from the inside network, but it cannot be accessed from outside...


I spent many days reading Cisco articles and changed the configuration many times, but no joy...
Can anybody help me with this?


Thanks a lot!


Have a nice day!
Regards,

rob

Jennifer Halim (Cisco Employee) Thu, 08/12/2010 - 04:49

You might want to remove the following line:

static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255


And also add "inspect pptp" under your global policy.

robertovd Thu, 08/12/2010 - 05:57

Thank you for your prompt response, but that didn't do the trick.
I removed the static NAT and enabled the PPTP inspection, but no joy...


From the clients, I get an 800 error. I am investigating it.


Thank you for your help!


Regards

Correct Answer
Jennifer Halim (Cisco Employee) Thu, 08/12/2010 - 06:04

Did you also "clear xlate" after removing the static NAT?


Also where is it failing?


Does TCP/1723 connect and GRE fails, or is neither working?

Have you tried to telnet on port 1723 from the outside towards the public IP address of the ASA firewall?


Your static NAT uses the ASA outside interface IP address; can you try to use a spare public IP address that you have instead?


You would need to configure the following:

static (inside,outside) 83.244.x.x 192.168.1.211 netmask 255.255.255.255


Then "clear xlate" and test it again. Thanks.
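As an added example (not from this thread or from Cisco), a small Python probe that separates the two stages Jennifer asks about: whether TCP/1723 accepts a connection through the forwarded NAT at all, and whether a PPTP server actually answers the Start-Control-Connection-Request on it (message layout per RFC 2637). It does not exercise GRE (IP protocol 47), which has to be verified separately; the hostname and vendor strings are arbitrary values chosen here.

```python
import socket
import struct
import sys

MAGIC_COOKIE, CTRL_MSG = 0x1A2B3C4D, 1   # RFC 2637 control-message framing
SCCRQ, SCCRP, VERSION = 1, 2, 0x0100     # request/reply types, protocol 1.0
CTRL_LEN = 156                           # fixed size of SCCRQ and SCCRP

def build_sccrq(hostname=b"probe", vendor=b"check"):
    # Start-Control-Connection-Request, the first message a PPTP client sends
    return struct.pack("!HHIHHHHIIHH64s64s", CTRL_LEN, CTRL_MSG, MAGIC_COOKIE,
                       SCCRQ, 0, VERSION, 0,
                       1, 1, 1, 0,   # framing caps, bearer caps, max channels, firmware
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def parse_sccrp(data):
    # Parse a Start-Control-Connection-Reply; ValueError if it is not one
    if len(data) < CTRL_LEN:
        raise ValueError("short PPTP control message")
    (_, msg_type, cookie, ctrl_type, _, version, result, error,
     _, _, _, _, host, vendor) = struct.unpack("!HHIHHHBBIIHH64s64s", data[:CTRL_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MSG or ctrl_type != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {"ok": result == 1,   # result 1 = successful channel establishment
            "result": result, "error": error, "version": version,
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}

def probe(host, port=1723, timeout=5.0):
    # Stage 1: plain TCP connect (what the suggested telnet test checks)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "stage": "tcp-connect", "reason": str(exc)}
    # Stage 2: does a real PPTP server answer behind the forwarded port?
    with sock:
        try:
            sock.sendall(build_sccrq())
            buf = b""
            while len(buf) < CTRL_LEN:
                chunk = sock.recv(CTRL_LEN - len(buf))
                if not chunk:
                    raise ValueError("peer closed before replying")
                buf += chunk
            return dict(parse_sccrp(buf), stage="sccrp")
        except (OSError, ValueError) as exc:
            return {"ok": False, "stage": "sccrp", "reason": str(exc)}

if __name__ == "__main__":
    print(probe(sys.argv[1]))   # usage: python probe.py <public ip of the ASA>
```

A "tcp-connect" failure points at the ACL or static NAT; an "sccrp" failure with the TCP connect succeeding means the port is open but nothing PPTP-aware is answering behind it.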

robertovd Thu, 08/12/2010 - 06:17

Thanks again!

I cannot use a different public IP address because the firewall is connected to the firewall of the building. On the building firewall, port 1723 is already open, the GRE protocol is allowed, and the traffic is forwarded to the outside interface IP address of the Cisco (83.244.*.*).


I tried to telnet to the IP address on port 1723, but it seems it cannot connect; however, doing a port scan on that IP address shows the port open.


Also, after deleting the static nat, I executed the clear xlate.


Thanks a lot!


Regards

robertovd Thu, 08/12/2010 - 08:10

I am trying the pptp-ping tool, and it seems that I am having some problems with the GRE/PPTP packets...

Will try to first solve this issue


Thanks a lot

robertovd Fri, 08/13/2010 - 00:16

Thanks a lot halijenn. I had a problem with the PPTP and GRE traffic. Now it is working fine.


Regards


Robert
