Problems allowing VPN connections

robertovd
Level 1

Good morning!

Sorry, but I am not very familiar with networking, and after reading more posts and making changes based on the recommendations, I still cannot get it to work.

I am trying to configure my ASA 5505 to accept incoming requests on port 1723 and forward them to our Windows VPN machine.

The scenario is the following:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.202 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.244.*.* 255.255.255.224

The VPN machine has 192.168.1.211.

I created the security policies:

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_access_in extended permit icmp host 94.185.144.62 any
access-list outside_access_in extended permit object-group TCPUDP any host 83.244.*.* object-group DM_INLINE_TCPUDP_1
access-list outside_access_in extended permit tcp any host 83.244.*.* eq 1111
access-list outside_access_in extended permit tcp any host 83.244.*.* eq 3389
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any 83.244.*.* 255.255.255.224 eq pptp
access-list outside_access_in extended permit gre any 83.244.*.* 255.255.255.224

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0

According to this, I permit traffic to port 1723 and the GRE protocol for PPTP.

After that, I created the NAT:

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.203 3389 83.244.*.* 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.211 pptp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 83.244.*.* 1

I created two different static NATs because I don't really know which one is the valid one.

We also use the ASA as a DHCP server:

dhcpd auto_config outside
dhcpd option 4 ip 130.88.200.4
dhcpd option 156 ascii ftpservers=192.168.1.203
!
dhcpd address 192.168.1.1-192.168.1.199 inside
dhcpd dns 192.168.1.212 192.168.1.219 interface inside
dhcpd enable inside

The VPN works correctly from the inside network, but it cannot be accessed from outside...

I spent many days reading Cisco articles and changed the configuration many times, but no joy...
Can anybody help me with this?

Thanks a lot!

Have a nice day!
Regards,

rob

6 Replies

Jennifer Halim
Cisco Employee

You might want to remove the following line:

static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255

Also add "inspect pptp" under your global policy.
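
The two changes suggested in this reply, written out as an added example in the pre-8.3 (static/global/nat) syntax used in the question; this is not configuration from the original thread. It assumes 83.244.x.x stands for the masked outside interface address, that the default policy-map names global_policy and inspection_default are in use, and that the two ACL entries already in the question are kept as they are.

```text
! Keep a single static PAT: TCP/1723 on the outside interface address -> the VPN host.
! The reversed (outside,inside) entry is removed; it maps the wrong direction.
no static (outside,inside) tcp 192.168.1.211 pptp 83.244.x.x pptp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.211 pptp netmask 255.255.255.255
!
! The inbound ACL must allow the control channel (TCP/1723) and GRE (IP protocol 47)
! to the mapped, i.e. public, address. Both entries already exist in the question.
access-list outside_access_in extended permit tcp any host 83.244.x.x eq pptp
access-list outside_access_in extended permit gre any host 83.244.x.x
access-group outside_access_in in interface outside
!
! PPTP inspection tracks the call ID negotiated on TCP/1723 and opens the matching
! GRE pinhole through the PAT; without it the GRE data channel has no translation.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Existing translations are not rebuilt until they are cleared.
clear xlate
```

Neither PPTP (TCP/1723) nor GRE needs the `permit udp any any` entry that is also in the posted ACL; that line is much broader than the service requires and can be dropped if nothing else depends on it.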

Thank you for your prompt response, but it didn't do the trick.
I removed the static NAT and enabled PPTP inspection, but no joy...


From the clients, I get an 800 error. I am investigating it.

Thank you for your help!

Regards

Did you also "clear xlate" after removing the static NAT?

Also where is it failing?

Does TCP/1723 connect and GRE fail, or does neither work?

Have you tried to telnet to port 1723 from the outside to the public IP address of the ASA firewall?

Your static NAT uses the ASA outside interface IP address; can you try using a spare public IP address that you have instead?

You would need to configure the following:

static (inside,outside) 83.244.x.x 192.168.1.211 netmask 255.255.255.255

Then "clear xlate" and test it again. Thanks.
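
The test this reply asks for, as an added example that is not part of the original thread: a small probe that connects to TCP/1723, sends a PPTP Start-Control-Connection-Request (SCCRQ, RFC 2637) and decodes the Start-Control-Connection-Reply (SCCRP). It tells apart the cases the reply distinguishes: TCP/1723 does not connect at all, TCP connects but nothing behind it speaks PPTP, or the PPTP server answers, in which case only the GRE data channel (IP protocol 47) is left to check. The target address 192.0.2.1 and the hostnames in the sample reply are constructed placeholders.

```python
"""Minimal PPTP control-channel probe for TCP/1723 (RFC 2637). Added example."""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ, SCCRP = 1, 2         # control message types: request / reply
PROTOCOL_VERSION = 0x0100   # PPTP 1.0
MSG_LEN = 156               # both SCCRQ and SCCRP are 156 bytes long
RESULT_CODES = {1: "ok", 2: "general error", 3: "command channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}


def _pad64(s):
    """Fixed 64-byte, NUL-padded string field (hostname / vendor)."""
    return s[:64].ljust(64, b"\x00")


def build_sccrq(hostname=b"pptp-probe", vendor=b"probe"):
    """Serialise an SCCRQ (RFC 2637 section 2.1)."""
    hdr = struct.pack("!HHIHHHHIIHH",
                      MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ,
                      0,                  # reserved0
                      PROTOCOL_VERSION,
                      0,                  # reserved1
                      0x3, 0x3,           # framing caps async|sync, bearer caps analog|digital
                      0, 1)               # max channels, firmware revision
    return hdr + _pad64(hostname) + _pad64(vendor)


def build_sccrp(result=1, error=0, hostname=b"vpn-server", vendor=b"constructed"):
    """Serialise an SCCRP as a server would; used only for the offline self-check."""
    hdr = struct.pack("!HHIHHHBBIIHH",
                      MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP,
                      0, PROTOCOL_VERSION, result, error, 0x3, 0x3, 0, 1)
    return hdr + _pad64(hostname) + _pad64(vendor)


def parse_sccrp(data):
    """Decode an SCCRP; raises ValueError for anything that is not one."""
    if len(data) < MSG_LEN:
        raise ValueError("short read: %d of %d bytes" % (len(data), MSG_LEN))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _framing, _bearer, _max_ch, _fw) = struct.unpack("!HHIHHHBBIIHH", data[:28])
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message (cookie 0x%08x)" % cookie)
    if ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got control message type %d" % ctrl_type)
    return {"version": version, "result": result, "error": error,
            "result_text": RESULT_CODES.get(result, "unknown(%d)" % result),
            "hostname": data[28:92].rstrip(b"\x00").decode("ascii", "replace"),
            "vendor": data[92:156].rstrip(b"\x00").decode("ascii", "replace")}


def classify_reply(data):
    """Map the bytes read after the SCCRQ to a verdict and a short detail string."""
    if not data:
        return "tcp-open-no-pptp", "peer closed the connection without answering"
    try:
        reply = parse_sccrp(data)
    except ValueError as exc:
        return "tcp-open-no-pptp", str(exc)
    if reply["result"] != 1:
        return "pptp-refused", "%s (error %d)" % (reply["result_text"], reply["error"])
    return "pptp-ok", "%s / %s, PPTP v%d.%d" % (reply["hostname"], reply["vendor"],
                                                 reply["version"] >> 8, reply["version"] & 0xFF)


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Connect, send an SCCRQ, read one SCCRP, classify. Returns (verdict, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                  # refused, filtered or unroutable
        return "tcp-unreachable", str(exc)
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(build_sccrq())
            while len(data) < MSG_LEN:      # the reply may arrive in pieces
                chunk = sock.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError as exc:              # reset or silence after the TCP handshake
            return "tcp-open-no-pptp", str(exc)
    return classify_reply(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder address
    print("%s: %s" % probe(target))
```

Run it from a host outside the firewall against the ASA's public address. A "tcp-unreachable" verdict means the upstream path or the inbound ACL is dropping TCP/1723; "tcp-open-no-pptp" means the port is accepted (which is what a port scanner reports) but the translation does not deliver the connection to a live PPTP service; "pptp-ok" confirms the control channel end to end, so a client that still fails afterwards is failing on GRE, which this probe does not exercise.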

Thanks again!

I cannot use a different public IP address because the firewall is connected to the building's firewall. On the building firewall, port 1723 is already open and the GRE protocol is allowed, and both are forwarded to the outside interface IP address of the Cisco (83.244.*.*).

I tried to telnet to the IP address on port 1723, but it seems it cannot connect; however, a port scan of that IP address shows the port open.

Also, after deleting the static NAT, I executed clear xlate.

Thanks a lot!

Regards

I am trying the pptp-ping tool, and it seems that I am having some problems with the GRE/PPTP packets...

Will try to first solve this issue

Thanks a lot

Thanks a lot, halijenn. I had a problem with the PPTP and GRE traffic. Now it is working fine.


Regards


Robert
