Community Member

ASA 5510 not allowing PPTP traffic from inside device to external server

Hey Guys,

So I've tried everything to get this to work with no joy. I'm hoping someone out here can help me.

Essentially we have inside clients running XP and Vista using the PPTP client to connect to a VPN server outside. The connections always fail (but are successful from other networks).

The log entries are:

4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed

5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]

4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry

3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!

4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed

Please see the attached running config.

Thanks guys!

10 REPLIES

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

By other networks, you mean other networks behind the ASA or other networks outside the ASA? Go ahead and increase the log on your ASA since it does not show that there is something wrong on the specific log.

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

By other networks I mean other networks not behind the ASA.

And that log output is showing all log messages up to level 7. Are you sure those messages on the log output aren't problematic?

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

The only log that shows reference to a PPTP connection is the following:

3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]

The rest of the lines are related to a vpn connection not being established.

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Those messages all appear with the connection attempt, though. They aren't a separate issue. Every time the client tries to connect, those 5 messages appear in the log.

Should I try turning off PPTP inspection maybe?
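The two replies above disagree on whether the 713xxx (IKE) messages belong to the PPTP attempt or to an unrelated VPN peer. The script below is an added example, not code from the thread or from Cisco: it parses the six syslog lines quoted in the original post (the only sample input), labels each line as PPTP control channel (tcp/1723), GRE, or IKE, and reports which IKE messages to the same peer fall within a short window of each tcp/1723 ACL hit. The function names and the 2-second window are assumptions for illustration.

```python
"""Correlate ASA syslog lines for a PPTP attempt with nearby IKE (713xxx) messages.

Added example for this thread, not from the original post or from Cisco. The
sample lines are the ones quoted in the thread; function names and the window
are assumptions.
"""
import re
from datetime import datetime, timedelta

# The six lines pasted in the original post (ASA syslog, timestamps enabled).
SAMPLE_LOG = """\
4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed
5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]
4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry
3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!
4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed
"""

# <severity> <Mon> <day> <year> <HH:MM:SS> <6-digit message id> <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
# 106100 body: access-list NAME permitted|denied PROTO IF/SRC(PORT) -> IF/DST(PORT) ...
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/ ]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/ ]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
PEER_RE = re.compile(r"IP = (?P<peer>[\d.]+)")  # IKE messages name the remote peer this way
PPTP_CONTROL_PORT = 1723


def classify(rec):
    """Label a parsed record: pptp-control (tcp/1723), pptp-data (GRE), ike (713xxx), other."""
    if rec["msgid"] == "106100" and "proto" in rec:
        if rec["proto"] == "tcp" and rec["dport"] == str(PPTP_CONTROL_PORT):
            return "pptp-control"
        if rec["proto"] in ("gre", "47"):
            return "pptp-data"
        return "acl-other"
    if rec["msgid"].startswith("713"):
        return "ike"
    return "other"


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(
        f"{rec['mon']} {rec['day']} {rec['year']} {rec['time']}", "%b %d %Y %H:%M:%S")
    acl = ACL_RE.search(rec["text"])
    if acl:
        rec.update(acl.groupdict())
        rec["peer"] = rec["dst"]          # for an outbound ACL hit the peer is the destination
    else:
        peer = PEER_RE.search(rec["text"])
        rec["peer"] = peer.group("peer") if peer else None
    rec["kind"] = classify(rec)
    return rec


def correlate(log_text, window_seconds=2):
    """For each tcp/1723 ACL hit, gather IKE messages to the same peer within the window
    and note whether any GRE ACL hit to that peer appears anywhere in the excerpt."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    window = timedelta(seconds=window_seconds)
    attempts = []
    for a in (r for r in records if r["kind"] == "pptp-control"):
        near_ike = [r for r in records if r["kind"] == "ike" and r["peer"] == a["peer"]
                    and abs(r["when"] - a["when"]) <= window]
        attempts.append({
            "client": a["src"], "peer": a["peer"], "when": a["when"],
            "ike_msgids": sorted(r["msgid"] for r in near_ike),
            "ike_texts": [r["text"] for r in near_ike],
            "gre_logged": any(r["kind"] == "pptp-data" and r["peer"] == a["peer"] for r in records),
        })
    unrelated = [r for r in records if r["kind"] == "ike" and not any(
        r["peer"] == a["peer"] and abs(r["when"] - a["when"]) <= window for a in attempts)]
    return {"attempts": attempts, "unrelated_ike": len(unrelated)}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for a in result["attempts"]:
        print(f"{a['when']:%H:%M:%S} {a['client']} -> {a['peer']}:{PPTP_CONTROL_PORT} "
              f"IKE msgs in window: {a['ike_msgids']} GRE logged: {a['gre_logged']}")
    print("IKE messages not tied to any PPTP attempt:", result["unrelated_ike"])
```

On the quoted excerpt this reports one attempt at 11:41:40 from 192.168.111.66 with 713903 and 713904 in the same second, and three earlier IKE messages to the same peer with no tcp/1723 hit near them. The GRE flag only says whether a GRE ACL hit appears in the excerpt; 106100 is emitted only for access-list entries configured to log, so a missing GRE line is a prompt to capture more, not proof that GRE is blocked.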

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

I don't think you should do that, do you recognize this ip address 216.13.201.234? is that the server's ip address?

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Yes, that's the server IP.

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Odd. Does this happen to all the clients that try this connection behind this ASA? It seems as if the ASA was intercepting this connection and using it for itself. Can you try this connection again and, while doing this, go ahead and get the "show conn" and "show local-host" output when this occurs?

Client ip is the workstation ip address you are trying from.

If possible go ahead and remove the Crypto map from outside interface while trying this too.

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

What I think is happening is you have the following config for NAT control

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 access-list Inside_nat_outbound

nat (management) 101 0.0.0.0 0.0.0.0

and with this statement

access-list Outside_access_in extended permit tcp any host 216.13.201.234 eq pptp

basically permits any outside (src) traffic to access the dst 216.13.201.234, but then your static

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

is using the interface as the outside address to 192.168.111.224, and the problem is that the interface IP address is not in the same subnet as your destination address.

Interface address = 216.13.219.142 255.255.255.248 while your ACL dst is 216.13.201.234. HTH

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Thanks for this info. Wouldn't

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

be used for incoming PPTP connections to .224?

We are concerned with outgoing connections here to external PPTP servers. I removed that static NAT with no change.

Any other suggestions?

Thank you!!

Community Member

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

My apologies, I misread the post and thought this issue was with incoming connections to .224
