Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Cannot access internal PPTP Server!

Hi All, pulling my hair out on this one...  We have an internal PPTP server that works fine when I access it via internal subnet.  However, I cannot get access from an external IP via our ASA 5505.  I've tried enabling/disabling PPTP Fixup as well as many different config changes, but it will not work.  I even upgraded from 8.4.5 to 9.1.4.  I also called the PPTP server vendor and they said that there's nothing special needed for their pptp server so I'm stumped.  Debug doesn't show anything too descriptive.  The last line says teardown GRE connection and then the windows vpn client says it could not connect.  

The pertinent current config is below, am I missing anything obvious?  Thanks!

--------------------------------------------------

ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.77.77.117 255.255.255.248
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network pptp-server
 host 192.168.0.3
object network Ext-IP-113
 host 77.77.77.113
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
 service-object udp destination eq isakmp
 service-object esp
access-list outside_access_in extended permit tcp any4 object pptp-server object-group DM_INLINE_TCP_1
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
nat (outside,inside) source static any interface destination static Ext-IP-113 pptp-server
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.77.77.118 1
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
 

 

2 REPLIES
VIP Purple

What is the content of the

  1. What is the content of the object-group "DM_INLINE_TCP_1"? I don't see that in the config.
  2. I would configure the NAT in the more traditional way instead of the destination-style you are using:

object network pptp-server
  host 192.168.0.3
  nat (inside,outside) static Ext-IP-113

 

And consider to migrate to SSL or IPsec VPNs. PPTP is not state of the art any more and in a security-sensitive environment I would consider PPTP more or less as cleartext.

 

New Member

Hi Karsten, I considered

Hi Karsten, I considered using the ASA to teminate VPN, but the person requesting this is doing a special project that involves a Tripp Lite Console server, which includes a pptp vpn server.  I'll ask if we can instead terminate vpn access at ASA.  Also, I somehow left that info out while cleaning the config.  I have a few other ports open to this console server that can be closed if the vpn worked.  Thanks!   >

 

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network pptp-server
 host 192.168.0.3
object network Ext-IP-113
 host 77.77.77.113
object-group service Console-Range-2 tcp
 port-object range 2001 2016
 port-object range 3001 3016
object-group service DM_INLINE_TCP_1 tcp
 group-object Console-Range-2
 port-object eq https
 port-object eq ftp
 port-object eq ssh
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
 service-object udp destination eq isakmp
 service-object esp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object pptp-server
access-list outside_access_in extended permit tcp any4 object pptp-server object-group DM_INLINE_TCP_1

 

 

EDIT:  Karsten, as an update, I tried removing the current NAT and tried your suggestion, but no luck and it actually broke https access to the internal server so I put it back the way it was.  I also noticed this in the config >

"

Warning: All traffic destined to the ip address of the inside interface is being redirected

Warning: Users may not be able to access any service enabled on the inside interface

"

What exactly does this mean? 

151
Views
0
Helpful
2
Replies
CreatePlease to create content