06-21-2014 05:06 AM - edited 03-11-2019 09:21 PM
Hi all,
I have a simple setup with a dsl modem (interface xxx.xxx.xxx.96/29) in front of an ASA5505 and a couple of servers on the inside network. Currently, I need to be able to connect via vpn to one internal server, but my setup is not working correctly. I have followed every instruction I could find here without success and I am therefore adding this question.
Could somebody please advise me how to proceed?
Thanks in advance!
Regards,
/Micael
The relevant logs:
6 Jun 21 2014 13:15:41 302013 90.231.136.212 51792 192.168.1.2 1723 Built inbound TCP connection 3502 for outside:90.231.136.212/51792 (90.231.136.212/51792) to inside:192.168.1.2/1723 (xxx.xxx.xxx.98/1723)
6 Jun 21 2014 13:15:41 305011 192.168.1.2 9260 xxx.xxx.xxx.98 10140 Built dynamic GRE translation from inside:192.168.1.2/9260 to outside:xxx.xxx.xxx.98/10140
6 Jun 21 2014 13:15:41 305011 192.168.1.2 1723 xxx.xxx.xxx.98 48506 Built dynamic GRE translation from inside:192.168.1.2/1723 to outside:xxx.xxx.xxx.98/48506
6 Jun 21 2014 13:15:41 302017 90.231.136.212 192.168.1.2 9260 Built inbound GRE connection 3503 from outside:90.231.136.212 (90.231.136.212) to inside:192.168.1.2/9260 (xxx.xxx.xxx.98/10140)
6 Jun 21 2014 13:16:21 302014 90.231.136.212 51792 192.168.1.2 1723 Teardown TCP connection 3502 for outside:90.231.136.212/51792 to inside:192.168.1.2/1723 duration 0:00:39 bytes 748 TCP FINs
6 Jun 21 2014 13:16:21 302018 192.168.1.2 90.231.136.212 32772 Teardown GRE connection 3504 from inside:192.168.1.2 to outside:90.231.136.212/32772 duration 0:00:39 bytes 820
6 Jun 21 2014 13:16:21 302018 90.231.136.212 192.168.1.2 9260 Teardown GRE connection 3503 from outside:90.231.136.212 to inside:192.168.1.2/9260 duration 0:00:39 bytes 210
My config:
: Saved
:
ASA Version 8.3(1)
!
hostname Test-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.98 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network server
host 192.168.1.2
description server
object network server-pptp
host 192.168.1.2
object-group service acl-svc-grp-2server tcp
port-object eq pptp
access-list outside_access_in extended permit tcp any object server object-group acl-svc-grp-2server
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network server-pptp
nat (inside,outside) static interface service tcp pptp pptp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.121 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username micael password ZzvqnzERi4vjZ7Ns encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:373b23b5c306c8bd2dcc2324fdd19299
: end
no asdm history enable
06-21-2014 10:35 AM
Hi,
PPTP requires 1723 & GRE to be allowed to make this work in a bidirectional way.
Inspect PPTP is required and you already have that. So try to allow GRE as well to the server.
Also, can you try correcting your ACL with the public IP as destination, where you mentioned the real IP of the server?
With respect to NAT, you have configured it correctly.
HTH
Regards
Karthik
06-21-2014 11:09 AM
In ASA 8.3 and later you do not need to include GRE...just the PPTP port. You might want to try changing the ACL to the following.
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq 1723
access-group outside_access_in in interface outside
--
Please remember to select a correct answer and rate helpful posts
06-21-2014 11:42 AM
Thanks for the suggestion, but it gives me the same result.
Could you elaborate a bit on how this could be different from my acl?
The packet traces (outside, 90.231.36.212:1723 192.168.1.2:1723) give me the error message: (acl-drop) Flow is denied by configured rule
Any other suggestions?
Regards,
/Micael
06-21-2014 12:53 PM
What source and destination port are you using for the packet tracer?
Also, what source IP and destination IP did you use and what was the source interface?
When doing the packet tracer the destination IP should be the public IP that the server is NATed to. If you used the private IP then that might be the reason for the RFP error.
The ACL is essentially the same as the one you had, but I was thinking that the ASA might have had issues...for whatever reason...matching on that ACL.
Your configuration looks correct. Have you considered that the issue might be on the PPTP server?
--
Please remember to select a correct answer and rate helpful posts
06-21-2014 01:29 PM
Thank you for taking your time with this!
I was trying to write short-hand notation... 192.168.1.2:1723, i.e. port 1723, but you are of course correct, it should be the public IP, and then I get a correct trace.
Nevertheless, the VPN connection starts up, as can be seen in the logs in my original post, but then gets stuck in the "verifying user name and password" step.
Can I get more information from the log?
I have no issues with the VPN connection when I bypass the firewall.
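As an added example (not from the original thread or from Cisco), here is a small Python script that parses the ASA 3020xx connection messages quoted in the original post and, per remote peer, reports which stage is failing: the TCP/1723 control session, the GRE pinhole, or the PPP exchange carried inside GRE. The sample log is the one posted above; the 2000-byte threshold, the record layout and the verdict wording are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the six ASA syslog lines quoted in the original post, as pasted from the log viewer.
LOG = """\
6 Jun 21 2014 13:15:41 302013 90.231.136.212 51792 192.168.1.2 1723 Built inbound TCP connection 3502 for outside:90.231.136.212/51792 (90.231.136.212/51792) to inside:192.168.1.2/1723 (xxx.xxx.xxx.98/1723)
6 Jun 21 2014 13:15:41 305011 192.168.1.2 9260 xxx.xxx.xxx.98 10140 Built dynamic GRE translation from inside:192.168.1.2/9260 to outside:xxx.xxx.xxx.98/10140
6 Jun 21 2014 13:15:41 302017 90.231.136.212 192.168.1.2 9260 Built inbound GRE connection 3503 from outside:90.231.136.212 (90.231.136.212) to inside:192.168.1.2/9260 (xxx.xxx.xxx.98/10140)
6 Jun 21 2014 13:16:21 302014 90.231.136.212 51792 192.168.1.2 1723 Teardown TCP connection 3502 for outside:90.231.136.212/51792 to inside:192.168.1.2/1723 duration 0:00:39 bytes 748 TCP FINs
6 Jun 21 2014 13:16:21 302018 192.168.1.2 90.231.136.212 32772 Teardown GRE connection 3504 from inside:192.168.1.2 to outside:90.231.136.212/32772 duration 0:00:39 bytes 820
6 Jun 21 2014 13:16:21 302018 90.231.136.212 192.168.1.2 9260 Teardown GRE connection 3503 from outside:90.231.136.212 to inside:192.168.1.2/9260 duration 0:00:39 bytes 210
"""

# Matches the 3020xx Built/Teardown connection messages; 305011 xlate lines fall through unmatched.
CONN = re.compile(r"^\d \w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d \d{6} .*?(?P<event>Built|Teardown) "
                  r"(?:inbound |outbound )?(?P<proto>TCP|GRE) connection (?P<cid>\d+) (?P<rest>.*)$")
OUTSIDE = re.compile(r"outside:(\d+\.\d+\.\d+\.\d+)")         # remote PPTP client, whichever side of "to" it is on
INSIDE_PORT = re.compile(r"inside:\d+\.\d+\.\d+\.\d+/(\d+)")  # real (pre-NAT) server port; 1723 marks the control session
TEARDOWN = re.compile(r"duration (\d+:\d\d:\d\d) bytes (\d+)")  # only teardown messages carry duration and byte count

def parse(log):
    """Fold Built/Teardown lines into one record per ASA connection id (peer, inside port, duration, bytes)."""
    conns = {}
    for m in filter(None, map(CONN.match, log.splitlines())):
        c = conns.setdefault(m["cid"], {"proto": m["proto"], "peer": None, "port": None, "duration": None, "bytes": None})
        peer, port, t = OUTSIDE.search(m["rest"]), INSIDE_PORT.search(m["rest"]), TEARDOWN.search(m["rest"])
        c["peer"] = peer.group(1) if peer else c["peer"]
        c["port"] = int(port.group(1)) if port else c["port"]
        if m["event"] == "Teardown" and t:
            c["duration"], c["bytes"] = t.group(1), int(t.group(2))
    return conns

def diagnose(conns, min_bytes=2000):
    """Per remote peer: did TCP/1723 get through, did GRE follow it, and did real data flow inside GRE?"""
    by_peer = defaultdict(lambda: {"control": [], "gre": []})
    for c in conns.values():
        if c["proto"] == "TCP" and c["port"] == 1723:
            by_peer[c["peer"]]["control"].append(c)
        elif c["proto"] == "GRE":
            by_peer[c["peer"]]["gre"].append(c)
    verdicts = {}
    for peer, s in by_peer.items():
        closed = [c["bytes"] for c in s["gre"] if c["bytes"] is not None]  # byte counts of torn-down GRE flows
        if not s["gre"]:
            verdicts[peer] = "TCP/1723 control session but no GRE: the ASA is not opening the GRE pinhole (inspect pptp)"
        elif closed and max(closed) < min_bytes:  # assumed threshold: a working PPP session moves far more than this
            verdicts[peer] = "GRE built but torn down after little data: the ASA passed the tunnel, PPP auth stalled inside it"
        else:
            verdicts[peer] = "PPTP session carried data through the ASA"
    return verdicts
```

For the posted log the verdict is the third case: both the control session and GRE were built through the ASA, but only a few hundred bytes crossed before teardown, which points at the PPTP server or the client path rather than the firewall rules.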
06-21-2014 01:39 PM
You could try a packet capture on the ASA on the inside and outside interface for traffic between the two machines. Not sure if you will get much more info there, but could be worth looking at.
Other than that, have you also looked at the logs on the PPTP server? Perhaps there is something in there that might indicate what is going wrong.
--
Please remember to select a correct answer and rate helpful posts
06-21-2014 02:37 PM
Ok, I will look more closely into the logs on the PPTP server and get back to you tomorrow; it's getting late in Sweden!
06-22-2014 09:14 AM
So, here comes my update.
A "write erase" and "reload" without "Pre-configure..", followed by a new setup from scratch at the site, solved the issues.
I cannot really tell what the reason was that it didn't work yesterday, but it might have been related to the 4G modem I was connecting my client from, or the NAT I was using in my VMware client setup.
Thank you very much for the suggestions!
Regards,
/Micael
06-22-2014 12:36 PM
Interesting... Glad you got it working. And thanks for the rating.