vpn passthrough outside to inside asa 5505

micael.baudin
Level 1

Hi all,

I have a simple setup with a dsl modem (interface xxx.xxx.xxx.96/29) in front of an ASA5505 and a couple of servers on the inside network. Currently, I need to be able to connect via vpn to one internal server, but my setup is not working correctly. I have followed every instruction I could find here without success and I am therefore adding this question.

Could somebody please advise me how to proceed?

Thanks in advance!

Regards,

/Micael

The relevant logs:

6    Jun 21 2014    13:15:41    302013    90.231.136.212    51792    192.168.1.2    1723    Built inbound TCP connection 3502 for outside:90.231.136.212/51792 (90.231.136.212/51792) to inside:192.168.1.2/1723 (xxx.xxx.xxx.98/1723)
6    Jun 21 2014    13:15:41    305011    192.168.1.2    9260    xxx.xxx.xxx.98    10140    Built dynamic GRE translation from inside:192.168.1.2/9260 to outside:xxx.xxx.xxx.98/10140
6    Jun 21 2014    13:15:41    305011    192.168.1.2    1723    xxx.xxx.xxx.98    48506    Built dynamic GRE translation from inside:192.168.1.2/1723 to outside:xxx.xxx.xxx.98/48506
6    Jun 21 2014    13:15:41    302017    90.231.136.212        192.168.1.2    9260    Built inbound GRE connection 3503 from outside:90.231.136.212 (90.231.136.212) to inside:192.168.1.2/9260 (xxx.xxx.xxx.98/10140)
6    Jun 21 2014    13:16:21    302014    90.231.136.212    51792    192.168.1.2    1723    Teardown TCP connection 3502 for outside:90.231.136.212/51792 to inside:192.168.1.2/1723 duration 0:00:39 bytes 748 TCP FINs
6    Jun 21 2014    13:16:21    302018    192.168.1.2        90.231.136.212    32772    Teardown GRE connection 3504 from inside:192.168.1.2 to outside:90.231.136.212/32772 duration 0:00:39 bytes 820
6    Jun 21 2014    13:16:21    302018    90.231.136.212        192.168.1.2    9260    Teardown GRE connection 3503 from outside:90.231.136.212 to inside:192.168.1.2/9260 duration 0:00:39 bytes 210

My config:

: Saved
:
ASA Version 8.3(1)
!
hostname Test-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.98 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network server
 host 192.168.1.2
 description server
object network server-pptp
 host 192.168.1.2
object-group service acl-svc-grp-2server tcp
 port-object eq pptp
access-list outside_access_in extended permit tcp any object server object-group acl-svc-grp-2server
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network server-pptp
 nat (inside,outside) static interface service tcp pptp pptp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.121 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username micael password ZzvqnzERi4vjZ7Ns encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:373b23b5c306c8bd2dcc2324fdd19299
: end

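Added example, not part of the original post: a small Python parser for the ASA syslog lines quoted above. It pairs the Built/Teardown records (302013/302014 for TCP, 302017/302018 for GRE) by connection ID and answers the question the thread is really asking: did both PPTP flows, the TCP/1723 control channel and the GRE data channel that `inspect pptp` opens dynamically, actually cross the firewall? The sample lines are constructed from the post's logs in ASDM's tab-separated export layout (one 305011 line omitted).

```python
import re

# Constructed sample: the ASA log lines quoted in the post, in ASDM's tab-separated export
# layout (severity, date, time, message ID, src IP, src port, dst IP, dst port, message text).
SAMPLE_LOGS = [
    "6\tJun 21 2014\t13:15:41\t302013\t90.231.136.212\t51792\t192.168.1.2\t1723\tBuilt inbound TCP connection 3502 for outside:90.231.136.212/51792 (90.231.136.212/51792) to inside:192.168.1.2/1723 (xxx.xxx.xxx.98/1723)",
    "6\tJun 21 2014\t13:15:41\t305011\t192.168.1.2\t9260\txxx.xxx.xxx.98\t10140\tBuilt dynamic GRE translation from inside:192.168.1.2/9260 to outside:xxx.xxx.xxx.98/10140",
    "6\tJun 21 2014\t13:15:41\t302017\t90.231.136.212\t\t192.168.1.2\t9260\tBuilt inbound GRE connection 3503 from outside:90.231.136.212 (90.231.136.212) to inside:192.168.1.2/9260 (xxx.xxx.xxx.98/10140)",
    "6\tJun 21 2014\t13:16:21\t302014\t90.231.136.212\t51792\t192.168.1.2\t1723\tTeardown TCP connection 3502 for outside:90.231.136.212/51792 to inside:192.168.1.2/1723 duration 0:00:39 bytes 748 TCP FINs",
    "6\tJun 21 2014\t13:16:21\t302018\t192.168.1.2\t\t90.231.136.212\t32772\tTeardown GRE connection 3504 from inside:192.168.1.2 to outside:90.231.136.212/32772 duration 0:00:39 bytes 820",
    "6\tJun 21 2014\t13:16:21\t302018\t90.231.136.212\t\t192.168.1.2\t9260\tTeardown GRE connection 3503 from outside:90.231.136.212 to inside:192.168.1.2/9260 duration 0:00:39 bytes 210",
]

# Built/Teardown connection records only; the 305011 "translation" lines carry no
# connection ID and are deliberately not matched (xlates are not connections).
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>TCP|GRE) connection (?P<cid>\d+)"
    r"(?:.*?duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+))?"
)

def parse_connections(lines):
    """Pair Built and Teardown records by connection ID -> {cid: summary dict}."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m["cid"], {"proto": m["proto"], "built": False, "torn_down": False,
                                        "dir": None, "duration": None, "bytes": None})
        if m["action"] == "Built":
            c["built"], c["dir"] = True, m["dir"]
        else:
            c["torn_down"], c["duration"] = True, m["dur"]
            c["bytes"] = int(m["bytes"]) if m["bytes"] else None
    return conns

def pptp_verdict(conns):
    """PPTP needs two flows through the ASA: the TCP/1723 control channel and the GRE
    data channel that 'inspect pptp' pinholes. Report whether both were built."""
    tcp = [c for c in conns.values() if c["proto"] == "TCP" and c["built"]]
    gre = [c for c in conns.values() if c["proto"] == "GRE" and c["built"]]
    return {
        "control_channel_built": bool(tcp),
        "gre_pinhole_built": bool(gre),
        "firewall_passed_pptp": bool(tcp) and bool(gre),
        # a connection can only be torn down after it was built, so a Teardown with no
        # Built line (GRE 3504 here) is a gap in the excerpt, not a flow the ASA blocked
        "teardown_without_built": sorted(i for i, c in conns.items() if c["torn_down"] and not c["built"]),
        "control_bytes": tcp[0]["bytes"] if tcp else None,
    }
```

Run against the sample, the verdict is that both channels were built and the control channel carried 748 bytes before closing with FINs, which points away from the ASA's ACL/NAT and toward the PPTP server or the client path, as the thread concludes.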


nkarthikeyan
Level 7

Hi,

PPTP requires 1723 & GRE to be allowed to make this work in a bidirectional way.

Inspect PPTP is required and you already have that. So try to allow GRE as well to the server.

Also, can you try correcting your ACL with the public IP as destination where you mentioned the real IP of the server.

With respect to NAT you have configured it correctly.

HTH


Regards

Karthik

In ASA 8.3 and later you do not need to include GRE...just the PPTP port. You might want to try changing the ACL to the following.

access-list outside_access_in extended permit tcp any host 192.168.1.2 eq 1723

access-group outside_access_in in interface outside

--
Please remember to select a correct answer and rate helpful posts

Thanks for the suggestion, but it gives me the same result.

Could you elaborate a bit on how this could be different from my acl?

The packet traces (outside, 90.231.36.212:1723 192.168.1.2:1723) give me the error message: (acl-drop) Flow is denied by configured rule

Any other suggestions?

Regards,

/Micael


What source and destination port are you using for the packet tracer?

Also, what source IP and destination IP did you use and what was the source interface?

When doing the packet tracer the destination IP should be the public IP that the server is NATed to. If you used the private IP then that might be the reason for the RFP error.

The ACL is essentially the same as the one you had, but I was thinking that the ASA might have had issues...for whatever reason...matching on that ACL.

Your configuration looks correct. Have you considered that the issue might be on the PPTP server?

--
Please remember to select a correct answer and rate helpful posts

Thank you for taking your time with this!

I was trying to write shorthand notation... 192.168.1.2:1723, i.e. port 1723, but you are of course correct, it should be the public IP, and then I get a correct trace.

Nevertheless, the VPN connection starts up, as can be seen in the logs in my original post, but then gets stuck in the "verifying user name and password".

Can I get more information from the log?

I have no issues with the VPN connection when I bypass the firewall.

You could try a packet capture on the ASA on the inside and outside interface for traffic between the two machines. Not sure if you will get much more info there, but could be worth looking at.

Other than that, have you also looked at the logs on the PPTP server? Perhaps there is something in there that might indicate what is going wrong.

--
Please remember to select a correct answer and rate helpful posts

Ok, I will look more closely into the logs on the PPTP server and get back to you tomorrow; it's getting late in Sweden!

So, here comes my update.

A "write erase" and "reload" without "Pre-configure..", followed by a new setup from scratch at the site, solved the issues.

I cannot really tell what was the reason it didn't work yesterday, but it might have been related to the 4G modem I was connecting my client from, or the NAT I was using in my VMware client setup.

Thank you very much for the suggestions!

Regards,

/Micael


Interesting... Glad you got it working. And thanks for the rating.

--
Please remember to select a correct answer and rate helpful posts