Cisco Support Community

New Member

Windows VPN Server behind ASA 5510

I have an odd issue with my VPN setup. I'm using a Windows 2000 server as a VPN server; it sits behind an ASA 5510. All of my users can get in fine in their normal use, generally remotely connecting over DSL. However, I often get reports of failure when people try to VPN from hotels. I'm thinking there is some sort of filtering or NAT transparency issue happening on the hotel side, but I never have a user at a given hotel long enough for troubleshooting to happen. I don't want a Windows box outside of the firewall, but I would like to eliminate some user headaches. Anything else I can do to eliminate ASA interference? Here is my pertinent config:


name VPN

interface Ethernet0/0
 nameif ORG-Inside
 security-level 100
 ip address standby

interface Ethernet0/1
 nameif ORG-DMZ
 security-level 50
 ip address standby

interface Ethernet0/2
 nameif ORG-Outside
 security-level 0
 ip address xx.yy.zz.125 standby xx.yy.zz.126

access-list ORG-Outside_access_in extended permit gre any host xx.yy.zz.100
access-list ORG-Outside_access_in extended permit tcp any host xx.yy.zz.100 eq pptp
access-group ORG-Outside_access_in in interface ORG-Outside

static (ORG-Inside, ORG-Outside) xx.yy.zz.100 VPN netmask

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_2
 message-length maximum 2048

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_2
  inspect pptp

service-policy global_policy global


New Member

Re: Windows VPN Server behind ASA 5510


I've had a customer having an issue with Windows VPN, and PPTP inspection was not enabled. Enabling it resolved the issue.

You could try disabling PPTP inspection. Conversely, you could terminate the PPTP to the firewall.


New Member

Re: Windows VPN Server behind ASA 5510

I'll check/try that. As for terminating to the ASA, I like being able to define access via Active Directory Global Groups. I'm not sure how smoothly I can integrate with AD on the ASA, or what other benefit there would be in switching. Windows VPN services are so easy to set up and maintain (for a Windows server guy), there would have to be some compelling reasons to switch.

New Member

Re: Windows VPN Server behind ASA 5510

Let me know how you go.

You would be able to point your ASA to a RADIUS (IAS) server and define/restrict access via a policy based on groups etc.

The only compelling reasons I can come up with are around the overall design and being able to restrict access to resources via the firewall.

Again, the design of this could be achieved solely on the placement of your Windows VPN server.

Does it let you restrict access to specific protocols and applications via subnets/hosts?


New Member

Re: Windows VPN Server behind ASA 5510

Yes, it does. I can't speak to performance (no comparative testing), but RRAS is actually a pretty flexible and intuitive part of Windows server. Access profiles can restrict based on network address, protocol, physical connection type.

I also only average about 4-5 VPN users at any given time, so for all I know the server might die if 50 people were having to connect simultaneously. That might be the Windows catch.
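
Added example, not part of the thread and not Cisco code: a small Python check that reads an ASA running-config and reports the three PPTP pass-through pieces discussed above (the TCP 1723 control permit, the GRE permit, and whether `inspect pptp` sits in an applied policy-map). The function name `audit_pptp`, the sample config and the address 192.0.2.100 are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the ACL and policy lines in the opening post.
# 192.0.2.100 is a documentation placeholder, not an address from the thread.
SAMPLE = """\
access-list ORG-Outside_access_in extended permit gre any host 192.0.2.100
access-list ORG-Outside_access_in extended permit tcp any host 192.0.2.100 eq pptp
access-group ORG-Outside_access_in in interface ORG-Outside
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
service-policy global_policy global
"""

# Only the ACE form used in the thread is parsed: permit <proto> any host <addr> [eq <port>]
ACE = re.compile(r"access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?$")
GROUP = re.compile(r"access-group (\S+) in interface \S+$")
POLICY = re.compile(r"service-policy (\S+) (?:global|interface \S+)$")

def audit_pptp(config, server):
    """Report which PPTP pass-through pieces exist for the host `server`."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(1) for l in lines if (m := GROUP.match(l))}     # ACLs in use
    applied = {m.group(1) for l in lines if (m := POLICY.match(l))}  # policies in use
    control = data = False
    inspects, current = {}, None
    for l in lines:
        m = ACE.match(l)
        if m and m.group(1) in bound and m.group(3) == server:
            proto, port = m.group(2), m.group(4)
            control |= proto == "tcp" and port in ("pptp", "1723")
            data |= proto in ("gre", "47") and port is None
        elif l.startswith("policy-map "):
            parts = l.split()
            # "policy-map type inspect ..." maps hold parameters, not inspect lines
            current = parts[1] if len(parts) == 2 else None
        elif l.startswith("inspect ") and current:
            inspects.setdefault(current, set()).add(l.split()[1])
    inspected = any("pptp" in inspects.get(p, set()) for p in applied)
    return {"tcp_1723_permitted": control, "gre_permitted": data,
            "pptp_inspection_applied": inspected}

if __name__ == "__main__":
    print(audit_pptp(SAMPLE, "192.0.2.100"))
```

Because lines are matched after stripping whitespace, the check also works on a config pasted without indentation. It reports state only; whether inspection should be on or off is the question the replies above debate.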