07-03-2007 09:20 AM - edited 02-21-2020 03:08 PM
We have an ASA and have inspect pptp enabled. However, is there a way to allow outgoing PPTP connections from our LAN 192.168.0.0 only to certain specific IPs on the internet, such as 88.88.88.88 and 89.89.89.89, through an ACL? Right now, users can connect to any PPTP VPN outside as they please.
I have tried with NAT with no luck.
This is the error message I got before enabling inspect pptp.
3|Jul 03 2007 13:36:33|305006: regular translation creation failed for protocol 47 src inside:192.168.1.199 dst outside:66.201.201.207
and this is our config (before inspect pptp):
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ExchangeOWA tcp
description Exchange Web and Mobile Access
port-object eq smtp
port-object eq https
port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 66.66.66.135 any
access-list outside extended permit tcp any host 66.66.66.133 object-group ExchangeOWA
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit icmp any any echo-reply
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BBBB-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 www 192.168.1.16 www netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 https 192.168.1.16 https netmask 255.255.255.255
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.129 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
07-04-2007 12:17 AM
Hello.
I would firstly suggest binding an acl inbound on your inside interface. That will require some thought given the impact. That would however let you dictate which hosts can communicate outbound accordingly.
You should also be able to create an appropriate access-list and bind that to your nat 10 statement instead of using
nat (inside) 10 0.0.0.0 0.0.0.0
The acl could permit the allowed pptp explicitly and then deny any other connection (pptp), remembering to allow the other nat connections you would want.
Have you tried binding an acl to NAT 10?
07-04-2007 08:37 AM
I have, but I haven't been able to get it working yet. It cut off all other internet connections such as HTTP access.
But I will take your suggestion. Could you provide example commands to do so?
Another issue is that we can't get ftp connection going to the internet.
07-04-2007 09:07 AM
I would not restrict the access with nat. An access list is the proper way to filter the traffic.
access-list inside permit tcp any host 88.88.88.88 eq pptp
access-list inside permit tcp any host 89.89.89.89 eq pptp
access-list inside deny tcp any any eq pptp
access-list inside permit ip any any
access-group inside in interface inside
07-04-2007 09:55 AM
As soon as I do that, it stops the smtp from working.
And I haven't been able to connect to any ftp on the internet.
07-04-2007 10:31 AM
As soon as you do what? Add the acl?
Adding that acl should make neither of those things occur.
07-04-2007 10:49 AM
Yes, as soon as I add the acl to the config above, it stops other traffic.
I've managed to add
access-list inside permit tcp any any eq http
access-list inside permit tcp any any eq https
access-group inside in interface inside
to solve the web access issue. But then we get an email problem. And ftp has never worked since the beginning.
07-04-2007 11:13 AM
If you added the acl exactly as it appears above there would be no need to specifically allow http and https as the 2nd to last line is permit ip any any.
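An added example (mine, not from any poster or from Cisco): a small Python first-match evaluator for the access-list syntax used in the 09:07 AM post. It shows why the extra http/https lines were redundant (they can never be reached before permit ip any any) and what the implicit deny at the end of an ASA ACL does to other traffic if that last line is missing. The 203.0.113.x destinations in the demo are constructed documentation addresses.

```python
import ipaddress

# Service names used in the thread mapped to their TCP ports.
PORTS = {"pptp": 1723, "smtp": 25, "www": 80, "http": 80, "https": 443, "ftp": 21}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")  # address + netmask form

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()[2:]            # drop 'access-list' and the ACL name
    if t[0] == "extended":
        t.pop(0)
    action, proto = t.pop(0), t.pop(0)
    src, dst = _addr(t), _addr(t)
    dport = None                    # None matches any destination port
    if t and t[0] == "eq":
        dport = PORTS.get(t[1]) or int(t[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """ASA semantics: first matching entry wins; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        a = parse_ace(line)
        if a["proto"] not in ("ip", proto):
            continue
        if src not in a["src"] or dst not in a["dst"]:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"], line
    return "deny", "implicit deny"

# The inside ACL proposed in the 09:07 AM post, verbatim.
INSIDE_ACL = [
    "access-list inside permit tcp any host 88.88.88.88 eq pptp",
    "access-list inside permit tcp any host 89.89.89.89 eq pptp",
    "access-list inside deny tcp any any eq pptp",
    "access-list inside permit ip any any",
]

if __name__ == "__main__":
    for flow in [("tcp", "192.168.1.199", "88.88.88.88", 1723),
                 ("tcp", "192.168.1.199", "203.0.113.10", 1723),
                 ("tcp", "192.168.1.16", "203.0.113.20", 25)]:
        print(flow, "->", evaluate(INSIDE_ACL, *flow))
```

Dropping the last list entry from INSIDE_ACL in the demo shows every non-PPTP flow falling through to the implicit deny, which is the failure mode to rule out when "everything else stops working" after binding a new inside ACL.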
07-04-2007 11:28 AM
Sorry my bad, thanks!
The only thing left for now is to enable outbound ftp from our lan.
Would you know where the problem is?