
New Member

ASA GRE inspection issue

I am trying to configure a standard PPTP server-inside, client-outside configuration.

I have added ACL rules to allow PPTP and GRE, turned on PPTP inspection and added a NAT rule for PPTP.

There is only one issue:

If the source in the NAT rule definition is set to the client IP address, the connection is successful.

If the source in the NAT rule definition is set to any, the GRE inspection drops the connection with the following message in the logs:

tcp flow from outside:CLIENTIP/26077 to inside:INSIDE_SERVER_IP/1723 terminated by inspection engine, reason - inspector drop reset.

Does anyone have any idea of the probable cause?

Here is the relevant config:

ACL:

access-list acl-out extended permit object gre any interface outside 
access-list acl-out extended permit object PPTPvpn any interface outside 

NAT - connection ok from a known ip:

nat (outside,any) source static current_remote_client_ip current_remote_client_ip destination static interface PrivateWindowsServer service PPTPvpn PPTPvpn

NAT - connection dropped by inspection

nat (outside,any) source static any any destination static interface PrivateWindowsServer service PPTPvpn PPTPvpn

inspect pptp:

policy-map global_policy
class inspection_default
inspect pptp
Super Bronze

Hi,

I am not sure of the reason for the drop, mostly because I rarely have to deal with any PPTP connections through an ASA and I have never used this type of VPN myself.

I would, however, configure the NAT you have configured in this way:

nat (inside,outside) source static PrivateWindowsServer interface service PPTPvpn PPTPvpn

I am just wondering how the GRE goes through with just this NAT configuration, as it only handles TCP/1723. I would expect that you would need a Static NAT and not a Static PAT (Port Forward). Then again, I don't have much knowledge of PPTP, which could mean that I am missing something obvious.

- Jouni

Bronze

Give it a try with packet tracer in both cases and possibly show us a debug for PPTP and GRE inspection.

BTW, I'm also a little bit surprised that GRE would be possible with NAT; anyway, a PPTP inspection should be able to permit the additional GRE if negotiated through PPTP. That's what stateful inspections are for.

New Member

Here is the PPTP debug:

*** NON WORKING VERSION ****

ciscoasa# debug pptp 255
debug pptp  enabled at level 255
ciscoasa# PPTP start-control-request: (outside:37.203.120.182/47694 -> inside:192.168.2.51/1723)
PPTP start-control-reply: (outside:37.203.120.182/47694 <- inside:192.168.2.51/1723)
PPTP outgoing-call-request: (outside:37.203.120.182/47694 -> inside:192.168.2.51/1723)
ERROR: PPTP request CID <47694>, fail to translate
Connection to host lost.

******* WORKING VERSION ******

ciscoasa# debug pptp 255
debug pptp  enabled at level 255
ciscoasa# PPTP start-control-request: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP start-control-reply: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1723)
PPTP outgoing-call-request: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP outgoing-call-reply: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1723)
PPTP set-link-info: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP set-link-info: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP set-link-info: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1723)
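The two captures above differ in exactly one step: in the failing case the control channel never gets past `outgoing-call-request`, and the inspector logs `fail to translate` (the point at which it would pin up the GRE translation), which is what surfaces as the "terminated by inspection engine" syslog in the original question. As an added example, not code from this thread or from Cisco, here is a small Python parser that re-joins the 80-column wrapped debug lines, groups the PPTP control messages per client endpoint and reports how far each session got, plus a matcher for the drop syslog quoted in the question. The sample captures are copies of the two debug outputs posted above; attributing an `ERROR:` line to the most recently seen session is an assumption that holds for a single-client capture like this one, and the syslog regex is built only from the one message quoted on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two `debug pptp 255` captures posted in the thread,
# kept with the 80-column wrapping the terminal applied to them.
NON_WORKING = """\
ciscoasa# PPTP start-control-request: (outside:37.203.120.182/47694 -> inside:19
2.168.2.51/1723)
PPTP start-control-reply: (outside:37.203.120.182/47694 <- inside:192.168.2.51/1
723)
PPTP outgoing-call-request: (outside:37.203.120.182/47694 -> inside:192.168.2.51
/1723)
ERROR: PPTP request CID <47694>, fail to translate
"""

WORKING = """\
ciscoasa# PPTP start-control-request: (outside:37.203.120.182/47878 -> inside:19
2.168.2.51/1723)
PPTP start-control-reply: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1
723)
PPTP outgoing-call-request: (outside:37.203.120.182/47878 -> inside:192.168.2.51
/1723)
PPTP outgoing-call-reply: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1
723)
PPTP set-link-info: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP set-link-info: (outside:37.203.120.182/47878 -> inside:192.168.2.51/1723)
PPTP set-link-info: (outside:37.203.120.182/47878 <- inside:192.168.2.51/1723)
"""

# One control message: "PPTP <type>: (outside:A/port -> inside:B/1723)".
# The outside endpoint is always printed first, whichever way the arrow points.
MSG_RE = re.compile(
    r"PPTP (?P<msg>[a-z-]+): \((?P<client>outside:[\d.]+/\d+) (?:->|<-) "
    r"(?P<server>inside:[\d.]+/\d+)\)"
)
ERR_RE = re.compile(r"ERROR: PPTP request CID <\d+>, (?P<reason>.+)")
# Shape of the inspection-engine drop message quoted in the question
# (the thread gives no %ASA message ID, so none is matched here).
DROP_RE = re.compile(
    r"flow from (?P<src>\S+) to (?P<dst>\S+) terminated by inspection engine, "
    r"reason - (?P<reason>.+?)\.?$"
)


@dataclass
class Session:
    client: str
    server: str
    messages: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def unwrap(text):
    """Re-join debug lines that the terminal wrapped at 80 columns."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        prev = lines[-1] if lines else ""
        # A PPTP message line always ends with ')'; if it does not, the
        # remainder was printed on the next physical line.
        if prev.startswith(("PPTP ", "ciscoasa# PPTP")) and not prev.endswith(")"):
            lines[-1] = prev + line
        else:
            lines.append(line)
    return lines


def parse_debug(text):
    """Group control messages by client endpoint (assumption: an ERROR line
    belongs to the session whose message was printed just before it)."""
    sessions, last = {}, None
    for line in unwrap(text):
        m = MSG_RE.search(line)
        if m:
            last = sessions.setdefault(m["client"], Session(m["client"], m["server"]))
            last.messages.append(m["msg"])
            continue
        e = ERR_RE.search(line)
        if e and last is not None:
            last.errors.append(e["reason"])
    return sessions


def diagnose(session):
    """Summarise how far the PPTP control channel got."""
    if session.errors:
        return "control channel failed: " + session.errors[0]
    if "outgoing-call-reply" in session.messages:
        return "call established"
    if "outgoing-call-request" in session.messages:
        return "call request unanswered"
    return "no call attempted"


def inspection_drop(syslog_line):
    """Return (src, dst, reason) for an inspection-engine drop, else None."""
    m = DROP_RE.search(syslog_line)
    return (m["src"], m["dst"], m["reason"]) if m else None
```

Run `diagnose()` over `parse_debug(NON_WORKING)` and `parse_debug(WORKING)` to get the one-line verdict per client; the failing capture yields "control channel failed: fail to translate" while the working one yields "call established", which is the difference the two NAT rules make.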

Bronze

I just had an idea:

Which sequence number does the NAT rule for your PPTP service have, and are there any other NAT rules (e.g. a dynamic "all inside PAT") which could collide with PPTP?

Try to be more specific with your NAT: instead of (outside,any), make a specific (inside,outside) NAT rule like Jouni suggested.

If possible, try to disable all other NAT rules in a short service window, although I would expect different error messages from an asymmetric NAT situation.
