Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cannot connect to vpn server behind 5510 ASA with windows clients

Hi All,

I seen a number of posts on this, and followed a few support docs on this matter, but I'm utterly stuck now, nothing seems to be working for me.

It's the usual scenario, I've got a windows 2003 VPN server sat on the private lan of our ASA 5510 firewall, and I'm trying to get my Windows XP / 7 laptops to connect to it.

Within the ASDM:

1) Created Public Server for protocol 1723

2) Created Public Server for protocol GRE

3) Both public servers created have the same public and private addresses

4) The above created the Static Route from Public to Private in the NAT section of the firewall config

5) The above also created 2 firewall rules on the outside interface for both 1723 and GRE

When trying to connect I get the following entry in the debug log.

6    Aug 06 2010    17:09:37    302013    195.74.141.2    1045    ChamberVPN-Internal    1723    Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-Internal/1723 (XXX.XXX.XXX.XXX/1723)

but nothing further.

The server doesn't show any attempt at a connection so I'm guessing I'm missing something on the firewall now.

Also on the inside interface there is a temp rule:

Source: Any

Destination: Any

Service: IP

Action: Permit

This should allow any outbound traffic as far as I'm aware..

Any help would be greatly appreciated.


Chris

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hi Chris,

          Asa logs shows that connection is ended because of "syn timeout". That means asa doesn't get any response from the Windows Server. In that point we need to clarify some points.

1 - Does your vpn server have correct default gateway or route which is inside interface of your asa fw.

2 - Is it possible to start packet capture on Windows Server. By this we can get data flow information beetween client and server. And we can be sure that Windows Server is getting vpn request.

Ufuk Guler

5 REPLIES
Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hello Chris,

               I don't know if you check this document. I hope below link can help to solve your problem.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

Ufuk Guler

Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hi Ufuk,

Yep, that was the document I was using to double check what I was doing.

See my config below:

access-list outside-in extended permit tcp any host XXX.XXX.XXX>XXX eq pptp log debugging

access-list outside-in extended permit gre any host XXX.XXX.XXX.XXX log debugging

static (inside,outside) VPN-External ChamberVPN-Internal netmask 255.255.255.255

access-group outside-in in interface outside

I double checked again this morning against the document you recommended, but everything looks right to me

The only thing I can see that is different is the fact that '0 0' is missing off of the end of the static line, not sure what this does though?

The debug info shows the following:

6    Aug 09 2010    09:46:18    302013    212.183.133.32    19374    ChamberVPN-Internal    1723    Built inbound TCP connection 1950425 for outside:212.183.133.32/19374 (212.183.133.32/19374) to inside:ChamberVPN-Internal/1723 (XXX.XXX.XXX.XXX/1723)

6    Aug 09 2010    09:46:20    302014    212.183.133.32    19367     ChamberVPN-Internal    1723    Teardown TCP connection 1950350 for  outside:212.183.133.32/19367 to inside:ChamberVPN-Internal/1723 duration  0:00:30 bytes 0 SYN Timeout

Any other ideas?

Chris.

Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hi Chris,

          Asa logs shows that connection is ended because of "syn timeout". That means asa doesn't get any response from the Windows Server. In that point we need to clarify some points.

1 - Does your vpn server have correct default gateway or route which is inside interface of your asa fw.

2 - Is it possible to start packet capture on Windows Server. By this we can get data flow information beetween client and server. And we can be sure that Windows Server is getting vpn request.

Ufuk Guler

Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hi Ufuk,

What a stupid mistake.

focusing on the cisco ASA that much I never switched the gateway of the VPN server across from the old line to the new one that the cisco ASA is protecting.

Chalk 1 up to experience.

Thanks for the response, point 1 hit the nail squarely on the head.


Chris.

Community Member

Re: Cannot connect to vpn server behind 5510 ASA with windows cl

Hi Chris,

          This is very good news.

Ufuk Guler

810
Views
0
Helpful
5
Replies
CreatePlease to create content