Cannot connect to VPN server behind 5510 ASA with Windows clients

leedschamber202

Hi All,

I've seen a number of posts on this and followed a few support docs on the matter, but I'm utterly stuck now; nothing seems to be working for me.

It's the usual scenario: I've got a Windows 2003 VPN server sat on the private LAN of our ASA 5510 firewall, and I'm trying to get my Windows XP / 7 laptops to connect to it.

Within the ASDM:

1) Created Public Server for protocol 1723

2) Created Public Server for protocol GRE

3) Both public servers created have the same public and private addresses

4) The above created the static route from public to private in the NAT section of the firewall config

5) The above also created 2 firewall rules on the outside interface for both 1723 and GRE

When trying to connect I get the following entry in the debug log.

6    Aug 06 2010    17:09:37    302013    195.74.141.2    1045    ChamberVPN-Internal    1723    Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-Internal/1723 (XXX.XXX.XXX.XXX/1723)

but nothing further.

The server doesn't show any attempt at a connection, so I'm guessing I'm missing something on the firewall now.

Also on the inside interface there is a temp rule:

Source: Any

Destination: Any

Service: IP

Action: Permit

This should allow any outbound traffic as far as I'm aware.

Any help would be greatly appreciated.


Chris


ufuk guler

Hello Chris,

I don't know if you have checked this document. I hope the link below can help solve your problem.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

Ufuk Guler

Hi Ufuk,

Yep, that was the document I was using to double check what I was doing.

See my config below:

access-list outside-in extended permit tcp any host XXX.XXX.XXX.XXX eq pptp log debugging

access-list outside-in extended permit gre any host XXX.XXX.XXX.XXX log debugging

static (inside,outside) VPN-External ChamberVPN-Internal netmask 255.255.255.255

access-group outside-in in interface outside

I double-checked again this morning against the document you recommended, but everything looks right to me.

The only thing I can see that is different is that '0 0' is missing off the end of the static line; not sure what this does though?

The debug info shows the following:

6    Aug 09 2010    09:46:18    302013    212.183.133.32    19374    ChamberVPN-Internal    1723    Built inbound TCP connection 1950425 for outside:212.183.133.32/19374 (212.183.133.32/19374) to inside:ChamberVPN-Internal/1723 (XXX.XXX.XXX.XXX/1723)

6    Aug 09 2010    09:46:20    302014    212.183.133.32    19367     ChamberVPN-Internal    1723    Teardown TCP connection 1950350 for  outside:212.183.133.32/19367 to inside:ChamberVPN-Internal/1723 duration  0:00:30 bytes 0 SYN Timeout

Any other ideas?

Chris.

Hi Chris,

The ASA logs show that the connection is ended because of "SYN timeout". That means the ASA doesn't get any response from the Windows Server. At this point we need to clarify some points.

1 - Does your VPN server have the correct default gateway or route, which should be the inside interface of your ASA firewall?

2 - Is it possible to start a packet capture on the Windows Server? By this we can get data flow information between client and server, and we can be sure that the Windows Server is getting the VPN request.

Ufuk Guler
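As an added illustration of the reasoning in this reply (example code, not from the thread or from Cisco), the following Python parses ASA 302013/302014 syslog lines and flags inbound flows to the static-NAT host that were torn down with "SYN Timeout" and zero bytes, i.e. the SYN was forwarded but no SYN/ACK ever came back through the ASA. The log text and the third (completed) connection are constructed sample data modelled on the lines quoted above.

```python
import re

# Constructed sample in the format the thread quotes (message 302013 = Built, 302014 = Teardown).
# The third line is an added, successful connection for contrast; it is not from the thread.
SAMPLE_LOG = """\
6    Aug 09 2010    09:46:18    302013    212.183.133.32    19374    ChamberVPN-Internal    1723    Built inbound TCP connection 1950425 for outside:212.183.133.32/19374 (212.183.133.32/19374) to inside:ChamberVPN-Internal/1723 (XXX.XXX.XXX.XXX/1723)
6    Aug 09 2010    09:46:20    302014    212.183.133.32    19367    ChamberVPN-Internal    1723    Teardown TCP connection 1950350 for  outside:212.183.133.32/19367 to inside:ChamberVPN-Internal/1723 duration  0:00:30 bytes 0 SYN Timeout
6    Aug 09 2010    09:47:05    302014    212.183.133.32    19380    ChamberVPN-Internal    1723    Teardown TCP connection 1950500 for  outside:212.183.133.32/19380 to inside:ChamberVPN-Internal/1723 duration  0:02:10 bytes 4120 TCP FINs
"""

# Tolerates the doubled spaces that appear in the pasted log lines.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for\s+(?P<src_if>\w+):(?P<src>\S+)/(?P<sport>\d+)"
    r"\s+to\s+(?P<dst_if>\w+):(?P<dst>\S+)/(?P<dport>\d+)\s+duration\s+(?P<dur>\S+)"
    r"\s+bytes\s+(?P<bytes>\d+)\s+(?P<reason>.+?)\s*$"
)


def parse_teardowns(log_text):
    """Extract every 302014 Teardown record from raw ASA syslog text."""
    records = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def find_unanswered_inbound(log_text, inside_host, dport="1723"):
    """Return connection IDs torn down with 'SYN Timeout' and zero bytes toward inside_host:dport.

    A zero-byte SYN Timeout on an inbound static-NAT flow means the ASA accepted the client's SYN
    through the ACL and translation but never saw the server's SYN/ACK return through it, so the
    fault is on the return path (in this thread: the server's default gateway pointing elsewhere).
    """
    return [
        r["conn"]
        for r in parse_teardowns(log_text)
        if r["dst_if"] == "inside" and r["dst"] == inside_host and r["dport"] == dport
        and r["bytes"] == 0 and r["reason"].lower() == "syn timeout"
    ]


if __name__ == "__main__":
    print("unanswered inbound flows:", find_unanswered_inbound(SAMPLE_LOG, "ChamberVPN-Internal"))
```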

Hi Ufuk,

What a stupid mistake.

Focusing on the Cisco ASA that much, I never switched the gateway of the VPN server across from the old line to the new one that the Cisco ASA is protecting.

Chalk 1 up to experience.

Thanks for the response, point 1 hit the nail squarely on the head.


Chris.

Hi Chris,

This is very good news.

Ufuk Guler