01-08-2009 02:49 PM
Hello,
We are dealing with the same problem in two different scenarios: PIX 515 and ASA 5510.
In both cases we have an internal Windows 2003 server behind the firewall running the RRAS service, so that remote Windows XP clients connect using their native PPTP capabilities. However, these clients are not even authenticated; the VPN tunnels are not completed.
We are sure that the Windows configurations are good; the problem is on the PIX/ASA. Surprisingly, GRE traffic is registered in the PIX/ASA logs:
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315921 for outside:xx.yy.zz.tt/1289 (xx.yy.zz.tt/1289) to inside:172.16.0.12/1723 (tt.zz.yy.xx/1723)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built inbound GRE connection 3315922 from outside:xx.yy.zz.tt (xx.yy.zz.tt) to inside:172.16.0.12/14579 (tt.zz.yy.xx/14579)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built outbound GRE connection 3315923 from inside:172.16.0.12 (tt.zz.yy.xx) to outside:xx.yy.zz.tt/256 (xx.yy.zz.tt/256)
2009-01-06 23:24:30 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315921 for outside:xx.yy.zz.tt/1289 to inside:172.16.0.12/1723 duration 0:00:37 bytes 732 TCP FINs
We have followed the following Cisco article (scenario with the server inside and the clients outside), without success so far:
Perhaps NAT and GRE are not easily compatible in PIX/ASA.
Any ideas?
Thank you very much.
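The four firewall messages quoted above, correlated per remote peer by message ID. This is an added example, not part of the original post and not a Cisco tool: it parses only the three PIX/ASA message IDs that appear in the post (302013 TCP built, 302014 TCP teardown, 302017 GRE built), the sample lines are the poster's own with the anonymised xx.yy.zz.tt / tt.zz.yy.xx placeholders kept, the interface name "outside" is assumed from the post, and the verdict strings are labels of my own:

```python
import json
import re
from collections import defaultdict

PPTP_PORT = 1723  # PPTP control channel; the tunnel data rides on GRE (IP protocol 47)

# Constructed sample input: the four lines quoted in the post, placeholders left as-is.
SAMPLE_LOG = """\
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315921 for outside:xx.yy.zz.tt/1289 (xx.yy.zz.tt/1289) to inside:172.16.0.12/1723 (tt.zz.yy.xx/1723)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built inbound GRE connection 3315922 from outside:xx.yy.zz.tt (xx.yy.zz.tt) to inside:172.16.0.12/14579 (tt.zz.yy.xx/14579)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built outbound GRE connection 3315923 from inside:172.16.0.12 (tt.zz.yy.xx) to outside:xx.yy.zz.tt/256 (xx.yy.zz.tt/256)
2009-01-06 23:24:30 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315921 for outside:xx.yy.zz.tt/1289 to inside:172.16.0.12/1723 duration 0:00:37 bytes 732 TCP FINs
"""

# Address fields are matched loosely on purpose so anonymised placeholders parse too.
ADDR = r"[^\s/()]+"
RE_TCP_BUILT = re.compile(
    r"%(?:PIX|ASA)-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    rf"for (?P<src_if>\w+):(?P<src>{ADDR})/(?P<sport>\d+) \([^)]*\) "
    rf"to (?P<dst_if>\w+):(?P<dst>{ADDR})/(?P<dport>\d+) \([^)]*\)")
RE_TCP_DOWN = re.compile(
    r"%(?:PIX|ASA)-\d-302014: Teardown TCP connection (?P<id>\d+) "
    rf"for (?P<src_if>\w+):(?P<src>{ADDR})/(?P<sport>\d+) "
    rf"to (?P<dst_if>\w+):(?P<dst>{ADDR})/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")
RE_GRE_BUILT = re.compile(
    r"%(?:PIX|ASA)-\d-302017: Built (?P<dir>inbound|outbound) GRE connection (?P<id>\d+) "
    rf"from (?P<src_if>\w+):(?P<src>{ADDR}) \([^)]*\) "
    rf"to (?P<dst_if>\w+):(?P<dst>{ADDR})/(?P<callid>\d+) \([^)]*\)")


def analyze(log_text, outside_if="outside"):
    """Per remote peer: its PPTP control sessions (TCP/1723), the GRE connections the
    firewall built for it, and a one-line verdict about what the log demonstrably shows."""
    peers = defaultdict(lambda: {"control": {}, "gre": []})

    def peer_of(m):
        # The remote client is whichever end of the flow sits on the outside interface.
        return m["src"] if m["src_if"] == outside_if else m["dst"]

    for line in log_text.splitlines():
        if m := RE_TCP_BUILT.search(line):
            if PPTP_PORT not in (int(m["sport"]), int(m["dport"])):
                continue  # some other TCP flow, not the PPTP control channel
            peers[peer_of(m)]["control"][m["id"]] = {
                "id": m["id"], "direction": m["dir"], "torn_down": False,
                "duration_s": None, "bytes": None, "reason": None}
        elif m := RE_TCP_DOWN.search(line):
            state = peers.get(peer_of(m))  # .get() so unknown peers are not created
            ctl = state["control"].get(m["id"]) if state else None
            if ctl is None:
                continue  # teardown of a flow never classified as PPTP control
            ctl.update(torn_down=True,
                       duration_s=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                       bytes=int(m["bytes"]), reason=m["reason"].strip())
        elif m := RE_GRE_BUILT.search(line):
            peers[peer_of(m)]["gre"].append(
                {"id": m["id"], "direction": m["dir"], "call_id": int(m["callid"])})

    report = {}
    for peer, state in peers.items():
        dirs = {g["direction"] for g in state["gre"]}
        if not state["control"]:
            verdict = "GRE seen without a PPTP control session: inspect manually"
        elif dirs == {"inbound", "outbound"}:
            verdict = "firewall built TCP/1723 and GRE in both directions"
        elif dirs:
            verdict = f"GRE only {next(iter(dirs))}: check the permit gre ACL and NAT for the other direction"
        else:
            verdict = "TCP/1723 built but no GRE: check the permit gre ACL and the static NAT"
        report[peer] = {"control": list(state["control"].values()),
                        "gre": state["gre"], "verdict": verdict}
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against the poster's lines it reports one peer whose control session was built, matched by a GRE connection in each direction, and closed with TCP FINs after 37 seconds and 732 bytes; the same correlation on a larger syslog export separates peers for which GRE never appears (an ACL or NAT problem on the firewall) from peers for which it does.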
01-08-2009 07:32 PM
Hey,
Are you doing a static NAT for the PPTP server? Have you enabled IP inspect pptp? Can you post your configs? Are there any error logs on the PPTP server which could be of use?
Raj
01-09-2009 12:15 PM
Hi,
Yes, a static NAT for the PPTP server is configured. For instance, this is the configuration of the ASA 5510 (the PPTP server is 192.168.100.10):
access-list OUTSIDE_in extended permit tcp any host xx.yy.zz.tt eq pptp
access-list OUTSIDE_in extended permit gre any host xx.yy.zz.tt
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.100.10 pptp netmask 255.255.255.255
I think that "IP inspect PPTP" is not necessary because the server is inside and the clients are outside. But anyway, we have some related configuration:
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect bla bla bla
.............
inspect pptp
service-policy global_policy global
On the PPTP server we could see some errors about GRE in the Windows 2003 Event Viewer, but they disappeared when GRE was allowed in the access-list and the static NAT was added.
Thank you very much.