Microsoft VPN does not work through PIX/ASA

comunicjsc
Level 1

Hello,

We are dealing with the same problem in two different scenarios: PIX 515 and ASA 5510.

In both cases we have an internal Windows 2003 server behind the firewall with the RRAS service running, so that remote Windows XP clients connect using native PPTP capabilities. However, these clients are not even authenticated, and the VPN tunnels are not completed.

We are sure that Windows configurations are good, the problem is on PIX/ASA. Surprisingly, GRE traffic is registered in PIX/ASA logs:

2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315921 for outside:xx.yy.zz.tt/1289 (xx.yy.zz.tt/1289) to inside:172.16.0.12/1723 (tt.zz.yy.xx/1723)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built inbound GRE connection 3315922 from outside:xx.yy.zz.tt (xx.yy.zz.tt) to inside:172.16.0.12/14579 (tt.zz.yy.xx/14579)
2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built outbound GRE connection 3315923 from inside:172.16.0.12 (tt.zz.yy.xx) to outside:xx.yy.zz.tt/256 (xx.yy.zz.tt/256)
2009-01-06 23:24:30 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315921 for outside:xx.yy.zz.tt/1289 to inside:172.16.0.12/1723 duration 0:00:37 bytes 732 TCP FINs

We have followed this Cisco article (the scenario with the server inside and the clients outside), without success so far:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

Perhaps NAT and GRE are not easily compatible in PIX/ASA.

Any ideas?

Thank you very much.
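As an added illustration (not part of the original post), the four syslog lines quoted above can be correlated mechanically. PPTP has two halves: a TCP/1723 control channel (message 302013/302014) and a GRE data channel (302017), and a firewall log only tells you that the tunnel was passed if both halves appear for the same client/server pair. The script below is my own, not anything from the thread or from Cisco; it parses the three message IDs shown in the post, groups GRE connections under the control session they belong to, and reports whether the firewall built the data channel in both directions and how the control channel ended. Host fields are matched loosely because the thread's addresses are masked (xx.yy.zz.tt); the sample log is the thread's own four lines. Function names (`summarize_pptp`, `diagnose`) and the `PptpSession` record are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PPTP_PORT = 1723  # control channel; the data channel is GRE (IP protocol 47), which has no ports

# Patterns follow the %PIX-6-302013 / 302014 / 302017 lines quoted in the thread.
# Hosts are matched with [^/\s]+ rather than an IP pattern because the thread masks them.
BUILT_TCP = re.compile(
    r"%(?:PIX|ASA)-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) \(\S+\) "
    r"to (?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \(\S+\)"
)
TEARDOWN_TCP = re.compile(
    r"%(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.+?))?\s*$"
)
# The numeric suffix on a GRE endpoint in this message is the PPTP call ID, not a port.
BUILT_GRE = re.compile(
    r"%(?:PIX|ASA)-6-302017: Built (?P<dir>inbound|outbound) GRE connection (?P<id>\d+) "
    r"from (?P<sif>\w+):(?P<src>[^/\s]+)(?:/(?P<scall>\d+))? \(\S+\) "
    r"to (?P<dif>\w+):(?P<dst>[^/\s]+)(?:/(?P<dcall>\d+))? \(\S+\)"
)


@dataclass
class PptpSession:
    client: str
    server: str
    control_id: str
    gre_inbound: List[str] = field(default_factory=list)   # GRE conn ids, client -> server
    gre_outbound: List[str] = field(default_factory=list)  # GRE conn ids, server -> client
    duration_s: Optional[int] = None
    control_bytes: Optional[int] = None
    teardown_reason: Optional[str] = None


def summarize_pptp(lines: List[str]) -> Tuple[Dict[Tuple[str, str], PptpSession], List[str]]:
    """Group firewall syslog lines into PPTP sessions keyed by (client, server).

    Returns the sessions and the ids of GRE connections that had no control channel."""
    sessions: Dict[Tuple[str, str], PptpSession] = {}
    by_conn_id: Dict[str, PptpSession] = {}
    orphan_gre: List[str] = []
    for line in lines:
        line = line.strip()
        m = BUILT_TCP.search(line)
        if m and int(m["dport"]) == PPTP_PORT:
            s = PptpSession(client=m["src"], server=m["dst"], control_id=m["id"])
            sessions[(s.client, s.server)] = s
            by_conn_id[m["id"]] = s
            continue
        m = TEARDOWN_TCP.search(line)
        if m and m["id"] in by_conn_id:
            s = by_conn_id[m["id"]]
            s.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            s.control_bytes = int(m["bytes"])
            s.teardown_reason = m["reason"]
            continue
        m = BUILT_GRE.search(line)
        if m:
            # inbound GRE runs client -> server, outbound GRE runs server -> client
            key = (m["src"], m["dst"]) if m["dir"] == "inbound" else (m["dst"], m["src"])
            s = sessions.get(key)
            if s is None:
                orphan_gre.append(m["id"])  # GRE without a PPTP control channel: worth a look
                continue
            (s.gre_inbound if m["dir"] == "inbound" else s.gre_outbound).append(m["id"])
    return sessions, orphan_gre


def diagnose(s: PptpSession) -> str:
    """Say what the firewall log alone can tell you about one PPTP session."""
    if not s.gre_inbound and not s.gre_outbound:
        return ("no GRE built: the firewall never passed the data channel "
                "(check the GRE ACL entry, the static translation and PPTP inspection)")
    if not s.gre_inbound or not s.gre_outbound:
        return "GRE built in one direction only: check the ACL/translation for the missing direction"
    if s.teardown_reason == "TCP FINs":
        return (f"GRE built both ways; control channel closed with TCP FINs after {s.duration_s}s "
                f"and {s.control_bytes} bytes, i.e. an endpoint ended the session, not the firewall: "
                "look at the PPTP server's own logs next")
    return "GRE built both ways; control channel still open or closed for another reason"


# Constructed sample: the four lines quoted in the post above.
SAMPLE_LOG = [
    "2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315921 for outside:xx.yy.zz.tt/1289 (xx.yy.zz.tt/1289) to inside:172.16.0.12/1723 (tt.zz.yy.xx/1723)",
    "2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built inbound GRE connection 3315922 from outside:xx.yy.zz.tt (xx.yy.zz.tt) to inside:172.16.0.12/14579 (tt.zz.yy.xx/14579)",
    "2009-01-06 23:23:53 Local4.Info 217.15.42.214 %PIX-6-302017: Built outbound GRE connection 3315923 from inside:172.16.0.12 (tt.zz.yy.xx) to outside:xx.yy.zz.tt/256 (xx.yy.zz.tt/256)",
    "2009-01-06 23:24:30 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315921 for outside:xx.yy.zz.tt/1289 to inside:172.16.0.12/1723 duration 0:00:37 bytes 732 TCP FINs",
]

if __name__ == "__main__":
    found, orphans = summarize_pptp(SAMPLE_LOG)
    for (client, server), sess in found.items():
        print(f"{client} -> {server}: {diagnose(sess)}")
    if orphans:
        print("GRE connections with no control channel:", orphans)
```

Run against the thread's lines it reports that the firewall built GRE in both directions for xx.yy.zz.tt -> 172.16.0.12 and that the control session was closed with FINs after 37 seconds, which is consistent with the poster's remark that GRE shows up in the log even though the tunnel never completes.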

2 Replies

sachinraja
Level 9

Hey ..

Are you doing a static NAT for the PPTP server? Have you enabled IP inspect pptp? Can you post your configs? Are there any error logs on the PPTP server which could be of use?

Raj

Hi,

Yes, a static NAT for the PPTP server is configured. For instance, this is the configuration of the ASA 5510 (the PPTP server is 192.168.100.10):

access-list OUTSIDE_in extended permit tcp any host xx.yy.zz.tt eq pptp
access-list OUTSIDE_in extended permit gre any host xx.yy.zz.tt
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.100.10 pptp netmask 255.255.255.255

I think that "IP inspect PPTP" is not necessary because the server is inside and the clients are outside. But, anyway, we have some related configuration:

class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect bla bla bla
  .............
  inspect pptp
service-policy global_policy global

On the PPTP server, we could see some errors about GRE in the Windows 2003 Event Viewer, but they disappeared when GRE was allowed in the access-list and the static NAT was added.

Thank you very much.
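As an added example (my own code, not from the thread or from Cisco), here is a small lint for the PPTP pass-through pieces of a PIX/ASA configuration like the one posted above. It encodes the dependencies a reviewer checks by hand: the ACL must permit both TCP/1723 and GRE to the same public address; a one-to-one static translates every protocol including GRE, whereas a port-based static such as `static (inside,outside) tcp interface pptp ...` only carries TCP/1723, because GRE has no port to map; and when the server sits behind that kind of port translation the ASA needs `inspect pptp` in a globally applied policy-map to create the GRE translations. The function also flags the mismatch that is easy to miss in the posted config: the ACL names a literal host while the static uses the outside interface address, so the two must refer to the same address. The names `lint_pptp_passthrough` and `Finding` are my own; the sample configuration is the one quoted in the reply, with the elided `inspect` lines left as posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Finding:
    level: str  # "ok", "warn" or "fail"
    text: str


# Old-style (pre-8.3) PIX/ASA syntax, as used in the thread.
ACL_TCP = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (pptp|1723)$")
ACL_GRE = re.compile(r"^access-list (\S+) extended permit gre any host (\S+)$")
STATIC_PORT = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (pptp|1723) (\S+) (pptp|1723) netmask \S+")
STATIC_1TO1 = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
POLICY_MAP = re.compile(r"^policy-map (\S+)$")
SERVICE_POLICY_GLOBAL = re.compile(r"^service-policy (\S+) global$")


def lint_pptp_passthrough(config_text: str, server_ip: str) -> List[Finding]:
    """Check that config_text lets outside PPTP clients reach the inside server server_ip."""
    tcp_hosts: List[str] = []
    gre_hosts: List[str] = []
    port_static: Optional[str] = None   # global address used by a tcp/1723 port static
    one_to_one: Optional[str] = None    # global address used by a one-to-one static
    policies_with_pptp: Set[str] = set()
    global_policies: Set[str] = set()
    current_policy: Optional[str] = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_TCP.match(line)
        if m:
            tcp_hosts.append(m.group(2))
            continue
        m = ACL_GRE.match(line)
        if m:
            gre_hosts.append(m.group(2))
            continue
        m = STATIC_PORT.match(line)
        if m and m.group(5) == server_ip:
            port_static = m.group(3)
            continue
        m = STATIC_1TO1.match(line)
        if m and m.group(4) == server_ip:
            one_to_one = m.group(3)
            continue
        m = POLICY_MAP.match(line)
        if m:
            current_policy = m.group(1)
            continue
        if line.startswith(("class-map ", "service-policy ")):
            m = SERVICE_POLICY_GLOBAL.match(line)
            if m:
                global_policies.add(m.group(1))
            current_policy = None   # left the policy-map block
            continue
        if line == "inspect pptp" and current_policy:
            policies_with_pptp.add(current_policy)

    findings: List[Finding] = []
    if tcp_hosts:
        findings.append(Finding("ok", f"ACL permits TCP/1723 (PPTP control channel) to {sorted(set(tcp_hosts))}"))
    else:
        findings.append(Finding("fail", "no ACL entry permits TCP/1723 to the public address"))
    if gre_hosts:
        findings.append(Finding("ok", f"ACL permits GRE (PPTP data channel) to {sorted(set(gre_hosts))}"))
    else:
        findings.append(Finding("fail", "no ACL entry permits GRE (IP protocol 47); the data channel will be dropped"))
    if tcp_hosts and gre_hosts and set(tcp_hosts) != set(gre_hosts):
        findings.append(Finding("warn", "the TCP/1723 and GRE permits name different public addresses"))

    if one_to_one:
        findings.append(Finding("ok", f"one-to-one static {one_to_one} -> {server_ip} translates every protocol, GRE included"))
    elif port_static:
        findings.append(Finding("ok", f"port static {port_static}:1723 -> {server_ip}:1723 carries the control channel"))
        if port_static == "interface" and tcp_hosts:
            findings.append(Finding("warn", f"the static uses the outside interface address while the ACL names host {sorted(set(tcp_hosts))}; they must be the same address"))
        inspected = policies_with_pptp & global_policies
        if inspected:
            findings.append(Finding("ok", f"GRE has no port, so the port static cannot translate it; 'inspect pptp' in globally applied policy {sorted(inspected)} creates the GRE translations"))
        else:
            findings.append(Finding("fail", "GRE has no port, so the port static cannot translate it, and no globally applied policy-map contains 'inspect pptp'"))
    else:
        findings.append(Finding("fail", f"no static translation found for {server_ip}"))
    return findings


# Constructed sample: the ASA 5510 fragments quoted in the reply above.
SAMPLE_CONFIG = """
access-list OUTSIDE_in extended permit tcp any host xx.yy.zz.tt eq pptp
access-list OUTSIDE_in extended permit gre any host xx.yy.zz.tt
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.100.10 pptp netmask 255.255.255.255
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect bla bla bla
  .............
  inspect pptp
service-policy global_policy global
"""

if __name__ == "__main__":
    for f in lint_pptp_passthrough(SAMPLE_CONFIG, "192.168.100.10"):
        print(f"[{f.level}] {f.text}")
```

On the posted fragments this yields no failures: TCP/1723 and GRE are permitted, the port static covers the control channel, and `inspect pptp` is in the globally applied `global_policy`, which is what lets GRE through that port-based translation. The remaining warning is the interface-versus-host check, which is worth confirming against the outside interface address before looking elsewhere.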