
Packet tracer shows implicit rule dropping my PPTP VPN connection

gary
Level 1

Users are not able to connect from the outside.

The VPN address that clients use from the outside is 173.14.170.113

The VPN address on our inside network is 192.168.0.13

I have set up the ASA for my VPN as follows:

access-list acl-out extended permit tcp any host 173.14.170.113 eq pptp

access-list acl-out extended permit gre any host 173.14.170.113

static (inside,outside) tcp 173.14.170.113 pptp 192.168.0.13 pptp netmask 255.255.255.255

When I use packet tracer it shows a drop of the IP gre traffic on an implicit rule that denies any IP traffic even though I have it opened earlier in the access list.

Thanks for your help,

Gary

8 Replies

Hi Gary,

Did you try adding inspect pptp?

Patrick

Yeah, there is an inspect pptp added in one of the sections. One other thing is that packet tracer is only dropping on the implicit rule. PPTP passes through just fine.

Thanks for your help,

Gary

Hi,

Can you post your full config (without sensitive information) and the output of the packet tracer?

Patrick

As of 8.3 you have to use inside local address (192.168.0.13) in the ACL.

You also need a static NAT line for GRE protocol. Or I would use a static one-to-one IP mapping.

Hi, is it solved?

Not solved as of yet. Sorry for the delay with getting back.

We are using ASA 7.2(1). Also it won't let me do a NAT line for GRE. The only options are tcp or udp.

How do I assign static one-to-one IP mapping?

Hi,

The Static NAT format is almost the same as the Static PAT configuration you have done for the TCP port.

static (inside,outside) netmask 255.255.255.255

- Jouni

Thanks for your help.

I added the Static NAT line. static (inside,outside) netmask 255.255.255.255

The firewall is no longer dropping gre traffic as it was before; however, I am not able to connect to VPN.
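An added example, not part of the thread and not Cisco tooling: a small Python check over the pre-8.3 configuration lines from the first post, flagging the gap the replies point at, namely that a `static ... tcp ... pptp` entry translates only TCP 1723 and leaves GRE untranslated. `audit_pptp` and its finding codes are hypothetical names, and the ACL is matched against the public address, as pre-8.3 software expects.

```python
import re

# Constructed sample: the three pre-8.3 ASA lines quoted in the first post.
THREAD_CONFIG = """\
access-list acl-out extended permit tcp any host 173.14.170.113 eq pptp
access-list acl-out extended permit gre any host 173.14.170.113
static (inside,outside) tcp 173.14.170.113 pptp 192.168.0.13 pptp netmask 255.255.255.255
"""

ACL_RE = re.compile(
    r"^access-list \S+ extended permit (\S+) any host (\S+)(?: eq (\S+))?$")
# In a pre-8.3 static, a leading tcp/udp keyword makes it a port-only PAT entry.
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (?:(tcp|udp) )?(\d+(?:\.\d+){3}) ")


def audit_pptp(config, public_ip):
    """Return finding codes for inbound PPTP to public_ip (hypothetical helper)."""
    tcp_ok = gre_ok = one_to_one = port_pat = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        acl = ACL_RE.match(line)
        if acl and acl.group(2) == public_ip:
            proto, port = acl.group(1), acl.group(3)
            if proto == "ip" and port is None:
                tcp_ok = gre_ok = True
            elif proto == "tcp" and port in (None, "pptp", "1723"):
                tcp_ok = True
            elif proto in ("gre", "47"):
                gre_ok = True
        nat = STATIC_RE.match(line)
        if nat and nat.group(2) == public_ip:
            if nat.group(1):
                port_pat = True
            else:
                one_to_one = True
    findings = []
    if not tcp_ok:
        findings.append("ACL_TCP1723_MISSING")
    if not gre_ok:
        findings.append("ACL_GRE_MISSING")
    if not one_to_one:
        # GRE is IP protocol 47 and has no ports, so a tcp/udp static never matches it.
        findings.append("NAT_GRE_UNTRANSLATED" if port_pat else "NAT_MISSING")
    return findings


if __name__ == "__main__":
    print(audit_pptp(THREAD_CONFIG, "173.14.170.113"))
```

An empty result only means the ACL and NAT prerequisites are present; it does not confirm that the PPTP server itself accepts the session.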