Cisco Support Community
New Member

Packet tracer shows implicit rule dropping my PPTP VPN connection

Users are not able to connect from the outside.

The VPN address that clients use from the outside is 173.14.170.113

The VPN address on our inside network is 192.168.0.13

I have set up the ASA for my VPN as follows:

access-list acl-out extended permit tcp any host 173.14.170.113 eq pptp

access-list acl-out extended permit gre any host 173.14.170.113

static (inside,outside) tcp 173.14.170.113 pptp 192.168.0.13 pptp netmask 255.255.255.255

When I use packet tracer it shows a drop of the IP gre traffic on an implicit rule that denies any IP traffic even though I have it opened earlier in the access list.

Thanks for your help,

Gary

8 REPLIES

Hi Gary,

Did you try adding inspect pptp?

Patrick

New Member

Yeah, there is an inspect pptp added in one of the sections. One other thing is that packet tracer is only dropping on the implicit rule. PPTP passes through just fine.

Thanks for your help,

Gary

Hi,

Can you post your full config (without sensitive information) and the output of the packet tracer?

Patrick

Silver

As of 8.3 you have to use inside local address (192.168.0.13) in the ACL.

You also need a static NAT line for GRE protocol. Or I would use a static one-to-one IP mapping.

Silver

Hi, is it solved?

New Member

Not solved as of yet. Sorry for the delay with getting back.

We are using ASA 7.2(1). Also it won't let me do a NAT line for GRE. The only options are tcp or udp.

How do I assign static one-to-one IP mapping?

Super Bronze

Hi,

The Static NAT format is almost the same as the Static PAT configuration you have done for the TCP port.

static (inside,outside) netmask 255.255.255.255

- Jouni

New Member

Thanks for your help.

I added the Static NAT line. static (inside,outside) netmask 255.255.255.255

The firewall is no longer dropping gre traffic as it was before, however I am not able to connect to VPN.
