Question : How do I connect to a Windows VPN server through a Cisco ASA 5505?

I have a Cisco ASA5505 for a small office network. We have a customer who has a Windows VPN server that we need to connect to. I've read lots of forum posts about the need to tie the GRE47 traffic to the PPTP traffic by using the inspect pptp command. I have configured this inspect, but I still can't connect to the VPN. I know the VPN is working, as if I bypass the 5505 everything works as it should.

I've inspected the packets using Wireshark, and the server and client are talking, but the client never gets a response to the PPP LCP Configure Request and eventually times out. The client is Windows 7 Pro, but I've tried on an XP machine and get the same response. Anyone got any ideas?

Here's my (sanitised) Cisco config:

ASA Version 7.2(4) 
!
hostname myhost
domain-name mycompany.com
enable password ****** encrypted
passwd ******* encrypted
names
name xxx.xxx.xxx.xxx Machine1
name xxx.xxx.xxx.xxx Machine2
name xxx.xxx.xxx.xxx SERVER1
name xxx.xxx.xxx.xxx SERVER2
name xxx.xxx.xxx.xxx CustomerVPNServer
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OfficeExternalIP 255.255.255.192 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name mycompany.com
object-group network Customer
 description Allows Customer to connect to us.
 network-object host Machine1
object-group network LOCALGROUP
 network-object host Machine2
 network-object host SERVER1
 network-object host SERVER2
object-group network DM_INLINE_NETWORK_1
 group-object Customer
 group-object MYCOMPANY
object-group service RemoteDesktop tcp
 description Remote Desktop Connection
 port-object eq 3389
object-group service SQLServer tcp
 description Allows connection to SQL Server
 port-object eq 1433
object-group network DM_INLINE_NETWORK_2
 group-object Customer
 group-object MYCOMPANY
access-list outside_access_in remark http access allowed
access-list outside_access_in extended permit tcp any host MYCOMPANYOfficeInternal eq www 
access-list outside_access_in remark https access allowed
access-list outside_access_in extended permit tcp any host MYCOMPANYOfficeInternal eq https 
access-list outside_access_in remark Allows incoming remote desktop connection
access-list outside_access_in extended permit tcp object-group MYCOMPANY host MYCOMPANYOfficeInternal object-group RemoteDesktop 
access-list outside_access_in remark Allows connections to SQL Server
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host MYCOMPANYOfficeInternal object-group SQLServer 
access-list inside_access_in extended permit ip any any 
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_2 host MYCOMPANYOfficeInternal eq www 
access-list outside_access_in_2 remark http access allowed
access-list outside_access_in_2 extended permit tcp any any eq www 
access-list outside_access_in_2 remark https access allowed
access-list outside_access_in_2 extended permit tcp any any eq https 
access-list outside_access_in_2 remark Allows Machine1 to connect via Remote Desktop
access-list outside_access_in_2 extended permit tcp host Machine2 any object-group RemoteDesktop 
access-list outside_access_in_2 extended permit tcp host CustomerVPNServer any eq pptp 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface MYCOMPANYOfficeInternal netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in_2 in interface outside
established tcp 0 0
established udp 0 0
route outside 0.0.0.0 0.0.0.0 <EXTERNAL-IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http MYCOMPANYOfficeInternal 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 192.168.0.118 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.118 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.0.100 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns <EXTERNAL-IP>
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.250 inside
dhcpd dns <EXTERNAL-IP> interface inside
dhcpd enable inside
!

tftp-server inside 192.168.0.100 C:\TFTP\ASAConfig
username MYCOMPANY nopassword
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect ipsec-pass-thru 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
: end
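The question hinges on two config-side facts: whether "inspect pptp" is actually active (it has to sit in a policy-map that is attached with "service-policy <name> global") and what the outside access-group permits for TCP/1723 and GRE. The following script is an added example, not something from the original post or from Cisco; it audits an ASA 7.x-style running config for exactly those items. The embedded SAMPLE_CONFIG is a constructed excerpt of the posted config, and the simple block parser (indented lines grouped under the preceding top-level command) is an assumption of this example rather than an official config grammar.

```python
"""Audit an ASA 7.x-style running config for PPTP pass-through prerequisites.

Checks performed (constructed for this example, not an official Cisco tool):
  * 'inspect pptp' sits under a policy-map attached with
    'service-policy <name> global'
  * which access-list is bound inbound on the 'outside' interface and which
    of its ACEs permit TCP/1723 (pptp) or GRE
"""
import re

# Constructed sample: the relevant lines excerpted from the config posted above.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect pptp
  inspect ipsec-pass-thru
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in_2 remark http access allowed
access-list outside_access_in_2 extended permit tcp any any eq www
access-list outside_access_in_2 extended permit tcp any any eq https
access-list outside_access_in_2 extended permit tcp host Machine2 any object-group RemoteDesktop
access-list outside_access_in_2 extended permit tcp host CustomerVPNServer any eq pptp
access-group inside_access_in in interface inside
access-group outside_access_in_2 in interface outside
service-policy global_policy global
"""


def parse_blocks(config_text):
    """Map each top-level command to the list of indented lines beneath it.

    Nesting depth is flattened: 'inspect pptp' under 'class inspection_default'
    still lands in the enclosing policy-map's list, which is all we need here.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def global_policy_maps(blocks):
    """Names of policy-maps attached firewall-wide via 'service-policy X global'."""
    names = []
    for cmd in blocks:
        m = re.match(r"service-policy (\S+) global$", cmd)
        if m:
            names.append(m.group(1))
    return names


def pptp_inspection_enabled(blocks):
    """True when 'inspect pptp' is present in a globally applied policy-map."""
    for name in global_policy_maps(blocks):
        if "inspect pptp" in blocks.get(f"policy-map {name}", []):
            return True
    return False


def outside_acl_name(blocks):
    """Name of the ACL bound inbound on the interface named 'outside', or None."""
    for cmd in blocks:
        m = re.match(r"access-group (\S+) in interface outside$", cmd)
        if m:
            return m.group(1)
    return None


def acl_entries(blocks, acl_name):
    """Tokenised 'extended' ACEs of one ACL (remark lines are skipped)."""
    pattern = re.compile(rf"access-list {re.escape(acl_name)} extended (.+)$")
    entries = []
    for cmd in blocks:
        m = pattern.match(cmd)
        if m:
            entries.append(m.group(1).split())
    return entries


def permit_aces(entries, proto, port=None):
    """ACEs that permit `proto`, optionally restricted to a trailing 'eq <port>'."""
    hits = []
    for tokens in entries:
        if tokens[:2] != ["permit", proto]:
            continue
        if port is None or tokens[-2:] == ["eq", port]:
            hits.append(" ".join(tokens))
    return hits


def audit_pptp_passthrough(config_text):
    """Summarise the PPTP-relevant state of a config as a dict."""
    blocks = parse_blocks(config_text)
    acl = outside_acl_name(blocks)
    entries = acl_entries(blocks, acl) if acl else []
    return {
        "inspect_pptp_global": pptp_inspection_enabled(blocks),
        "outside_acl": acl,
        "inbound_pptp_aces": permit_aces(entries, "tcp", "pptp"),
        "inbound_gre_aces": permit_aces(entries, "gre"),
    }


if __name__ == "__main__":
    for key, value in audit_pptp_passthrough(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted config the audit reports inspect pptp as active in global_policy, outside_access_in_2 as the inbound ACL, one ACE permitting TCP/1723 from CustomerVPNServer, and no GRE ACE. The missing GRE ACE is informational for an outbound client session: PPTP inspection is what opens the GRE pinhole for a control connection initiated from inside, so the config side looks complete, and the LCP Configure-Request timeout seen in Wireshark points at the GRE return path (for example an upstream device or the PAT behaviour) rather than at a missing ACL entry.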

Answer : How do I connect to a Windows VPN server through a Cisco ASA 5505?

In your config you use "any" as the destination for RemoteDesktop and pptp (and now gre). In your static (inside,outside) you reference "MYCOMPANYOfficeInternal".

Is it the same server running your RRAS as what you are remote desktopping to? If not, you will need to tune your static (inside,outside) statements, because you are directing all allowed ports to the MYCOMPANYOfficeInternal IP address.

This will replace what you are already doing:
static (inside,outside) tcp interface www MYCOMPANYOfficeInternal www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https MYCOMPANYOfficeInternal https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 MYCOMPANYOfficeInternal 3389 netmask 255.255.255.255 0 0


If you have a different server at RRASServerIP define it and add
static (inside,outside) tcp interface pptp RRASServerIP pptp netmask 255.255.255.255 0 0
static (inside,outside) gre interface RRASServerIP netmask 255.255.255.255 0 0

If it is not a different IP from what your other NATs go to, ignore this and let me know.

Good Luck
