
Cisco ASA 5505 VPN config to allow GRE over pptp

16 years 8 months ago #25410 by rferinde
I am having an issue trying to configure my ASA 5505 for VPN traffic to pass through to an outside PPTP server. I have looked for the answers but I am still not able to get GRE to pass correctly. I can see the ASA build the connection using PPTP, but once GRE traffic starts I get:

3 Mar 12 2008 17:19:49 305006 xxx.xxx.xxx.000 regular translation creation failed for protocol 47 src inside:xxx.xxx.xxx.000 dst outside:xxx.xxx.xxx.000

I have added the inspect for pptp to the config but this has not helped either.

My config is as follows:

ASA Version 7.2(2)
!
hostname COMPANYASA
domain-name Domain.Domain.org
enable password fUFwYfhZIF9hUMvC encrypted
no names
name 900.xxx.xxx.000 Externalcsg
name 900.xxx.xxx.000 Externalexchange
name 900.xxx.xxx.000 Externalwwwseaf
name 10.xxx.xxx.000 DMZweb01
name 10.xxx.xxx.000 DMZweb02
name 10.xxx.xxx.000 Internalctrx01
name 10.xxx.xxx.000 Internalctrx02
name 10.xxx.xxx.000 Internalcompanyhqdc
name 10.xxx.xxx.000 Internalwwwcompany
name 10.xxx.xxx.0 CONTRACTOR
!
interface Vlan1
nameif inside
security-level 100
ip address 10.xxx.xxx.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 900.xxx.xxx.000 255.255.255.248
ospf cost 10
!
interface Vlan3
nameif COMPANYDMZ
security-level 50
ip address 10.xxx.xxx.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name Domain.Domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Company
network-object 10.xxx.xxx.0 255.255.255.0
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq www
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq smtp
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq https

access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq www
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq https

access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq www
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq pop3
access-list outside_access_in_1 extended permit tcp any host 900.xxx.xxx.000 eq imap4

access-list COMPANYDMZ extended permit icmp any any
access-list COMPANYDMZ extended permit ip any any
access-list COMPANYDMZ extended permit tcp any any eq www
access-list COMPANYDMZ extended permit tcp any any eq citrix-ica
access-list COMPANYDMZ extended permit tcp any any eq 8080
access-list capture extended permit tcp any host 900.xxx.xxx.000 eq www
access-list nat-zone-1 extended permit ip host 10.xxx.xxx.000 any
access-list nat-zone-2 extended permit ip host 10.xxx.xxx.000 any
access-list outside_20_cryptomap extended permit ip 10.xxx.xxx.0 255.255.255.0 10.xxx.xxx.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.xxx.xxx.000 255.255.255.0 10.xxx.xxx.0 255.255.255.0
access-list inside_access_in extended permit gre host 900.xxx.xxx.000 10.xxx.xxx.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging from-address admin@company.org
logging recipient-address rferinde@company.org level errors
mtu inside 1500
mtu outside 1500
mtu COMPANYDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (COMPANYDMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (COMPANYDMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 900.xxx.xxx.000 10.xxx.xxx.000 netmask 255.255.255.255
static (inside,outside) 900.xxx.xxx.000 10.xxx.xxx.000 netmask 255.255.255.255
static (COMPANYDMZ,outside) 900.xxx.xxx.000 10.xxx.xxx.000 netmask 255.255.255.255
static (COMPANYDMZ,inside) 900.xxx.xxx.000 access-list nat-zone-1
static (COMPANYDMZ,inside) 10.xxx.xxx.000 access-list nat-zone-2
static (inside,COMPANYDMZ) 10.xxx.xxx.000 10.xxx.xxx.000 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
access-group COMPANYDMZ in interface COMPANYDMZ
route outside 0.0.0.0 0.0.0.0 900.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.xxx.xxx.000 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 900.xxx.xxx.000
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 10.xxx.xxx.000 type ipsec-l2l
tunnel-group 10.xxx.xxx.000 ipsec-attributes
pre-shared-key *
telnet 10.xxx.xxx.000 255.255.255.0 inside
telnet timeout 1440
ssh 10.xxx.xxx.000 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect pptp
!
smtp-server xxx.xxx.xxx.000
prompt hostname context
Cryptochecksum:6dc6a1a9666d34e0e96581e694dbea1d
: end


Key:
Public IP: 900.xxx.xxx.000
Public Side Router: 900.xxx.xxx.1
Private IP: 10.xxx.xxx.000
Private Network: 10.xxx.xxx.0
Private Router: 10.xxx.xxx.1
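The 305006 message quoted above is the ASA saying it could not build a NAT translation for IP protocol 47 (GRE), which is exactly the leg of PPTP that has no ports and therefore cannot be overloaded onto the outside interface address. The following script is an added example, not code from this thread or from Cisco: it parses 305006 lines in both the ASDM log-viewer layout shown in the post and the plain syslog layout, tallies failures per protocol, and lists the inside client / outside server pairs whose GRE leg failed. The log lines in it are constructed with documentation addresses.

```python
"""Parse Cisco ASA 305006 'translation creation failed' messages and group
them by IP protocol, so GRE (protocol 47) failures that break PPTP
pass-through stand out from ordinary PAT noise.  Added example, not code
from the thread or from Cisco; the sample log lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers that matter when diagnosing VPN pass-through.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

# Body of a 305006 message.  Works for both the ASDM log-viewer layout
# ("3 Mar 12 2008 17:19:49 305006 <ip> regular translation ...") and the
# syslog layout ("%ASA-3-305006: regular translation ...").  The /port part
# is absent for port-less protocols such as GRE.
BODY_RE = re.compile(
    r"(?P<kind>outbound static|identity|portmap|regular) translation creation "
    r"failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
)

# Constructed sample: a PPTP client on the inside reaches the server on
# TCP/1723, then the GRE leg fails twice; plus one unrelated UDP PAT failure.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.5/1723 "
    "(198.51.100.5/1723) to inside:10.0.0.20/49321 (192.0.2.20/49321)",
    "3 Mar 12 2008 17:19:49 305006 192.0.2.20 regular translation creation failed "
    "for protocol 47 src inside:10.0.0.20 dst outside:198.51.100.5",
    "%ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:10.0.0.20 dst outside:198.51.100.5",
    "%ASA-3-305006: portmap translation creation failed for protocol 17 "
    "src inside:10.0.0.31/5060 dst outside:203.0.113.9/5060",
]


@dataclass(frozen=True)
class XlateFailure:
    kind: str
    proto: int
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_line(line: str) -> Optional[XlateFailure]:
    """Return the parsed failure for a 305006 line, or None for any other line."""
    if "305006" not in line:
        return None
    m = BODY_RE.search(line)
    if m is None:
        return None
    return XlateFailure(m["kind"], int(m["proto"]), m["src_if"], m["src_ip"],
                        m["dst_if"], m["dst_ip"])


def failures_by_protocol(lines: List[str]) -> Dict[str, int]:
    """Count translation failures per protocol name, e.g. {'gre': 2, 'udp': 1}."""
    return dict(Counter(f.proto_name for f in map(parse_line, lines) if f))


def gre_clients(lines: List[str]) -> List[Tuple[str, str]]:
    """Distinct (inside client, outside server) pairs whose GRE leg the ASA
    could not translate.  With PPTP these are the clients whose tunnel will
    hang right after the TCP/1723 control session comes up."""
    seen: List[Tuple[str, str]] = []
    for f in map(parse_line, lines):
        if f and f.proto == 47 and (f.src_ip, f.dst_ip) not in seen:
            seen.append((f.src_ip, f.dst_ip))
    return seen


if __name__ == "__main__":
    print(failures_by_protocol(SAMPLE_LOG))
    for client, server in gre_clients(SAMPLE_LOG):
        print(f"GRE xlate failed: {client} -> {server} "
              f"(check 'inspect pptp' is applied, or give the client a static NAT)")
```

Feed it a buffered-log dump (`show logging`) or the ASDM export; a non-empty `gre_clients` result with an otherwise healthy TCP/1723 session is the signature of PPTP pass-through missing either an applied PPTP inspection or a one-to-one static for the client.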
16 years 7 months ago #25589 by ramasamy
Hi,

Try the alternate steps mentioned below. If the Step 1 configuration is not working for you, try to capture the packet and check the PPTP version; I believe only PPTP version 1 is supported.

Step 1:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixfirewall(config)#global (outside) 1 interface


OR

Step 2:

Define the static mapping for the inside PC.

pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0

Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723

Apply the ACL.

pixfirewall(config)#access-group acl-out in interface outside
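The two alternatives above can be checked mechanically before a change window. The script below is an added example, not code from the thread or from Cisco: it audits an ASA configuration for Step 1 (`inspect pptp` in a policy-map, and that policy-map actually applied with a `service-policy` line, without which the inspection does nothing) and for Step 2 (a one-to-one `static` for the PPTP client plus an outside ACL that permits GRE and TCP/1723 back in). The configuration it runs on is constructed with documentation addresses and deliberately lacks the `service-policy` line so the report shows what that gap looks like.

```python
"""Audit an ASA configuration for the two PPTP pass-through set-ups discussed
in this thread: (1) 'inspect pptp' in a policy-map that is applied with
service-policy, or (2) a static mapping for the PPTP client plus an outside
ACL permitting GRE and TCP/1723 inbound.  Added example, not Cisco's or the
posters' code; SAMPLE_CFG is constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CFG = """\
hostname EXAMPLE-ASA
access-list outside_access_in extended permit gre host 198.51.100.5 host 192.0.2.20
access-list outside_access_in extended permit tcp host 198.51.100.5 host 192.0.2.20 eq pptp
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.20 10.0.0.20 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
"""


def parse_inspections(cfg: str) -> Dict[str, Dict[str, Set[str]]]:
    """policy-map name -> class name -> inspected protocols.  Assumes sections
    are separated by '!' (or blank) lines, as ASA running-configs are, so the
    parse does not depend on indentation that forum pastes often lose."""
    pmaps: Dict[str, Dict[str, Set[str]]] = {}
    pmap = cls = None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            pmap = cls = None
            continue
        if tok[0] == "policy-map" and len(tok) == 2:   # skips 'policy-map type inspect ...'
            pmap, cls = tok[1], None
            pmaps.setdefault(pmap, {})
        elif pmap and tok[0] == "class" and len(tok) == 2:
            cls = tok[1]
            pmaps[pmap].setdefault(cls, set())
        elif pmap and cls and tok[0] == "inspect" and len(tok) >= 2:
            pmaps[pmap][cls].add(tok[1])
    return pmaps


def applied_policies(cfg: str) -> Dict[str, str]:
    """policy-map name -> where it is applied ('global' or 'interface X')."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*service-policy (\S+) (.+)$", cfg, re.M)}


def interface_acl(cfg: str, iface: str) -> Optional[str]:
    m = re.search(rf"^\s*access-group (\S+) in interface {re.escape(iface)}\s*$", cfg, re.M)
    return m.group(1) if m else None


def acl_permits(cfg: str, acl: str, proto_re: str, port_re: Optional[str] = None) -> bool:
    """True if the named ACL has a permit entry for the protocol (and port, if given)."""
    pat = rf"^\s*access-list {re.escape(acl)} (?:extended )?permit (?:{proto_re}) .*$"
    for line in re.findall(pat, cfg, re.M):
        if port_re is None or re.search(rf"\beq (?:{port_re})\b", line):
            return True
    return False


def static_for_host(cfg: str, inside_ip: str) -> Optional[str]:
    """Outside address of a one-to-one static for the inside host, if any."""
    m = re.search(rf"^\s*static \(inside,outside\) (\S+) {re.escape(inside_ip)} "
                  r"netmask 255\.255\.255\.255", cfg, re.M)
    return m.group(1) if m else None


def audit(cfg: str, client_ip: str) -> Dict[str, object]:
    pmaps = parse_inspections(cfg)
    applied = applied_policies(cfg)
    pptp_in: List[Tuple[str, str]] = [(p, c) for p, classes in pmaps.items()
                                      for c, insp in classes.items() if "pptp" in insp]
    acl = interface_acl(cfg, "outside")
    return {
        "pptp_inspect": pptp_in,
        "inspect_applied": any(p in applied for p, _ in pptp_in),
        "static_mapped_ip": static_for_host(cfg, client_ip),
        "outside_acl": acl,
        "outside_acl_permits_gre": bool(acl) and acl_permits(cfg, acl, "gre|47"),
        "outside_acl_permits_pptp": bool(acl) and acl_permits(cfg, acl, "tcp", "pptp|1723"),
    }


def findings(report: Dict[str, object]) -> List[str]:
    """Human-readable gaps; an empty list means both set-ups look complete."""
    msgs = []
    if not report["pptp_inspect"]:
        msgs.append("no 'inspect pptp' in any policy-map")
    elif not report["inspect_applied"]:
        msgs.append("inspect pptp is configured but its policy-map is not applied with service-policy")
    if not report["static_mapped_ip"]:
        msgs.append("no one-to-one static for the PPTP client; GRE has no ports, so interface PAT alone cannot translate it")
    if not report["outside_acl_permits_gre"]:
        msgs.append("outside ACL does not permit GRE back to the client")
    if not report["outside_acl_permits_pptp"]:
        msgs.append("outside ACL does not permit TCP/1723 back to the client")
    return msgs


if __name__ == "__main__":
    for msg in findings(audit(SAMPLE_CFG, "10.0.0.20")):
        print("FINDING:", msg)
```

Run it against `show running-config` output with the PPTP client's inside address; on the constructed configuration the only finding is the unapplied policy-map, and appending `service-policy global_policy global` clears it.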