topic Hi Karsten, I considered in Network Security

Cannot access internal PPTP Server!

david — Tue, 12 Mar 2019 04:00:18 GMT

Hi All, pulling my hair out on this one... We have an internal PPTP server that works fine when I access it via internal subnet. However, I cannot get access from an external IP via our ASA 5505. I've tried enabling/disabling PPTP Fixup as well as many different config changes, but it will not work. I even upgraded from 8.4.5 to 9.1.4. I also called the PPTP server vendor and they said that there's nothing special needed for their pptp server so I'm stumped. Debug doesn't show anything too descriptive. The last line says teardown GRE connection and then the windows vpn client says it could not connect.

The pertinent current config is below, am I missing anything obvious? Thanks!

--------------------------------------------------

ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface Ethernet0/0
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.77.77.117 255.255.255.248
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network pptp-server
host 192.168.0.3
object network Ext-IP-113
host 77.77.77.113
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
service-object udp destination eq isakmp
service-object esp
access-list outside_access_in extended permit tcp any4 object pptp-server object-group DM_INLINE_TCP_1
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
nat (outside,inside) source static any interface destination static Ext-IP-113 pptp-server
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.77.77.118 1
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
!
service-policy global_policy global

What is the content of the

Karsten Iwen — Fri, 28 Mar 2014 09:10:21 GMT

What is the content of the object-group "DM_INLINE_TCP_1"? I don't see that in the config.
I would configure the NAT in the more traditional way instead of the destination-style you are using:

object network pptp-server host 192.168.0.3 nat (inside,outside) static Ext-IP-113

And consider to migrate to SSL or IPsec VPNs. PPTP is not state of the art any more and in a security-sensitive environment I would consider PPTP more or less as cleartext.

Hi Karsten, I considered

david — Fri, 28 Mar 2014 14:08:12 GMT

Hi Karsten, I considered using the ASA to teminate VPN, but the person requesting this is doing a special project that involves a Tripp Lite Console server, which includes a pptp vpn server. I'll ask if we can instead terminate vpn access at ASA. Also, I somehow left that info out while cleaning the config. I have a few other ports open to this console server that can be closed if the vpn worked. Thanks! >

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network pptp-server
host 192.168.0.3
object network Ext-IP-113
host 77.77.77.113
object-group service Console-Range-2 tcp
port-object range 2001 2016
port-object range 3001 3016
object-group service DM_INLINE_TCP_1 tcp
group-object Console-Range-2
port-object eq https
port-object eq ftp
port-object eq ssh
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
service-object udp destination eq isakmp
service-object esp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object pptp-server
access-list outside_access_in extended permit tcp any4 object pptp-server object-group DM_INLINE_TCP_1

EDIT: Karsten, as an update, I tried removing the current NAT and tried your suggestion, but no luck and it actually broke https access to the internal server so I put it back the way it was. I also noticed this in the config >

Warning: All traffic destined to the ip address of the inside interface is being redirected

Warning: Users may not be able to access any service enabled on the inside interface

What exactly does this mean?