https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467639#M614615 <HTML><HEAD></HEAD><BODY><P>Thank you for your prompt response, but didn't make the trick <IMG border="0" src="http://i.dslr.net/v2/lite/sad.gif" width="15" /><BR />I removed the static NAT and enabled the PPTP inspection but no joy...</P><P><BR />From the clients, I get a 800 error. I am investigating it</P><P></P><P>Thank you for your help!</P><P></P><P>Regards</P></BODY></HTML> Thu, 12 Aug 2010 12:57:05 GMT robertovd 2010-08-12T12:57:05Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467637#M614613 <P>Good morning!</P><P></P><P>Sorry but I am not very networking related, and after checking more posts, and made changes after recommendations, cannot get it to work.</P><P></P><P>I am trying to configure my ASA 5505 to be able to accept incoming request to the port 1723 and being forwarded to our Windows VPN connection.</P><P></P><P>The scenario is the following:<BR />interface Vlan1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.202 255.255.255.0<BR />!<BR />interface Vlan2<BR />nameif outside<BR />security-level 0<BR />ip address 83.244.*.* 255.255.255.224</P><P></P><P>The VPN machine has 192.168.1.211.</P><P></P><P>I created the security policies:</P><P></P><P>access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0<BR />access-list outside_access_in extended permit icmp host 94.185.144.62 any<BR />access-list outside_access_in extended permit object-group TCPUDP any host 83.244.*.* object-group DM_INLINE_TCPUDP_1<BR />access-list outside_access_in extended permit tcp any host 83.244.*.* eq 1111<BR />access-list outside_access_in extended permit tcp any host 83.244.*.* eq 3389<BR />access-list outside_access_in extended permit udp any any<BR /><STRONG>access-list outside_access_in extended permit tcp any 83.244.*.* 255.255.255.224 eq pptp<BR />access-list outside_access_in extended permit gre any 83.244.*.* 255.255.255.224 </STRONG><BR />access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0</P><P></P><P>According to this, I permit traffic to the port 1723 and the GRE service for the PPTP.</P><P></P><P>After that, I created the NAT:</P><P></P><P>global (outside) 1 interface<BR />nat (inside) 0 access-list 101<BR />nat (inside) 1 192.168.1.0 255.255.255.0<BR />static (outside,inside) tcp 192.168.1.203 3389 83.244.*.* 3389 netmask 255.255.255.255<BR /><STRONG>static (inside,outside) tcp interface pptp 192.168.1.211 pptp netmask 255.255.255.255<BR />static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255<BR />access-group outside_access_in in interface outside </STRONG><BR />route outside 0.0.0.0 0.0.0.0 83.244.*.* 1</P><P></P><P>I created 2 different static NAT because I don't really know which one is the valid one.</P><P></P><P>We use also the ASA as a DHCP server</P><P></P><P>dhcpd auto_config outside<BR />dhcpd option 4 ip 130.88.200.4<BR />dhcpd option 156 ascii ftpservers=192.168.1.203<BR />!<BR />dhcpd address 192.168.1.1-192.168.1.199 inside<BR />dhcpd dns 192.168.1.212 192.168.1.219 interface inside<BR />dhcpd enable inside</P><P></P><P>The VPN is working correctly from the inside network, but cannot access from outside...</P><P></P><P>I spent many days reading Cisco articles and change the configuration many times, but no joy...<BR />Can anybody help me with this?</P><P></P><P>Thanks a lot!</P><P></P><P>Have a nice day!<BR />Regards,</P><P>rob</P> Mon, 11 Mar 2019 18:24:43 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467637#M614613 robertovd 2019-03-11T18:24:43Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467638#M614614 <HTML><HEAD></HEAD><BODY><P>You might want to remove the following line:</P><P><STRONG>static (outside,inside) tcp 192.168.1.211 pptp 83.244.*.* pptp netmask 255.255.255.255</STRONG></P><P></P><P>And also add "inspect pptp" under your global policy.</P></BODY></HTML> Thu, 12 Aug 2010 11:49:07 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467638#M614614 Jennifer Halim 2010-08-12T11:49:07Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467639#M614615 <HTML><HEAD></HEAD><BODY><P>Thank you for your prompt response, but didn't make the trick <IMG border="0" src="http://i.dslr.net/v2/lite/sad.gif" width="15" /><BR />I removed the static NAT and enabled the PPTP inspection but no joy...</P><P><BR />From the clients, I get a 800 error. I am investigating it</P><P></P><P>Thank you for your help!</P><P></P><P>Regards</P></BODY></HTML> Thu, 12 Aug 2010 12:57:05 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467639#M614615 robertovd 2010-08-12T12:57:05Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467640#M614616 <HTML><HEAD></HEAD><BODY><P>Did you also "clear xlate" after removing the static NAT?</P><P></P><P>Also where is it failing?</P><P></P><P>Does TCP/1723 connect? and GRE is failing? or none are working?</P><P>Have you tried to telnet on port 1723 from the outside towards the public ip address of the ASA firewall?</P><P></P><P>Your static NAT uses the ASA outside interface ip address, can you try to use a spare public ip address that you have instead?</P><P></P><P>You would need to configure the following:</P><P>static (inside,outside) 83.244.x.x 192.168.1.211 netmask 255.255.255.255</P><P></P><P>Then "clear xlate" and test it again. Thanks.</P></BODY></HTML> Thu, 12 Aug 2010 13:04:27 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467640#M614616 Jennifer Halim 2010-08-12T13:04:27Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467641#M614617 <HTML><HEAD></HEAD><BODY><P>Thanks again!</P><P>I cannot put a different public IP address because the firewall is connected to the firewall of the building. In the building firewall is already opened the port 1723 and allowing GRE protocol and forwarded to the outside interface ip address of the Cisco (83.244.*.*)</P><P></P><P>I tried to telnet the ip address on the port 1723 but seems that cannot connect, however, doing a port scanning on that ip address shows the port open.</P><P></P><P>Also, after deleting the static nat, I executed the clear xlate.</P><P></P><P>Thanks a lot!</P><P></P><P>Regards</P></BODY></HTML> Thu, 12 Aug 2010 13:17:03 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467641#M614617 robertovd 2010-08-12T13:17:03Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467642#M614618 <HTML><HEAD></HEAD><BODY><P>I am trying the pptp-ping tool and seems that I am having some problems with the GRE/PPTP packets...</P><P>Will try to first solve this issue</P><P></P><P>Thanks a lot</P></BODY></HTML> Thu, 12 Aug 2010 15:10:56 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467642#M614618 robertovd 2010-08-12T15:10:56Z https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467643#M614619 <HTML><HEAD></HEAD><BODY><P>Thanks a lot halijenn. I had a problem with the PPTP and GRE traffic. Now it is working fine.</P><P><BR />Regards</P><P><BR />Robert</P></BODY></HTML> Fri, 13 Aug 2010 07:16:32 GMT https://community.cisco.com/t5/network-security/problems-allowing-vpn-connections/m-p/1467643#M614619 robertovd 2010-08-13T07:16:32Z