topic Re: ASA Blocking VPN access in Network Security

ASA Blocking VPN access

Eggzter100 — Mon, 11 Mar 2019 17:33:48 GMT

Hi all,

I've set up a client to site vpn using Windows XP client which works fine when connecting wirelessly via a Vodafone dongle. I have just installed a new ASA 5510 in a brand new branch office network. When connecting through the ASA from the new network, it tries to verify and then I get a 619 error and cannot connect. I have added a rule to the ouside interface coming in. What do I need to do to let it authenticate?

Regards

Egg

Re: ASA Blocking VPN access

Jennifer Halim — Fri, 16 Apr 2010 11:13:02 GMT

What VPN client are you using? Is this IPSec VPN Client or SSL VPN Client? or other type of client (PPTP client)?

Also just want to double check that the VPN connection is passing through the ASA, not terminating on the ASA?

If it's passing through the ASA, and assuming you have configured static NAT, please advise what access-list you have configured to allow access.

Re: ASA Blocking VPN access

Eggzter100 — Fri, 16 Apr 2010 15:12:18 GMT

I'm just using the Windows XP PPTP client passing through the ASA conecting to a Watchguard FireBox. I have configured NAT as type Dynamic, source any, interface outside, address outside. I have set up an access-list (outside incoming) allowing the remote network to the internal network for IP and the default inside any IP to any less secure networks.

Re: ASA Blocking VPN access

Kelvin Willacey — Fri, 16 Apr 2010 15:50:13 GMT

Can you check if inspect pptp is enabled under the global policy map, although I think that maybe if you were connecting to a pptp server on the outside from the inside, and since you have an outside acl then it should work. Try setting the logging level to debug and check the logs to see if anything weird is happening. In any case give the following link a check.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Re: ASA Blocking VPN access

Jennifer Halim — Fri, 16 Apr 2010 22:51:05 GMT

Well, what do you mean by you configure dynamic NAT on the outside? That will not work.

Assuming that the connection is inbound from outside to inside (low to high security level), you would need to configure static translation.

For example:

If your PPTP server ip is 10.1.1.1, and translated to 200.1.1.1, you should configure the following:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 200.1.1.1 eq 1723

access-group outside in interface outside

Then add "inspect pptp" in your global policy map as KWillacey advised earlier.

Hope that helps.

Re: ASA Blocking VPN access

Eggzter100 — Mon, 19 Apr 2010 08:21:07 GMT

Sorry, to clarify, I'm using ASA ver 8.2(1). I have set up my nat as follows:

nat (inside) 101 0.0.0.0 0.0.0.0

global (outside) 101 interface

Do I need to set up a static nat as well?

Re: ASA Blocking VPN access

Jennifer Halim — Mon, 19 Apr 2010 08:26:06 GMT

Yes, you definitely need a static NAT for the PPTP server.

Re: ASA Blocking VPN access

Eggzter100 — Mon, 19 Apr 2010 09:19:32 GMT

It's a bit slow but all is working now after adding inspect pptp to the global_policy. According to the link posted earlier, you do not need to define a static mapping because the ASA 8.0 now inspects PPTP traffic. You can use PAT or define a static mapping. Thanks for all your help.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Commands to Add for Versions 7.x and 8.0 using inspection

Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixfirewall(config)#global (outside) 1 interface

Commands to Add for Versions 7.x and 8.0 using ACL

Complete these steps to add commands for versions 7.x and 8.0 using ACL.

Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.

pixfirewall(config)#static (inside,outside) 192.168.201.5  10.48.66.106
                      netmask 255.255.255.255 0 0

Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 
                      host 192.168.201.5 
pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 
                      host 192.168.201.5 eq 1723

Apply the ACL.

pixfirewall(config)#access-group acl-out in interface outside

Re: ASA Blocking VPN access

Jennifer Halim — Mon, 19 Apr 2010 10:11:23 GMT

Correct for outbound PPTP connection. For inbound PPTP connection, you would still need to configure static NAT.

Re: ASA Blocking VPN access

sateeshk10 — Thu, 17 Jun 2010 15:01:41 GMT

Hi,

Outbound PPTP is not working with below mentioned config..Do I need to add anything apart from this?

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

Regards

Kumar

Re: ASA Blocking VPN access

Federico Coto Fajardo — Thu, 17 Jun 2010 15:09:04 GMT

Check the notes for PPTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1432892

Are you getting any errors?

Federico.

Re: ASA Blocking VPN access

sateeshk10 — Thu, 17 Jun 2010 15:25:35 GMT

Hi,

Thanks for immediate reponse....Where/how to check for errors? r u asking errors are getting on clinet/ASA side..

Regards

kumar

Re: ASA Blocking VPN access

Federico Coto Fajardo — Thu, 17 Jun 2010 15:40:00 GMT

Yes,

You're saying that outbound PPTP is not working through the ASA.

Are you getting any messages either on the client or server side?

Is the PPTP server ''inside'' or ''outside'' the ASA?

Federico.