topic Re: ASA 5510 not allowing PPTP traffic from inside device to ext in Network Security

ASA 5510 not allowing PPTP traffic from inside device to external server

graham.fleming — Tue, 26 Mar 2019 00:41:57 GMT

Hey Guys,

So I've tried everything to get this to work with no joy. I'm hoping someone out here can help me.

Essentially we have inside clients running XP and Vista using the PPTP client to connect to a VPN server outside. The connections always fail (but are successful from other networks).

The log entries are:

4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed

5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]

4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry

3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!

4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed

Please see the attached running config.

Thanks guys!

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Ivan Martinon — Mon, 26 Jan 2009 20:47:20 GMT

By other networks, you mean other networks behind the ASA or other networks outside the ASA? Go ahead and increase the log on your ASA since it does not show that there is something wrong on the specific log.

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

graham.fleming — Mon, 26 Jan 2009 20:48:45 GMT

By other networks I mean other networks not behind the ASA.

And that log output is showing all log messages up to level 7. Are you sure those messages on the log output aren't problematic?

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Ivan Martinon — Mon, 26 Jan 2009 20:51:31 GMT

The only log that shows reference to a PPTP connection is the following:

The rest of the lines are related to a vpn connection not being established.

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

graham.fleming — Mon, 26 Jan 2009 20:54:53 GMT

Those messages all appear with the connection attempt, though. They aren't a separate issue. Everytime the client tries to connect, those 5 messages appear in the log.

Should I try turning off PPTP inspection maybe?

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Ivan Martinon — Mon, 26 Jan 2009 21:00:39 GMT

I don't think you should do that, do you recognize this ip address 216.13.201.234? is that the server's ip address?

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

graham.fleming — Mon, 26 Jan 2009 21:07:15 GMT

Yes, that's the server IP.

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

Ivan Martinon — Mon, 26 Jan 2009 21:13:29 GMT

Odd..Does this happen to all the clients that try this connection behind this ASA? It seems as if the ASA was intercepting this connection and using it for itself, can you try again this connection and while doing this go ahea and get the "show conn " and "show local-host " when this occur?

Client ip is the workstation ip address you are trying from.

If possible go ahead and remove the Crypto map from outside interface while trying this too.

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

sdoremus33 — Mon, 26 Jan 2009 21:14:09 GMT

What I think is happening is you have the following config for Nat cntrl

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 access-list Inside_nat_outbound

nat (management) 101 0.0.0.0 0.0.0.0

and with this statement

access-list Outside_access_in extended permit tcp any host access-list Outside_access_in extended permit tcp any host 216.13.201.234 eq pptp

basically permits any outside (src) traffic to access the dst 216.13.201.234, but then your static

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

is using the interface as outside address to 192.168.111.224, and the rproblem is that the interface ip address is noy in the same subnet as your destination address

Interface address = 216.13.219.142 255.255.255.248 while your acl dst is 216.13.201.234.HTH

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

graham.fleming — Mon, 26 Jan 2009 22:04:00 GMT

Thanks for this info. Wouldn't

static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255

be used for incoming PPTP connections to .224?

We are concerned with outgoing connections here to external PPTP servers. I removed that static NAT with no change.

Any other suggestions?

Thank you!!

Re: ASA 5510 not allowing PPTP traffic from inside device to ext

sdoremus33 — Tue, 27 Jan 2009 03:30:07 GMT

My apologies, I misread the post and thought this issue was with incoming connections to .224