Cisco ASA 5505 VPN connection. single user

smith606306
Level 1

A user needs to be allowed through the Cisco ASA 5505 firewall to make  a VPN connection to 83.1.**.** address on port 1723. Can anyone help me with this.

Below is the config:

ASA Version 7.2(4)
!
command-alias exec crs copy run start
hostname FSCOGLA5505-0001-1
enable password ****** encrypted
passwd 3******* encrypted
names
!
interface Vlan2
nameif outside
security-level 0
ip address 87.188.***.** 255.255.255.248
!
interface Vlan300
nameif Management
security-level 100
ip address 10.123.111.74 255.255.255.240
!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.106.254 255.255.255.128

!
interface Ethernet0/0
shutdown

interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!
interface Ethernet0/3
switchport access vlan 325
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
description Management interface
switchport access vlan 300
!
interface Ethernet0/7

banner motd
banner motd ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner motd This is a privately owned computing system.
banner motd Access is permitted only by authorized employees or agents of the company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system intended to prevent and
banner motd record unauthorized access attempts.
banner motd Unauthorized access or use is a crime under the law.
banner motd
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS

access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 1723
access-list inside_mpc extended permit tcp any any eq 47
access-list dhcp-acl extended permit udp any any range bootps bootpc
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor informational
logging buffered informational
logging asdm informational
mtu outside 1500
mtu Management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 300

global (outside) 1 interface
nat (inside) 1 10.123.106.128 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 87.18*.**.** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 Management


ssh timeout 5
console timeout 0
dhcpd dns
dhcpd lease 84600
!
dhcpd address 10.123.106.140-10.123.106.200 inside
dhcpd enable inside
ntp server 10.127.255.125 source inside prefer
ntp server 10.127.255.124 source inside
username admin password tSeVn/Rs11O2nX2W encrypted privilege 15
!
class-map type regex match-any DomainBlockList

class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
  drop-connection log
class BlockDomainsClass
  reset log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect pptp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:befd62e63bf1799599efc9ae39974f87
: end


!


13 Replies

varrao
Level 10

Are you trying to do a PPTP passthrough through the firewall? Is the PPTP server behind the firewall? If yes, then this is all that you need:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Hope this is what you were looking for.

Thanks,

Varun

Thanks,
Varun Rao

The user is behind the firewall and the server is at a remote office.

Then this is what you would need:

  1. Add PPTP inspection to the default policy-map using the default class-map.

    pixfirewall(config)#policy-map global_policy
    
    pixfirewall(config-pmap)#class inspection_default
    
    pixfirewall(config-pmap-c)#inspect pptp
    
  2. You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

    pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    
    pixfirewall(config)#global (outside) 1 interface
    

    OR

Commands to Add for Versions 7.x and 8.0 using ACL

Complete these steps to add commands for versions 7.x and 8.0 using ACL.

  1. Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.

    pixfirewall(config)#static (inside,outside) 192.168.201.5  10.48.66.106
                          netmask 255.255.255.255 0 0
    
  2. Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

    pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 
                          host 192.168.201.5 
    pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 
                          host 192.168.201.5 eq 1723
    
  3. Apply the ACL.

    pixfirewall(config)#access-group acl-out in interface outside
    

Let me know if this is not working.

-Varun

Thanks,
Varun Rao

I have done the following and it still doesn't work:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect pptp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

global (outside) 1 interface
nat (inside) 1 10.123.106.128 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 87.18*.**.** 1

Then we might need to troubleshoot the issue and check where the packets are getting lost on the firewall. For that we would need to take simultaneous logs and captures on the ASA. You can refer to this for taking captures on the ASA:

https://supportforums.cisco.com/docs/DOC-1222

Also can you take an output of this:

packet-tracer input inside tcp 23456 1723 detailed

This can also help identifying the issue.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Done the packet tracer test

FSCOGLA5505-0001-1# packet-tracer input inside tcp 10.123.106.152 23456 83.1.**.**

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3b5ffa0, priority=1, domain=permit, deny=false
        hits=30679723, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3b62828, priority=0, domain=permit-ip-option, deny=true
        hits=2554357, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-http

Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4030b00, priority=72, domain=inspect-http, deny=false
        hits=76, user_data=0x3fae2a8, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=1723, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: inspect-pptp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect pptp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4036ab8, priority=70, domain=inspect-pptp, deny=false
        hits=62, user_data=0x40a6fd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=1723, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.123.106.128 255.255.255.128
  match ip inside 10.123.106.128 255.255.255.128 outside any
    dynamic translation to pool 1 (86.**.**.** [Interface PAT])
    translate_hits = 2373331, untranslate_hits = 1205256
Additional Information:
Dynamic translate 10.123.106.152/23456 to 86.**.**.**/41948 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0x3bc1d40, priority=1, domain=nat, deny=false
        hits=2376982, user_data=0x3bc1cd0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.123.106.128, mask=255.255.255.128, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.123.106.128 255.255.255.128
  match ip inside 10.123.106.128 255.255.255.128 outside any
    dynamic translation to pool 1 (86.**.**.** [Interface PAT])
    translate_hits = 2373350, untranslate_hits = 1205299
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3bc2020, priority=1, domain=host, deny=false
        hits=2572281, user_data=0x3bc1cd0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.123.106.128, mask=255.255.255.128, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3b00488, priority=0, domain=permit-ip-option, deny=true
        hits=1153752, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2560715, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_punt
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_punt
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 86.**.**.** using egress ifc outside
adjacency Active
next-hop mac address 68bd.abbd.9c81 hits 7385

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi Andrew,

Thanks for the info; configuration-wise everything is correct. Did you try the captures as well? What were the results?

Thanks,

Varun

Thanks,
Varun Rao

I haven't had a chance yet. Could I try adding the server IP addresses to the access list?

access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 1723
access-list inside_mpc extended permit tcp any any eq 47
access-list dhcp-acl extended permit udp any any range bootps bootpc

Hi Andrew,

Can you let me know the purpose of these access-lists? I can see that they are being used in inspecting the HTTP traffic, but is there any real purpose why you have them? You would not need any access-list for the PPTP connection, since it is being established from a higher interface to a lower interface.

Thanks,

Varun

Thanks,
Varun Rao

They were already in the config. Shall I just take them out?

Yes, you can, because I don't see a purpose for it; you can at least take out the ones you have for ports 1723 and 47.

Thanks,

Varun

Thanks,
Varun Rao

Thanks, it is now working. I removed those commands from the access list.

Hey, that's great Andrew, glad it worked for you.

Thanks,

Varun

Thanks,
Varun Rao
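The chain that broke the PPTP connection above (inside_mpc matching tcp/1723 and tcp/47, the httptraffic class-map feeding that ACL into inside-policy, and inside-policy applying inspect http, whose policy drops protocol violations) can be found mechanically in a config dump. This is an added example, not code from the thread or from Cisco; the trimmed SAMPLE_CONFIG and the WEB_PORTS set are constructed assumptions, and the parser only follows the plain ASA 7.x/8.0 access-list, class-map and policy-map syntax shown in the thread.

```python
import re

# Constructed sample, cut down from the config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 1723
access-list inside_mpc extended permit tcp any any eq 47
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list inside_mpc
policy-map type inspect http http_inspection_policy
policy-map global_policy
class inspection_default
  inspect pptp
policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy
"""
WEB_PORTS = {"80", "www", "8080", "443", "https"}  # ports HTTP inspection should see
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ \S+ eq (\S+)$")


def find_misrouted_inspection(config_text):
    """Return (policy, class, acl, port) for each non-web port handed to 'inspect http'."""
    acl_ports = {}                  # ACL name -> TCP ports it matches
    class_acl = {}                  # L3/L4 class-map -> ACL it matches
    http_classes = []               # (policy, class) pairs that apply inspect http
    cur_class = cur_policy = cur_pclass = None
    for line in filter(None, (l.strip() for l in config_text.splitlines())):
        m = ACE_RE.match(line)
        if m:
            acl_ports.setdefault(m.group(1), []).append(m.group(2))
            continue
        tok = line.split()
        if tok[0] == "class-map":      # 'type inspect ...' maps are L7: skip them
            cur_class, cur_policy = (None if tok[1] == "type" else tok[1]), None
        elif tok[0] == "policy-map":   # same for 'type inspect ...' policies
            cur_policy = None if tok[1] == "type" else tok[1]
            cur_class = cur_pclass = None
        elif cur_class and tok[:2] == ["match", "access-list"]:
            class_acl[cur_class] = tok[2]
        elif cur_policy and tok[0] == "class":
            cur_pclass = tok[1]
        elif cur_policy and tok[:2] == ["inspect", "http"]:
            http_classes.append((cur_policy, cur_pclass))
    return [(pol, cls, class_acl.get(cls), port)
            for pol, cls in http_classes
            for port in acl_ports.get(class_acl.get(cls), [])
            if port not in WEB_PORTS]
```

Run against the sample it reports tcp/1723 and tcp/47 under inside-policy/httptraffic, which are exactly the two entries whose removal fixed the connection; global_policy's inspect pptp is not flagged because it matches default-inspection-traffic, not an ACL.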