1343 Views, 0 Helpful, 3 Replies

Cisco ASA 5505 VPN Help Needed

b_peacock28 (Level 1)

Hi all.

I am trying to connect to a VPN set up at a remote customer site. However it seems that connections cannot be established from inside my office network. I have tried from other sites and connections can be established. For obvious reasons, this is not a practical solution.

I have run network monitoring within the ASDM at the time of various connection attempts and keep getting the following message:

regular translation creation failed for protocol 47 src inside:192.168.0.81 dst outside:194.75.53.148

My configuration is below:

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxx.local
enable password SpSqlpxlX4bU60eP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group XXXX
 ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.local
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc smtp abc smtp netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.85 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group abc request dialout pppoe
vpdn group abc localname 02024658215@abc
vpdn group abc ppp authentication pap
vpdn username 02024658215@abc password ********* store-local
dhcpd auto_config outside
!
username manager password KDNz8d1FwKy7dzg2 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:27b2bfc3a2fa63ce614199070bd1195f
: end

If I drill down into the error further, it says that the ASA is not permitted to let traffic destined for a network or broadcast address through. The traffic is coming back to 192.168.0.81, which is neither of these.

Maybe I am overlooking something simple but any help or guidance would be much appreciated.

Thanks in advance.

Ben Peacock.

3 Replies

Jouni Forss (VIP Alumni)

Hi,

Try adding the following configuration

policy-map global_policy
 class inspection_default
  inspect pptp

And then try again.

I'm not 100% sure whether you would perhaps need to allow GRE (protocol 47) through the firewall even after that.

- Jouni

"fixup protocol pptp" or "inspect pptp" will also take care of GRE.

By the way, you can just type "fixup protocol pptp" on the ASA and it will automatically convert it into MPF.
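Why "inspect pptp" makes the protocol 47 failure go away, as an added Python model that is not part of this thread and is not Cisco code. Interface PAT ("global (outside) 1 interface") overloads one outside address by rewriting TCP/UDP source ports; GRE has no ports, so a PAT device with nothing else to go on cannot build a translation for it, which is exactly the "regular translation creation failed for protocol 47" line in the post. PPTP inspection watches the TCP/1723 control channel, learns the Call ID the client announces in its Outgoing-Call-Request (RFC 2637), and then uses the Call ID carried in the key field of each enhanced-GRE packet to tie the tunnel to the inside host. The model reuses the two addresses from the syslog line; the outside address (an RFC 5737 documentation address standing in for the PPPoE IP), the TCP port and the Call ID are made up, the Outgoing-Call-Reply is not modelled, and the Call ID rewriting a real PAT device needs when two inside clients choose the same ID is deliberately left out.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST = 7        # RFC 2637 control message type
TCP, GRE = 6, 47            # IP protocol numbers


def build_pptp_control(ctrl_type, body):
    """RFC 2637 control header: length, message type 1, magic cookie, control type, reserved."""
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctrl_type, 0) + body


def pptp_client_call_id(data):
    """Return the client's Call ID if data is an Outgoing-Call-Request, else None."""
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if msg_type != 1 or magic != PPTP_MAGIC or length != len(data):
        raise ValueError("not a PPTP control message")
    if ctrl_type != OUT_CALL_REQUEST:
        return None
    return struct.unpack("!H", data[12:14])[0]   # Call ID is the first body field


def build_gre_pptp(call_id, payload=b""):
    """Enhanced GRE (RFC 2637 s.4): K=1 S=1, version 1, proto 0x880B, key = length + Call ID."""
    return struct.pack("!BBHHH", 0x30, 0x01, 0x880B, len(payload), call_id) + payload


def gre_call_id(packet):
    """The Call ID in the GRE key is the receiver's ID; it is the only demultiplexing handle."""
    flags, ver, proto, _, call_id = struct.unpack("!BBHHH", packet[:8])
    if not (flags & 0x20) or (ver & 0x07) != 1 or proto != 0x880B:
        raise ValueError("not PPTP GRE")
    return call_id


class PatDevice:
    """Toy interface PAT. With inspect_pptp=False it behaves like the ASA in the thread."""

    def __init__(self, outside_ip, inspect_pptp=False):
        self.outside_ip, self.inspect_pptp = outside_ip, inspect_pptp
        self.xlate = {}    # (proto, inside_ip, port) -> outside port, ordinary PAT entries
        self.calls = {}    # (server_ip, client_call_id) -> inside_ip, learned from the control channel
        self.next_port, self.log = 1024, []

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port=None, payload=b""):
        """inside -> outside. Returns (outside_ip, outside_port) or None if no xlate can be built."""
        if proto == GRE:
            known = any(s == dst_ip and h == src_ip for (s, _), h in self.calls.items())
            if not known:   # no port to overload on and no pinhole learned from PPTP: this is 305006
                self.log.append(f"regular translation creation failed for protocol {GRE} "
                                f"src inside:{src_ip} dst outside:{dst_ip}")
                return None
            return self.outside_ip, None       # protocol-47 xlate: address only, no port
        if proto == TCP and dst_port == 1723 and self.inspect_pptp and payload:
            call_id = pptp_client_call_id(payload)
            if call_id is not None:            # remember which inside host owns this Call ID
                self.calls[(dst_ip, call_id)] = src_ip
        key = (proto, src_ip, src_port)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return self.outside_ip, self.xlate[key]

    def inbound_gre(self, server_ip, packet):
        """outside -> inside: pick the inside host by the client Call ID the server put in the key."""
        return self.calls.get((server_ip, gre_call_id(packet)))


def demo():
    """Replay the thread's scenario without and with PPTP inspection; returns {inspect: (out_ok, inside_host, log)}."""
    client, server = "192.168.0.81", "194.75.53.148"   # the two addresses from the syslog line
    client_call_id = 0x0003                            # made up for the simulation
    # Outgoing-Call-Request body: Call ID followed by 154 bytes of fields this model ignores (zeroed)
    request = build_pptp_control(OUT_CALL_REQUEST, struct.pack("!H", client_call_id) + bytes(154))
    results = {}
    for inspect in (False, True):
        asa = PatDevice("203.0.113.1", inspect_pptp=inspect)     # documentation address, not the real PPPoE IP
        asa.outbound(TCP, client, 40000, server, 1723, request)  # control channel: ordinary TCP PAT
        gre_out = asa.outbound(GRE, client, None, server)        # data channel: IP protocol 47, no ports
        gre_in = asa.inbound_gre(server, build_gre_pptp(client_call_id, b"\x21\x45"))
        results[inspect] = (gre_out is not None, gre_in, list(asa.log))
    return results


if __name__ == "__main__":
    for inspect, (out_ok, back_to, log) in demo().items():
        print(f"inspect pptp={inspect}: GRE out={'ok' if out_ok else 'FAILED'}, GRE in -> {back_to}, log={log}")
```

Run as-is, the first pass reproduces the post's syslog text and drops the returning GRE because nothing maps the Call ID to an inside host; the second pass, with inspection on, passes the GRE both ways. The same reasoning explains Jouni's caveat: the pinhole exists only because the inspection engine saw the control channel, so an ACL that blocks TCP/1723 or GRE on the outside interface would still stop the tunnel.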

Adding the inspect pptp syntax in has fixed the problem. I now have access to the VPN from my comfortable office chair.

A big thanks to JouniForss and david.tran for your prompt and concise responses.
