12-19-2012 03:54 AM - edited 03-11-2019 05:39 PM
Hi all.
I am trying to connect to a VPN set up at a remote customer site. However it seems that connections cannot be established from inside my office network. I have tried from other sites and connections can be established. For obvious reasons, this is not a practical solution.
I have run network monitoring within the ASDM at the time of various connection attempts and keep get the following message:
194.75.53.148 | regular translation creation failed for protocol 47 src inside:192.168.0.81 dst outside:194.75.53.148 |
My configuration is below:
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxx.local
enable password SpSqlpxlX4bU60eP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group XXXX
ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.local
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc smtp abc smtp netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.85 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group abc request dialout pppoe
vpdn group abc localname 02024658215@abc
vpdn group abc ppp authentication pap
vpdn username 02024658215@abc password ********* store-local
dhcpd auto_config outside
!
username manager password KDNz8d1FwKy7dzg2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:27b2bfc3a2fa63ce614199070bd1195f
: end
If I drill down into the error further it says that the ASA is not permitted to let traffic destined for a network or broadcast address through. The traffic is coming back to 192.168.0.81 which is neither of these.
Maybe I am overlooking something simple but any help or guidance would be much appreciated.
Thanks in advance.
Ben Peacock.
Solved! Go to Solution.
12-19-2012 04:03 AM
Hi,
Try adding the following configuration
policy-map global_policy
class inspection_default
inspect pptp
And then try again.
I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
- Jouni
12-19-2012 04:24 AM
"fixup protocol pptp" or "inspect pptp" will also take care of GRE.
By the way, you can just type "fixup protocol pptp" on the ASA and it will automatically convert it into MPF.
12-19-2012 04:03 AM
Hi,
Try adding the following configuration
policy-map global_policy
class inspection_default
inspect pptp
And then try again.
I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
- Jouni
12-19-2012 04:24 AM
"fixup protocol pptp" or "inspect pptp" will also take care of GRE.
By the way, you can just type "fixup protocol pptp" on the ASA and it will automatically convert it into MPF.
12-19-2012 07:34 AM
Adding the inspect pptp syntax in has fixed the problem. I now have access to the VPN from my comfortable office chair.
A big thanks to JouniForss and david.tran for your prompt and concise responses.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide