Solved: Microsoft VPN client and GRE

bapatsubodh · ‎05-30-2012

Hello,

Trying to access Microsoft VPN (on the internet-outside zone) server from Microsoft VPN client (inside zone)

On ASA - allowed all outbound traffic from inside to outside-internet and all traffic is blocked from internet-outside to internet.

VPN client seems to be not working in this case. When firewall was bypased Microsoft VPN client got connected to Remote Microsoft VPN server.

Do we need to enable GRE from outside to inside for this work? ( along with corresponding static NAT entry for the remote Microsoft VPN server)

Microsoft tech support document did mention about permitting GRE through firewall but it's not stating any direction.

Please share the experience.

Thanks in advance

Subodh

Jennifer Halim · ‎05-31-2012

Yes, once the inspection is enabled for PPTP, ASA will automatically open hole for GRE as per stated in the documentation advised earlier.

View solution in original post

Jennifer Halim · ‎05-30-2012

Please enable "inspect pptp" that would allow the GRE connection.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

bapatsubodh · ‎05-31-2012

Thanks for the link.

So when we enable the inspection for PPTP (similar to other protocols those are already configured for inspection) will the ASA permit the GRE traffic to cross from outside to inside?

As wireshark-packetcapture shows first GRE packet coming from the Microsoft VPN server to the client indicating that ------- "Server is initiating the GRE connection".

Please advice.

Thanks in advance.

Cheers!

S.

Jennifer Halim · ‎05-31-2012

Yes, once the inspection is enabled for PPTP, ASA will automatically open hole for GRE as per stated in the documentation advised earlier.