PPTP pass thru issue (ASA 5550).

laerciotobias
Level 1

Hi, we are not able to connect to an outside PPTP VPN server.

The scenario is this:

Connections are started from the inside network to a VPN server in the outside zone.

I have added these configs and it is still not working.

policy-map global_policy
 class inspection_default
  inspect pptp

I also have an access-list for it.

access-list inside_access_in extended permit tcp object inside-network any eq pptp
access-list inside_access_in extended permit gre object inside-network any

access-group inside_access_in in interface inside

Am I missing something, or is this all the config I have to get done?

Thanks.


Maykol Rojas
Cisco Employee

Hi,

Can you collect the logs? Also, would you please send us the output of show service-policy? If you have another free IP, can you please set a static one-to-one and try?

Cheers

Mike.

Mike, this is something that I am not following. Since we have PAT in place and all services run fine, why do we need a static NAT and the need to use another valid internet address?

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 11183, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 5, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 4, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 20698, drop 0, reset-drop 0
      Inspect: pptp, packet 219, drop 0, reset-drop 0

Thank you.

Hi,

The static is just for testing purposes. Were you able to get the logs? If we see that the GRE packets are being dropped, then there is definitely something wrong with the inspection; if not, it means that there may be something wrong with the server/client config. Have you tried to connect to that server from another location?

Cheers

Mike

I think the config is all there; I think it's something wrong with the server now.

This is all the config we should set up, right?

Hello,

That's pretty much it. It totally should work with PAT with the inspection turned on:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#maintask1

If you have any questions, please feel free to let me know. Thanks for marking the question as answered.

Cheers

Mike
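
Added example (not part of the original thread and not Cisco tooling): a small Python parser for the `show service-policy` output format quoted above, reporting whether the pptp inspection engine is matching traffic and whether it is dropping anything. The function names and status strings are hypothetical, and the sample text is constructed from the format shown in the thread.

```python
import re

# Constructed sample in the "show service-policy" format quoted in the thread.
SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 11183, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 219, drop 0, reset-drop 0
"""

# Engine name may include a sub-protocol and map name, and may be
# followed by a stray space before the comma ("skinny ,").
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<name>.+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)\s*$"
)

def parse_service_policy(text):
    """Map each inspection engine to its packet/drop/reset-drop counters."""
    engines = {}
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m is None:
            continue  # headers and tcp-proxy continuation lines
        engines[m["name"]] = {
            "packet": int(m["packet"]),
            "drop": int(m["drop"]),
            "reset_drop": int(m["reset"]),
        }
    return engines

def pptp_status(text):
    """Summarise the pptp engine's counters (status strings are hypothetical)."""
    pptp = parse_service_policy(text).get("pptp")
    if pptp is None:
        return "not-inspected"      # no "inspect pptp" in the applied policy
    if pptp["drop"] or pptp["reset_drop"]:
        return "dropping"           # inspection engine itself is discarding packets
    if pptp["packet"] == 0:
        return "no-traffic"         # enabled, but nothing has matched yet
    return "matching-no-drops"      # matched traffic, nothing dropped by inspection

if __name__ == "__main__":
    print(pptp_status(SAMPLE))
```

A zero drop count here only covers the inspection engine; the logs requested in the thread are still needed to see whether GRE packets are being dropped.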