unable to connect to VPN server with Port redirection

ghylandcit
Level 1

Hi. I am trying to forward traffic to our VPN server. The device is an ASA 5505 running v7.2.

I have followed these directions from Cisco, taken from this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

I even tried to set up a VPN server on the ASA, just to test, using a simple pre-shared key.

Here is my config

dns server-group DefaultDNS
 domain-name *-
access-list outside_access_in extended permit gre any host x.x.x.26
access-list outside_access_in extended permit tcp any host x.x.x.26 eq pptp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.0.40-192.168.0.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.104.0 255.255.255.0 192.168.0.249 1
route inside 192.168.107.0 255.255.255.0 192.168.0.251 1
route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.0.2 192.168.0.3
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value *.com
username * password privilege 0
username * attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:xxx
: end
nyhq-asa00#

4 Replies

andrew.prince
Level 10

Glen,

Are you using PPTP or L2TP?

Have you tested it? Are there any issues?

Sorry,

Yes, I am using PPTP on a Microsoft 2003 server set up for VPN. From what I gather, the only two ports you need to worry about are TCP pptp (1723) and IP GRE (47). I can connect to the server from a computer when I try inside, and it works fine. It's just that the ports don't seem to be forwarding. I tried to just forward 3389 (Remote Desktop) to another server, and I still had an issue. I have done this successfully on an older PIX, but this is my first time with an ASA.

Your config looks OK. What are the logs on the ASA saying at the time of connecting through to the PPTP server?

Is x.x.x.26 also your outside interface address? If so, change

static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255

to

static (inside,outside) interface 192.168.0.20 netmask 255.255.255.255
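As an added illustration (not from this thread, Cisco, or the ASA itself), the small Python check below audits a constructed config in the shape of Glen's for the two things the replies turn on: the outside ACL must permit both GRE (IP 47) and TCP 1723 to the mapped public address, and a static that names the outside interface's own IP literally should use the `interface` keyword instead. 192.0.2.26 is a placeholder for the redacted x.x.x.26, and the assumption that it is also the outside interface address is the case Andrew asks about.

```python
import re

# Constructed sample in the shape of the thread's ASA 7.2 config; 192.0.2.26
# (RFC 5737 TEST-NET) stands in for the redacted x.x.x.26.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit gre any host 192.0.2.26
access-list outside_access_in extended permit tcp any host 192.0.2.26 eq pptp
static (inside,outside) 192.0.2.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
# Assumption: the outside interface itself is addressed 192.0.2.26.
OUTSIDE_IF_IP = "192.0.2.26"

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?")


def audit_pptp_forwarding(config, outside_if_ip):
    """Return findings (strings) for the PPTP forward; an empty list means it looks right.

    Checks: a static on (inside,outside) exists, the outside ACL permits both
    GRE and TCP 1723 to the mapped public address, and a static that spells
    out the outside interface's own IP is flagged (use the 'interface' keyword).
    """
    findings, statics, permits = [], {}, set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group(2) == "outside":
            statics[m.group(3)] = m.group(4)      # mapped public addr -> inside host
        m = ACL_RE.match(line)
        if m:
            permits.add((m.group(3), m.group(2), m.group(4)))  # (dst, proto, port)
    if not statics:
        return ["no static (inside,outside) translation for the PPTP server"]
    for mapped, local in statics.items():
        public = outside_if_ip if mapped == "interface" else mapped
        if mapped == outside_if_ip:
            findings.append(f"static maps the outside interface IP {mapped} literally; "
                            f"use 'static (inside,outside) interface {local} netmask 255.255.255.255'")
        if (public, "gre", None) not in permits:
            findings.append(f"outside ACL does not permit GRE (IP 47) to {public}")
        if not ({(public, "tcp", "pptp"), (public, "tcp", "1723")} & permits):
            findings.append(f"outside ACL does not permit TCP 1723 (pptp) to {public}")
    return findings
```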
