08-19-2008 11:33 AM - edited 03-11-2019 06:33 AM
Hi. I am trying to forward traffic to our VPN server. The device is an ASA 5505 running v7.2.
I have followed these directions from Cisco that were taken from the URL:
I even tried to set up a VPN server on the ASA, just to test, using a simple pre-shared key.
Here is my config:
dns server-group DefaultDNS
domain-name *-
access-list outside_access_in extended permit gre any host x.x.x.26
access-list outside_access_in extended permit tcp any host x.x.x.26 eq pptp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.0.40-192.168.0.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.104.0 255.255.255.0 192.168.0.249 1
route inside 192.168.107.0 255.255.255.0 192.168.0.251 1
route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.0.2 192.168.0.3
vpn-tunnel-protocol l2tp-ipsec
default-domain value *.com
username * password privilege 0
username * attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:xxx
: end
nyhq-asa00#
08-20-2008 01:16 AM
Glen,
Are you using PPTP or L2TP?
have you tested it - are there any issues?
08-20-2008 05:56 AM
Sorry,
Yes, I am using PPTP on a Microsoft 2003 server set up for VPN. From what I gather, the only two ports you need to worry about are TCP pptp (1723) and IP GRE (47). I can connect to the server from a computer when I try inside, and it works fine. It's just that ports don't seem to be forwarding. I tried to just forward 3389 (remote desktop) to another server, and I still had an issue. I have done this successfully on an older PIX, but this is my first time with an ASA.
08-20-2008 06:21 AM
Your config looks OK. What are the logs on the ASA saying at the time of connecting through to the PPTP server?
08-20-2008 07:19 AM
Is x.x.x.26 also your outside interface address? If so, change
static (inside,outside) x.x.x.26 192.168.0.20 netmask 255.255.255.255
to
static (inside,outside) interface 192.168.0.20 netmask 255.255.255.255
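As an added config-review example (not from the thread and not Cisco's code), a small Python checker for the point raised in the reply above: it parses the ASA 7.x static, access-list and access-group lines, flags a static whose mapped address is literally the outside interface address (where the interface keyword belongs), and confirms that the ACL applied inbound on outside permits GRE and tcp/1723 to the mapped host. The interface block and the address 203.0.113.26 are constructed assumptions, since the post omits its interface configuration and masks the real address.

```python
import re

# Constructed sample (not from the thread): the poster's lines plus the interface
# block the post omits; 203.0.113.26 stands in for the masked x.x.x.26.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.26 255.255.255.248
access-list outside_access_in extended permit gre any host 203.0.113.26
access-list outside_access_in extended permit tcp any host 203.0.113.26 eq pptp
static (inside,outside) 203.0.113.26 192.168.0.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) \S+ host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def outside_ip(cfg):
    """IP of the interface whose nameif is 'outside' (ASA 7.x interface block syntax)."""
    block = {}
    for line in cfg.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if block.get("nameif") == "outside":
                return block.get("ip")
            block = {}
        elif line.startswith(" nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith(" ip address "):
            block["ip"] = line.split()[2]
    return None

def check_pptp_forwarding(cfg):
    """Return a list of findings; an empty list means the PPTP forward looks consistent."""
    findings, out_ip = [], outside_ip(cfg)
    lines = cfg.splitlines()
    permits = [m.groups() for m in map(ACL_RE.match, lines) if m]
    applied = {m.group(1) for m in map(GROUP_RE.match, lines) if m and m.group(2) == "outside"}
    for m in filter(None, map(STATIC_RE.match, lines)):
        _, _, mapped, real, _ = m.groups()
        if mapped == out_ip:  # the reply's point: use the 'interface' keyword instead
            findings.append(f"static maps the outside interface address literally; use "
                            f"'static (inside,outside) interface {real} netmask 255.255.255.255'")
            mapped = "interface"
        host = out_ip if mapped == "interface" else mapped  # ACL still names the real IP
        allowed = {(proto, port) for acl, proto, dst, port in permits if acl in applied and dst == host}
        if ("gre", None) not in allowed:
            findings.append(f"no applied outside ACL permits gre to host {host}")
        if not ({("tcp", "pptp"), ("tcp", "1723")} & allowed):
            findings.append(f"no applied outside ACL permits tcp/1723 (pptp) to host {host}")
    return findings
```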