
ASA 5505 first configuration - no connection with external VPN


I'm on my first configuration of a Cisco firewall. I'm trying an ASA 5505 using Cisco ASDM 5.2 (not GUI). I configured Vlan1 (inside) and Vlan2 (outside) and all seems to work correctly. Network clients can use the Internet and ping the internal LAN. But I have some problems with VPN and other services:

1. When I try to connect to an external VPN server, the connection procedure stops at username/password validation (if I try directly, without the ASA firewall, there's no problem).
2. I also have problems seeing an external security cam working through a web server.

I opened ports 1723 and 500 and GRE. What more can I do? Thanks all.

Ah! This is the Cisco ASDM syslog error message:

Syslog message

3|Jan 29 2010|10:07:20|305006|||regular translation creation failed for protocol 47 src inside: dst outside:

Result of the command: "show startup-config"

: Saved
: Written by enable_15 at 18:37:26.964 UTC Thu Jan 28 2010

ASA Version 7.2(4)

hostname ciscoasa
domain-name default.domain.invalid
enable password UqJHTo7.2sANHB7y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any eq pptp eq pptp
access-list outside_access_in extended permit udp any eq isakmp eq isakmp
access-list outside_access_in extended permit gre any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit esp any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd option 3 ip
dhcpd option 6 ip

dhcpd address inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context



Re: ASA 5505 first configuration - no connection with external V

Hi Simone

1. If you're using an outbound VPN (IPsec) to a headend located on the Internet, you'll need to open UDP 500 for ISAKMP and UDP 4500 for NAT-T, and IPsec over TCP will use TCP 10000 if Cisco is used.

2. You'll need to add the following to your MPF configuration:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

This will let ESP (protocol 50), also known as native IPsec, pass through the ASA.

3. I'm assuming that you have to set up your NAT or PAT in the right manner. Configure your NAT like below if you want to present an internal server to the outside world:

static (inside,outside) outsideip insideip netmask 0 0 -> for static nat

static (inside,outside) interface insideip netmask 0 0 -> for static pat

4. Use IPsec instead of PPTP, since the Cisco VPN client is free and much more secure!

Hope this helps.




Re: ASA 5505 first configuration - no connection with external V

Thanks, I'll try your solution next Monday. Now I'll send you two additions:

1. I've configured NAT as dynamic (for future use I'll probably configure static NAT for the VPN server).

2. I need to connect to every PPTP or IPsec external VPN, and probably there are no Cisco routers (D-Link, I think).



Re: ASA 5505 first configuration - no connection with external V

OK, now it works!

I simply added the flag on PPTP in Security Policy > Server policy rule > Rule action (when you edit the policy).

Now I'll try to create a VPN server, so... I think I'll need more help. Bye.


ASA 5505 first configuration - no connection with external VPN


You have to allow PPTP inspection in your default policy group.

  • myasa(config)#policy-map global_policy
  • myasa(config-pmap)#class inspection_default
  • myasa(config-pmap-c)#inspect pptp
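As an added example (not code from the thread), a small Python audit that reads the text of an ASA 7.x running-config and reports whether the two inspections the replies ask for (inspect pptp for GRE, inspect ipsec-pass-thru for ESP) are present under the global policy; it also flags the "permit ip any any" entry from the posted outside_access_in ACL, which admits all inbound traffic on the outside interface. The sample config is a constructed, trimmed copy of the original poster's.

```python
import re

# Inspections the replies say clients behind the ASA need for outbound VPNs.
REQUIRED_INSPECTS = {
    "pptp": "GRE (protocol 47) return traffic for PPTP needs 'inspect pptp'",
    "ipsec-pass-thru": "ESP (protocol 50) for native IPsec needs 'inspect ipsec-pass-thru'",
}

# Constructed sample: a trimmed copy of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit gre any
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
service-policy global_policy global
"""


def global_policy_inspects(cfg):
    """Return the set of 'inspect' keywords found under
    policy-map global_policy / class inspection_default.
    Keys on command words, so it tolerates indentation lost in copy/paste."""
    found, in_policy, in_class = set(), False, False
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "policy-map":          # a new policy-map ends the previous one
            in_policy, in_class = words[1:] == ["global_policy"], False
        elif words[0] == "class" and in_policy:
            in_class = words[1:] == ["inspection_default"]
        elif words[0] == "inspect" and in_class and len(words) > 1:
            found.add(words[1])
    return found


def audit_config(cfg):
    """Report missing VPN inspections and any ACL that permits ip any any."""
    found = global_policy_inspects(cfg)
    missing = {k: why for k, why in REQUIRED_INSPECTS.items() if k not in found}
    wide_open = re.findall(
        r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any\s*$", cfg, re.M)
    return {"missing": missing, "permit_ip_any_any": wide_open}
```

Running audit_config on the sample reports both inspections missing and names outside_access_in as the ACL with the blanket permit; adding the two inspect lines under class inspection_default clears the first finding.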