06-17-2014 03:52 AM
Hi,
At home I've installed a Cisco ASA 5505 because the provider has the cable modem in transparent mode. So I have the public IP address at my firewall.
Also for training, because we have ASAs at work. So I have more feeling for it.
But sometimes I need to build a VPN session to a server at work, and I'm not getting a connection to the server. If I remove the ASA 5505 then the connection to the work server is great. But if the ASA 5505 is back in its place, it is not allowing VPN sessions to the outside world.
Could someone point me in the right direction?
It is possible to build a VPN connection from outside to the Cisco ASA 5505.
Thanks in advance
Greetings
Palermo
06-17-2014 07:18 AM
Hi ,
From your question I can make out that you can build a PPTP VPN session between your servers. What is the ASA code which is running on your ASA device?
Follow the settings below to allow PPTP sessions.
Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:
Add PPTP inspection to the default policy-map using the default class-map.
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp
You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.
pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
OR
Complete these steps to add commands for versions 7.x and 8.0 using ACL.
Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.
pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0
Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.
pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723
Apply the ACL.
pixfirewall(config)#access-group acl-out in interface outside
HTH
Sandy
06-17-2014 11:16 AM
I used the following commands from Seb Rupik:
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
!
But I'm learning a lot from all the help. Thanks for helping me. :-)
Greetings
Palermo
06-18-2014 03:13 AM
Hi,
I'm looking into the document you gave me, because I did not understand the reason that the PPTP connection could not be established. I was thinking all the time :-).
I was thinking that the "stateful" function should be kicking in here, because I was setting up the VPN from inside the network. So the connection should return with no problem, right!!!?
In the document i found this:
!
Because the PPTP connection is initiated as TCP on one port and the response is GRE protocol, the PIX Adaptive Security Algorithm (ASA) does not know that the traffic flows are related. As a result, it is necessary to configure ACLs to allow the return traffic into the PIX.
!
Now I understand that it initiates the VPN via a TCP session. But the return traffic from the server is a different protocol (GRE) and therefore the stateful function is not working and the session is blocked.
This inspect function does network..
Am I thinking right this way..
Greetings
Palermo
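As an added illustration of the point Palermo is working through (this is a constructed toy model, not code from any post in this thread and not how the ASA is implemented), the following Python shows why plain stateful tracking drops the GRE return flow of a PPTP session, and why "inspect pptp" fixes it: the inspector watches the TCP/1723 control channel and opens a GRE pinhole between the same two endpoints. The client/server addresses are taken from Sandy's reply; the client port is made up.

```python
# Toy stateful firewall: tracks outbound-initiated flows by 5-tuple and only
# lets inbound packets in that match a tracked flow (or a dynamic pinhole).
PPTP_CTRL_PORT = 1723   # PPTP control channel runs over TCP/1723
TCP = "tcp"
GRE = "gre"             # PPTP tunnel data is GRE, which has no ports


class StatefulFirewall:
    def __init__(self, inspect_pptp=False):
        self.inspect_pptp = inspect_pptp
        self.flows = set()     # (proto, src, sport, dst, dport) seen going outbound
        self.pinholes = set()  # (proto, src, dst) opened by protocol inspection

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside packet: allowed, and it creates connection state."""
        self.flows.add((proto, src, sport, dst, dport))
        # With "inspect pptp", seeing the TCP/1723 control connection is what
        # relates the later GRE flow to it: open a GRE pinhole server -> client.
        if self.inspect_pptp and proto == TCP and dport == PPTP_CTRL_PORT:
            self.pinholes.add((GRE, dst, src))
        return "allow"

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside packet: allowed only if it matches existing state."""
        if (proto, dst, dport, src, sport) in self.flows:
            return "allow"   # reply on a tracked connection (e.g. the TCP/1723 answer)
        if (proto, src, dst) in self.pinholes:
            return "allow"   # GRE data admitted through the inspection pinhole
        return "drop"        # GRE with no related state: what Palermo observed


def pptp_session(inspect_pptp):
    """Replay the exchange from the thread: TCP/1723 out, TCP reply in, GRE reply in.

    Returns (tcp_reply_verdict, gre_reply_verdict).
    """
    fw = StatefulFirewall(inspect_pptp)
    client, server = "10.48.66.106", "192.168.201.25"  # from Sandy's example config
    client_port = 40000                                 # constructed value
    fw.outbound(TCP, client, client_port, server, PPTP_CTRL_PORT)
    tcp_reply = fw.inbound(TCP, server, PPTP_CTRL_PORT, client, client_port)
    gre_reply = fw.inbound(GRE, server, None, client, None)
    return tcp_reply, gre_reply


if __name__ == "__main__":
    print("without inspect pptp:", pptp_session(False))  # ('allow', 'drop')
    print("with inspect pptp:   ", pptp_session(True))   # ('allow', 'allow')
```

The ACL-based alternative in Sandy's reply does the same job statically: the "permit gre" line is a permanent version of the pinhole this model opens dynamically.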