Trouble with PPTP connection

Scott Morris
Level 1

I'm having trouble allowing a PPTP VPN through an ASA 5505.

Result of the command: "show ver"

Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.3(2)


I have set up Windows Server 2012 R2 as a VPN server and am having trouble getting traffic through the ASA.

I prefer to use the ASDM, as I'm not fluent with the CLI yet.

I've set up a network object for my server with a static NAT to the external address of the VPN (see serverobject.png).

I've set up 2 outside ACL rules: 1 for the GRE protocol, 1 for the tcp/pptp port (see acl.png).

When I try to connect via a Windows 10 system, I get the error seen in error.png.

I've enabled PPTP passthrough (see policy.png)

When I try connecting, it looks like it passes the initial packet, but the reply is getting blocked (see syslog.png).
This one is weird to me, because the denied packet references my DMZ interface (highlighted). This traffic shouldn't be touching my DMZ interface; it should be using the inside and outside interfaces.

Not sure what I'm doing wrong, any ideas?

4 Replies

Philip D'Ath
VIP Alumni

It is not clear from the screenshot, but you need to allow TCP/1723 and GRE (IP protocol 47) into the server.
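For readers who want the same thing in CLI form, here is an added example (not posted by anyone in this thread) of an ASA 9.x configuration that permits exactly what Philip describes: TCP/1723 and GRE inbound to a statically NATed server, plus the PPTP inspection. The addresses are placeholders from the documentation ranges (server 192.168.1.10 behind the inside interface, public address 203.0.113.10 on the outside interface); the object and ACL names are assumptions.

```cisco
! Server object with one-to-one static NAT (hypothetical addresses).
object network PPTP-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10

! Service group holding both pieces PPTP needs: the TCP control channel
! on port 1723 (named "pptp" on the ASA) and GRE (IP protocol 47) for the data.
object-group service PPTP-SVCS
 service-object tcp destination eq pptp
 service-object gre

! Inbound ACL on the outside interface. Since ASA 8.3 the ACL matches the
! real (pre-NAT) address, so the rule references the object, not 203.0.113.10.
access-list OUTSIDE_IN extended permit object-group PPTP-SVCS any object PPTP-SERVER
access-group OUTSIDE_IN in interface outside

! PPTP inspection lets the ASA open the GRE pinhole for each negotiated call.
policy-map global_policy
 class inspection_default
  inspect pptp
```

To check the policy without a client, run packet-tracer against the public address for both flows, e.g. `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 1723` and `packet-tracer input outside rawip 198.51.100.5 47 203.0.113.10`; a deny that names an unexpected interface (as in the syslog above) points at routing or the server's reply path rather than at the ACL.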

Thank you for the reply, Philip.

Are you referring to the ACL I have set on the outbound interface? If so, see screenshots gre and protocol. I use groups for protocols and services in case I ever need to add/remove/change them.

If I need another ACL, can you help point me in the right direction?

If you're referring to the server's firewall, it's turned off right now until I get this working. Once I get through the ASA I'll get the server firewall configured.

Scott Morris
Level 1

In looking at the syslog, I looked further into why the reply was coming from the DMZ interface. I discovered that the server was replying from that NIC for some reason. When I disabled that interface, it replied on the correct interface, and I was able to connect to the VPN; thus, the ASA is doing what I need, so this issue is solved.

Thanks all!

Hi

It is impossible to see what the problem is by looking at pictures. Could you post the CLI configuration instead? If you don't want to show the whole config, you can show "show run nat", "show access-list", "sh run access-group", "show arp", "show route", "show inte ip br" and "show nameif".