
Can't connect to two separate VPNs behind ASA5505


ColdFlame

Technical User
Jul 24, 2007
48
CA
Hi all,

I have two ongoing problems since we switched our firewall to a Cisco ASA5505 Series. The device has a VPN built-in and using the Cisco VPN client connecting from outside it works just fine.

The issue is this:

I have a few users in my network that need to connect to remote VPNs to perform maintenance at plant sites, etc...

Scenario 1)

User is using Nortel Contivity client. The client initiates the connection and then seems to fail after having verified banner text. (Appears to be that way anyway).

Scenario 2)

Installed a Linksys RV082 at a remote site so that my EIC group can remotely connect to its VPN using Linksys' QuickVPN software, establish access to the internal network there, and SSH into the PLC equipment. This fails at "Establishing network".

Unfortunately my ISP manages our ASA device, and I have submitted to them as many ideas as I could to get the correct ports open, but obviously I am missing something.

Can you help me with what I need to look for specifically? I presume one particular port is blocked and that's where things are hanging up, but I can't be certain. Any help you can give me would be GREATLY appreciated.

Regards,

ColdFlame
 
You need to have them open PPTP and protocol 47, which is GRE. It's not that the port is blocked, it's just not open. I mean, it's called a firewall for a reason. :)
 
Hi brianinms,

Well, I eventually broke down and phoned Linksys technical support again (3rd time). Every time I phone I seem to get new ports to open. My firewall is going to start looking like Swiss cheese soon.

Out of my three phone calls, they have asked me to open Ports 47-50 inclusive, Port 500, Port 1723, and Port 443. When I asked if it was TCP or UDP, they said if I have the option, choose "Both". So I did and still nothing.

If I'm not mistaken, 1723 is PPTP, so that one should be ok. Any other thoughts? I'm frustrated, confused, and getting angry at both Linksys and my service provider because either I'm not getting the correct info from Linksys or my provider isn't opening the correct ports when asked.

Thanks in advance again,

ColdFlame
 
Ports 47-50 should probably be protocols 47-50, and yes, PPTP is 1723. Without seeing a copy of your configuration it's hard to say where the problem lies.
 
access-list inside_access_in line 1 extended permit icmp 10.0.0.0 255.0.0.0 any (hitcnt=24415) 0x25b41928
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any object-group tcp_grp01 0x9d1a2e29
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 26000 (hitcnt=0) 0x2c5aec49
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 5223 (hitcnt=0) 0x8bec4c9b
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 8080 (hitcnt=3673) 0x66c7237b
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq domain (hitcnt=4473) 0x2450b9ce
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp (hitcnt=1744) 0xc482ca45
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 0x8767da2e
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq https (hitcnt=1870796) 0xbfc6e965
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq lotusnotes (hitcnt=5) 0x3f9402d7
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq pop3 (hitcnt=7806) 0x3711a7a1
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq smtp (hitcnt=185044) 0x5a32280d
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 12345 (hitcnt=0) 0xa3ebbd4f
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 3389 (hitcnt=330) 0x7c6a62e7
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 3724 (hitcnt=7) 0x168bdddc
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 4242 (hitcnt=3900) 0xc3eb85cb
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 444 (hitcnt=4) 0x9bb9c7fc
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 7000 (hitcnt=30494) 0x967360a
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any range 1718 h323 (hitcnt=24) 0x9f49d572
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any range 3100 3107 (hitcnt=60) 0xe5212e58
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any object-group udp_grp01 0xa61cf25a
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq 12345 (hitcnt=0) 0x9cb6585a
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq 33333 (hitcnt=0) 0x67542b2e
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq domain (hitcnt=15967794) 0x10c5d5d8
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq ntp (hitcnt=36793) 0x165e3e40
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq 1755 (hitcnt=0) 0xd82a14c0
access-list inside_access_in line 4 extended permit esp 10.0.0.0 255.0.0.0 any (hitcnt=256) 0xa745fb99
access-list inside_access_in line 5 extended permit udp 10.0.0.0 255.0.0.0 any eq isakmp (hitcnt=258) 0xef366c75
access-list inside_access_in line 6 extended permit tcp 10.0.0.0 255.0.0.0 any eq lotusnotes (hitcnt=0) 0x3f9402d7
access-list inside_access_in line 7 extended permit udp 10.0.0.0 255.0.0.0 any eq 1352 (hitcnt=4) 0xd272b9d
access-list inside_access_in line 8 extended permit tcp 10.0.0.0 255.0.0.0 any eq 50 (hitcnt=0) 0x8c857d6a
access-list inside_access_in line 9 extended permit udp 10.0.0.0 255.0.0.0 any eq 4500 (hitcnt=120) 0x89cbe5eb
access-list inside_access_in line 10 extended permit tcp 10.0.0.0 255.0.0.0 any eq pptp (hitcnt=0) 0x217201aa
access-list inside_access_in line 11 extended permit udp 10.0.0.0 255.0.0.0 any eq 1723 (hitcnt=0) 0x43e1c070
access-list inside_access_in line 12 extended permit ah 10.0.0.0 255.0.0.0 any (hitcnt=0) 0x98d9e1fd
access-list inside_access_in line 13 extended permit udp 10.0.0.0 255.0.0.0 any eq 10001 (hitcnt=2) 0x89689711
access-list inside_access_in line 14 extended permit gre 10.0.0.0 255.0.0.0 any (hitcnt=0) 0xa47b97b2

Since then, I've had them open Protocols 47, 48, 49, and 50. I've also had them open Port 60443 for both TCP and UDP per Linksys' last set of instructions.

Is there something else you need to see?

Thanks again,

ColdFlame
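The thread turns on two things a reader can check mechanically in the `show access-list` output above: whether the outbound ACL actually permits what each VPN type needs (PPTP is TCP 1723 plus IP protocol 47/GRE; IPsec is UDP 500 plus IP protocol 50/ESP, or UDP 500 plus UDP 4500 when NAT traversal is in use), and whether a support call's "open port 47-50" was entered as TCP/UDP ports instead of IP protocols, which is exactly what entry line 8 (`tcp ... eq 50`) looks like. The script below is an added example written for this thread, not part of the original posts or any Cisco tool. It parses a handful of entries copied from ColdFlame's output, audits them against the VPN requirement profiles (those profiles are my assumption about what each client needs, stated in `VPN_PROFILES`), and flags TCP/UDP rules on "ports" 47, 50 or 51. The hit counters are kept on each parsed entry because a zero on the `pptp` and `gre` lines is itself evidence: the rule exists but no traffic has ever matched it, so the outbound ACL is unlikely to be where the connection is dying.

```python
"""Audit a Cisco ASA 'show access-list' dump for VPN pass-through rules.

Added example for this thread; not Cisco code. Assumes the standard ASA
output layout: 'access-list NAME line N extended permit|deny PROTO SRC DST
[eq P | range A B | object-group G] (hitcnt=H) 0xHASH'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service names the ASA prints in place of numbers (only the subset used here).
ASA_PORT_NAMES = {"isakmp": 500, "pptp": 1723, "domain": 53, "ntp": 123,
                  "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}

# What each VPN flavour needs permitted outbound (assumption for this example):
# (ip_protocol, port) with port=None for protocols that carry no port.
VPN_PROFILES = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "ipsec": [("udp", 500), ("esp", None)],
    "ipsec-nat-t": [("udp", 500), ("udp", 4500)],
}

# Entries copied from the thread's 'show access-list' output (a subset).
SAMPLE_ACL = """\
access-list inside_access_in line 1 extended permit icmp 10.0.0.0 255.0.0.0 any (hitcnt=24415) 0x25b41928
access-list inside_access_in line 3 extended permit udp 10.0.0.0 255.0.0.0 any eq ntp (hitcnt=36793) 0x165e3e40
access-list inside_access_in line 4 extended permit esp 10.0.0.0 255.0.0.0 any (hitcnt=256) 0xa745fb99
access-list inside_access_in line 5 extended permit udp 10.0.0.0 255.0.0.0 any eq isakmp (hitcnt=258) 0xef366c75
access-list inside_access_in line 8 extended permit tcp 10.0.0.0 255.0.0.0 any eq 50 (hitcnt=0) 0x8c857d6a
access-list inside_access_in line 9 extended permit udp 10.0.0.0 255.0.0.0 any eq 4500 (hitcnt=120) 0x89cbe5eb
access-list inside_access_in line 10 extended permit tcp 10.0.0.0 255.0.0.0 any eq pptp (hitcnt=0) 0x217201aa
access-list inside_access_in line 11 extended permit udp 10.0.0.0 255.0.0.0 any eq 1723 (hitcnt=0) 0x43e1c070
access-list inside_access_in line 12 extended permit ah 10.0.0.0 255.0.0.0 any (hitcnt=0) 0x98d9e1fd
access-list inside_access_in line 14 extended permit gre 10.0.0.0 255.0.0.0 any (hitcnt=0) 0xa47b97b2
"""


@dataclass
class AclEntry:
    line: int
    action: str            # "permit" or "deny"
    proto: str             # tcp, udp, gre, esp, ah, icmp, ip, ...
    ports: Optional[range]  # None = any port, or a protocol that has none
    hits: Optional[int]    # hitcnt, None when the ASA printed none


def _port(tok: str) -> int:
    """Resolve an ASA service name or numeric port; ValueError on garbage."""
    return ASA_PORT_NAMES[tok] if tok in ASA_PORT_NAMES else int(tok)


def parse_acl(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        toks = raw.split()
        if len(toks) < 8 or toks[0] != "access-list" or toks[4] != "extended":
            continue
        line, action, proto = int(toks[3]), toks[5], toks[6]
        i = 7
        # Source then destination: 'any' is one token; 'host X' and 'A.B.C.D M.M.M.M' are two.
        for _ in range(2):
            i += 1 if toks[i] == "any" else 2
        ports = None
        try:
            if i < len(toks) and toks[i] == "eq":
                p = _port(toks[i + 1])
                ports = range(p, p + 1)
            elif i < len(toks) and toks[i] == "range":
                ports = range(_port(toks[i + 1]), _port(toks[i + 2]) + 1)
            # 'object-group G' is a header; the ASA lists the expanded members right after it.
        except ValueError:
            continue  # e.g. a truncated 'eq' with no port value; skip rather than guess
        m = re.search(r"\(hitcnt=(\d+)\)", raw)
        entries.append(AclEntry(line, action, proto, ports, int(m.group(1)) if m else None))
    return entries


def find_permit(entries, proto, port):
    """First entry covering proto/port, ASA-style first match; None if it is a deny or absent."""
    for e in entries:
        if e.proto not in (proto, "ip"):
            continue
        if port is None or e.ports is None or port in e.ports:
            return e if e.action == "permit" else None
    return None  # implicit deny at the end of every ASA ACL


def audit(entries, profile):
    """Map each requirement of a VPN profile to the entry that satisfies it (None = missing)."""
    return {f"{p}/{port or '-'}": find_permit(entries, p, port)
            for p, port in VPN_PROFILES[profile]}


def port_protocol_confusion(entries):
    """TCP/UDP rules on 'port' 47, 50 or 51: almost always someone meant IP protocols GRE/ESP/AH."""
    return [(e.line, e.proto, e.ports.start) for e in entries
            if e.proto in ("tcp", "udp") and e.ports is not None
            and len(e.ports) == 1 and e.ports.start in (47, 50, 51)]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for name in VPN_PROFILES:
        for req, e in audit(acl, name).items():
            print(f"{name:12} {req:10} -> " + (f"line {e.line} (hitcnt={e.hits})" if e else "MISSING"))
    print("port/protocol mix-ups:", port_protocol_confusion(acl))
```

Run it against a full `show access-list` paste and the "MISSING" rows are what to ask the provider for; the hitcnt column tells you whether the client ever got far enough to use a rule that is already there.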
 
Hi Brian,

Under no circumstances am I able to switch providers, otherwise I might have considered that option.

I didn't paste everything in my firewall config as I thought that the access-list would tell you what you needed to know. Besides which, I wasn't 100% certain what I should be posting on here for fear of giving too much away.

Thanks,

CF
 