Pix 525 to ASA 5510 Conversion - PPTP VPN Problem

Status
Not open for further replies.

hitdrum (IS-IT--Management, US)
Jan 25, 2007
I am converting a Pix 525 to an ASA 5510 and have the ASA up and running. I have one issue related to VPN connection. Until I can configure SSL VPN on the ASA and train users how to use it, I need to maintain the PPTP connectivity for users. I think, from what I have read, I have moved the config over, but still can't get connected via VPN. The VPN is terminated on a MS RRAS server and access is granted based on AD group membership, and so with the Pix I just forwarded the ports with a static mapping to the internal address of the server, with the same being true for the required GRE protocol. With the ASA in place and the same static mapping and port forwarding in place, I cannot establish a VPN connection. I would very much appreciate the assistance of a more experienced Cisco eye. I have included the scrubbed configs of both the old Pix and the new ASA. I know there are some differences in NAT etc. when I move to 8.4 on the ASA, but it seems like I am missing something on the PPTP/fixup side of things too.

Thanks in advance for any assistance.



### Old Pix Config ###

I added ** at the beginning of the lines that apply to VPN connectivity.

Cisco PIX Firewall Version 6.3(3)

clock timezone CST 0
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
** fixup protocol pptp 1723
fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.ex.ex.2 xxxx
name 207.ex.ex.8 xxxxx2
name 65.ex.ex.8 xxxxx1
name 63.ex.ex.81 xxxxx
name 74.ex.ex.162 xxxxxxx
object-group service WinMedia udp
port-object range 1024 5000
object-group service SQL tcp-udp
port-object range 1433 1434
object-group service d_Mgmt tcp
port-object eq ssh
port-object eq 5432
port-object range 5959 5963
port-object eq 9099
port-object eq 8080
port-object eq 8443


access-list from-outside-in permit tcp any host 209.ex.ex.3 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.3 eq ftp
** access-list from-outside-in permit tcp any host 209.ex.ex.3 eq pptp
** access-list from-outside-in permit gre any host 209.ex.ex.3
access-list from-outside-in permit tcp any host 209.ex.ex.12 eq smtp
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 1755
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq 1755
access-list from-outside-in permit tcp any host 209.ex.ex.12 eq ssh
access-list from-outside-in permit udp any host 209.ex.ex.11 object-group WinMedia
access-list from-outside-in permit tcp any host 209.ex.ex.4 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.6 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.5 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq 554
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 5004
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 5005
access-list from-outside-in permit icmp host 209.ex.ex.1 any
access-list from-outside-in permit tcp any host 209.ex.ex.10 eq domain
access-list from-outside-in permit udp any host 209.ex.ex.10 eq domain
access-list from-outside-in permit udp any host 209.ex.ex.11 eq domain
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq domain
access-list from-outside-in permit tcp host ktc host 209.ex.ex.20 eq telnet
access-list from-outside-in permit tcp any host 172.16.1.43 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.5 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.7 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.6 eq 5000
access-list from-outside-in permit tcp any host 209.ex.ex.15 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.15 eq https
access-list from-outside-in permit tcp host 159.ex.ex.90 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.50 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.60 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.80 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp any host 209.ex.ex.13 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.14 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.14 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.8 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.8 eq https
access-list from-outside-in permit tcp 207.ex.ex.0 255.255.255.0 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit udp any host 209.ex.ex.88 eq 9000
access-list from-outside-in permit tcp host xxxxx1 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp host xxxxx1 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp 63.ex.67.80 255.255.255.240 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp 63.ex.67.80 255.255.255.240 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp 65.ex.140.0 255.255.255.0 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp 65.ex.140.0 255.255.255.0 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp any host 209.ex.ex.88 eq 9000
access-list from-outside-in permit tcp host 74.ex.ex.162 host 209.ex.ex.14 object-group d_Mgmt
access-list from-outside-in permit tcp any host 209.ex.ex.16 eq https
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.22 eq ftp
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.21 eq smtp
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.44 object-group SQL
access-list from-dmz-in permit udp host 192.168.45.6 host 172.16.1.44 object-group SQL
access-list from-dmz-in permit icmp 192.168.45.0 255.255.255.0 any
access-list from-dmz-in permit tcp host 192.168.45.4 any eq www
access-list from-dmz-in permit tcp host 192.168.45.4 any eq ssh
access-list from-dmz-in permit udp host 192.168.45.11 any eq 1755
access-list from-dmz-in permit tcp host 192.168.45.11 any eq 1755
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.21 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.21 host 172.16.1.10 eq domain
access-list from-dmz-in permit udp host 192.168.45.21 host 172.16.1.10 eq domain
** access-list from-dmz-in permit tcp any host 172.16.1.3 eq pptp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.10 eq ntp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.10 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.10 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.9 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.9 eq ldap
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.9 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.9 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.70 eq smtp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.10.28 eq snmp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.69 eq snmp
access-list from-dmz-in permit udp host 192.168.44.1 host 172.16.1.69 eq snmp
access-list from-dmz-in permit udp host 192.168.44.1 host 172.16.10.28 eq snmp
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.71 eq smtp

pager lines 24
logging timestamp
logging monitor informational
logging buffered notifications
logging trap notifications
logging facility 6
logging device-id hostname
logging host inside 172.16.1.22
icmp deny any outside
mtu outside 1500
mtu intf3 1500
mtu dmz 1500
mtu inside 1500
ip address outside 209.ex.ex.2 255.255.255.0
no ip address intf3
ip address dmz 192.168.45.1 255.255.255.0
ip address inside 192.168.44.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address intf3
no failover ip address dmz
no failover ip address inside
pdm history enable
arp timeout 14400


global (outside) 1 209.a.a.a
global (outside) 2 209.b.b.b
global (dmz) 1 192.168.45.100
global (dmz) 2 192.168.45.101
nat (inside) 1 192.168.44.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 2 172.17.0.0 255.255.0.0 0 0


static (inside,outside) tcp 209.ex.ex.3 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.3 pptp 172.16.1.3 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.20 telnet 172.16.0.20 telnet netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.16.1.21 smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.5 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.4 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.6 255.255.255.255 0 0
static (dmz,outside) udp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.5 https 172.16.1.43 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.7 https 172.16.1.13 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.6 5000 172.16.1.103 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 ssh 172.16.1.104 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5432 172.16.1.104 5432 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5959 172.16.1.104 5959 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5960 172.16.1.104 5960 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5961 172.16.1.104 5961 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5962 172.16.1.104 5962 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5963 172.16.1.104 5963 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 9099 172.16.1.104 9099 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 8080 172.16.1.104 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.15 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.15 https 172.16.1.72 https netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.16.1.70 smtp 172.16.1.70 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.13 https 172.16.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 https 172.16.1.74 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 https 172.16.0.50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 3389 172.16.0.50 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 209.ex.ex.88 9000 172.16.1.211 9000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 1433 172.16.0.50 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 8443 172.16.1.104 8443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.16 https 172.16.0.80 https netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.6 172.16.1.6 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.201 172.16.1.201 netmask 255.255.255.255 0 0
static (dmz,outside) 209.ex.ex.12 192.168.45.4 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.22 172.16.1.22 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.202 172.16.1.202 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.44 172.16.1.44 netmask 255.255.255.255 0 0
static (dmz,outside) 209.ex.ex.11 192.168.45.11 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.9 172.16.1.9 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.99 172.16.1.99 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.203 172.16.1.203 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.10.28 172.16.10.28 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.69 172.16.1.69 netmask 255.255.255.255 0 0


access-group from-outside-in in interface outside
access-group from-dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 209.ex.ex.1 1
route inside 172.16.0.0 255.248.0.0 192.168.44.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

floodguard enable

console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 64
terminal width 80
Cryptochecksum:84489a11e3df19d25bd94c78853b1bab




### New ASA Config ###


!
ASA Version 8.2(5)
!

names

!
interface Ethernet0/0
nameif dmz
security-level 10
ip address 192.168.45.1 255.255.255.0
!

!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
media-type sfp
nameif inside
security-level 100
ip address 192.168.44.1 255.255.255.0
!

!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
media-type sfp
nameif outside
security-level 0
ip address 209.ex.ex.2 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name lths.net
object-group service WinMedia udp
port-object range 1024 5000
object-group service SQL tcp-udp
port-object range 1433 1434

access-list from-outside-in extended permit tcp any host 209.ex.ex.3 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.3 eq ftp
** access-list from-outside-in extended permit tcp any host 209.ex.ex.3 eq pptp
** access-list from-outside-in extended permit gre any host 209.ex.ex.3
access-list from-outside-in extended permit tcp any host 209.ex.ex.12 eq smtp
access-list from-outside-in extended permit udp any host 209.ex.ex.11 eq 1755
access-list from-outside-in extended permit tcp any host 209.ex.ex.11 eq 1755
access-list from-outside-in extended permit tcp any host 209.ex.ex.12 eq ssh
access-list from-outside-in extended permit udp any host 209.ex.ex.11 object-group WinMedia
access-list from-outside-in extended permit tcp any host 209.ex.ex.4 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.6 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.5 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.11 eq rtsp
access-list from-outside-in extended permit udp any host 209.ex.ex.11 eq 5004
access-list from-outside-in extended permit udp any host 209.ex.ex.11 eq 5005
access-list from-outside-in extended permit icmp host 209.ex.ex.1 any
access-list from-outside-in extended permit tcp any host 209.ex.ex.10 eq domain
access-list from-outside-in extended permit udp any host 209.ex.ex.10 eq domain
access-list from-outside-in extended permit udp any host 209.ex.ex.11 eq domain
access-list from-outside-in extended permit tcp any host 209.ex.ex.11 eq domain
access-list from-outside-in extended permit tcp host ktc host 209.ex.ex.20 eq telnet
access-list from-outside-in extended permit tcp any host 172.16.1.43 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.5 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.7 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.6 eq 5000
access-list from-outside-in extended permit tcp any host 209.ex.ex.15 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.15 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.13 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.14 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.14 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.8 eq www
access-list from-outside-in extended permit tcp any host 209.ex.ex.8 eq https
access-list from-outside-in extended permit udp any host 209.ex.ex.88 eq 9000
access-list from-outside-in extended permit tcp any host 209.ex.ex.88 eq 9000
access-list from-outside-in extended permit tcp any host 209.ex.ex.16 eq https
access-list from-outside-in extended permit tcp any host 209.ex.ex.50 eq smtp
access-list from-dmz-in extended permit icmp 192.168.45.0 255.255.255.0 any
access-list from-dmz-in extended permit udp host 192.168.45.11 any eq 1755
access-list from-dmz-in extended permit tcp host 192.168.45.11 any eq 1755
access-list from-dmz-in extended permit tcp host 192.168.45.21 host 172.16.1.10 eq ldap
access-list from-dmz-in extended permit tcp host 192.168.45.21 host 172.16.1.10 eq domain
access-list from-dmz-in extended permit udp host 192.168.45.21 host 172.16.1.10 eq domain
** access-list from-dmz-in extended permit tcp any host 172.16.1.3 eq pptp


pager lines 24
logging enable
logging timestamp
logging console debugging
logging buffered notifications
logging trap notifications
logging asdm informational
logging device-id hostname

mtu dmz 1500
mtu management 1500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface dmz
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400


global (dmz) 1 192.168.45.100
global (dmz) 2 192.168.45.101
global (dmz) 3 192.168.45.102
global (outside) 1 209.ex.ex.100
global (outside) 3 209.ex.ex.50
nat (dmz) 3 192.168.45.0 255.255.255.0
nat (inside) 1 192.168.44.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0


static (inside,outside) tcp 209.ex.ex.3 255.255.255.255
static (inside,outside) tcp 209.ex.ex.20 telnet 172.16.0.20 telnet netmask 255.255.255.255
static (inside,dmz) tcp 172.16.1.21 smtp 172.16.1.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.5 255.255.255.255
static (dmz,outside) tcp 209.ex.ex.4 255.255.255.255
static (dmz,outside) udp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255
static (dmz,outside) tcp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.5 https 172.16.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.7 https 172.16.1.13 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.6 5000 172.16.1.103 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 ssh 172.16.1.104 ssh netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5432 172.16.1.104 5432 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5959 172.16.1.104 5959 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5960 172.16.1.104 5960 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5961 172.16.1.104 5961 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5962 172.16.1.104 5962 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 5963 172.16.1.104 5963 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 9099 172.16.1.104 9099 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 8080 172.16.1.104 8080 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.15 255.255.255.255
static (inside,outside) tcp 209.ex.ex.15 https 172.16.1.72 https netmask 255.255.255.255
static (inside,dmz) tcp 172.16.1.70 smtp 172.16.1.70 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.13 https 172.16.1.19 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 https 172.16.1.74 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.8 255.255.255.255
static (inside,outside) tcp 209.ex.ex.8 https 172.16.0.50 https netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.8 3389 172.16.0.50 3389 netmask 255.255.255.255
static (inside,outside) udp 209.ex.ex.88 9000 172.16.1.211 9000 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.8 1433 172.16.0.50 1433 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.14 8443 172.16.1.104 8443 netmask 255.255.255.255
static (inside,outside) tcp 209.ex.ex.16 https 172.16.0.80 https netmask 255.255.255.255
** static (inside,outside) tcp 209.ex.ex.3 pptp 172.16.1.3 pptp netmask 255.255.255.255
static (inside,dmz) 172.16.1.6 172.16.1.6 netmask 255.255.255.255
static (inside,dmz) 172.16.1.201 172.16.1.201 netmask 255.255.255.255
static (inside,dmz) 172.16.1.22 172.16.1.22 netmask 255.255.255.255
static (inside,dmz) 172.16.1.202 172.16.1.202 netmask 255.255.255.255
static (inside,dmz) 172.16.1.44 172.16.1.44 netmask 255.255.255.255
static (dmz,outside) 209.ex.ex.11 192.168.45.11 netmask 255.255.255.255
static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255
static (inside,dmz) 172.16.1.9 172.16.1.9 netmask 255.255.255.255
static (inside,dmz) 172.16.1.99 172.16.1.99 netmask 255.255.255.255
static (inside,dmz) 172.16.1.203 172.16.1.203 netmask 255.255.255.255
static (inside,dmz) 172.16.10.28 172.16.10.28 netmask 255.255.255.255
static (inside,dmz) 172.16.1.69 172.16.1.69 netmask 255.255.255.255

access-group from-dmz-in in interface dmz
access-group from-outside-in in interface outside


route outside 0.0.0.0 0.0.0.0 209.ex.ex.1 1
route inside 172.16.0.0 255.255.0.0 192.168.44.2 1
route inside 172.17.0.0 255.255.0.0 192.168.44.2 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy


no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

ssh version 2

console timeout 0

!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
** inspect pptp
inspect dns
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 
I think the problem is you are only providing a static NAT for PPTP - your static statement is at the L4 protocol level (PPTP TCP/1723), so it doesn't know where to send the GRE. Modify the static statement so it is at the L3 level:
Code:
! host-level (L3) static: translates every IP protocol to 172.16.1.3, GRE included, not just TCP/1723
static (inside,outside) 209.ex.ex.3 172.16.1.3 netmask 255.255.255.255

I suspect this will break it though, as you have other stuff (WWW) PAT'd to 209.x.x.3. Looking at the configuration though, it's not that you are short of public IP addresses, so NAT it to a different IP.

Andy
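As an added example (not from the original post, from Andy, or from Cisco), here is a small Python audit that reads pre-8.3 PIX/ASA config lines of the shapes posted in this thread and flags the condition Andy describes: a GRE permit on the outside ACL whose public address is covered only by port-level statics (tcp/pptp), so the firewall has nowhere to translate GRE (IP protocol 47), which carries no port. The regexes are assumptions modelled on the posted lines, the `** ` marker the poster used is stripped, and the two sample configs are constructed with documentation addresses (203.0.113.x, 192.0.2.x), not the thread's real addresses.

```python
"""Audit pre-8.3 PIX/ASA NAT statements for PPTP pass-through (added example).

PPTP to an inside RRAS server needs two flows translated: TCP/1723 for the
control channel and GRE (IP protocol 47) for the tunnelled data. A
port-level static ("static (inside,outside) tcp <global> pptp <real> pptp ...")
only translates TCP/1723; GRE carries no port, so only a host-level (L3)
static for the same global address can translate it. This checker flags
GRE permits whose global address has no host-level static.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The forum poster prefixed VPN-related lines with "** "; strip that marker.
MARKER = re.compile(r"^\*\*\s*")

# Line shapes are assumptions modelled on the configs posted in this thread.
STATIC_L4 = re.compile(
    r"^static \((?P<rif>\w+),(?P<mif>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gip>\S+) (?P<gport>\S+) (?P<rip>\S+) (?P<rport>\S+) netmask")
STATIC_L3 = re.compile(
    r"^static \((?P<rif>\w+),(?P<mif>\w+)\) (?P<gip>\S+) (?P<rip>\S+) netmask")
ACL_GRE = re.compile(
    r"^access-list (?P<acl>\S+) (?:extended )?permit gre \S+ host (?P<gip>\S+)")
ACL_PPTP = re.compile(
    r"^access-list (?P<acl>\S+) (?:extended )?permit tcp \S+ host (?P<gip>\S+) "
    r"eq (?:pptp|1723)\b")


@dataclass
class Finding:
    global_ip: str
    kind: str      # "port-level-only", "no-static" or "pptp-without-gre"
    detail: str


def audit_pptp_nat(config_text: str) -> List[Finding]:
    """Return one Finding per PPTP/GRE translation problem in config_text."""
    l3: Dict[str, str] = {}            # global ip -> real ip (host-level static)
    l4: Dict[str, List[str]] = {}      # global ip -> port-level translations
    gre_hosts: List[str] = []
    pptp_hosts: List[str] = []
    for raw in config_text.splitlines():
        line = MARKER.sub("", raw.strip())
        if (m := STATIC_L4.match(line)):
            l4.setdefault(m["gip"], []).append(
                f"{m['proto']}/{m['gport']}->{m['rip']}:{m['rport']}")
        elif (m := STATIC_L3.match(line)):
            l3[m["gip"]] = m["rip"]
        elif (m := ACL_GRE.match(line)):
            gre_hosts.append(m["gip"])
        elif (m := ACL_PPTP.match(line)):
            pptp_hosts.append(m["gip"])

    findings: List[Finding] = []
    for gip in gre_hosts:
        if gip in l3:
            continue                   # GRE is covered by the host-level static
        if gip in l4:
            findings.append(Finding(gip, "port-level-only",
                "GRE is permitted but only port-level statics exist (%s); "
                "GRE has no port, so the firewall cannot translate it"
                % ", ".join(l4[gip])))
        else:
            findings.append(Finding(gip, "no-static",
                "GRE is permitted but no static maps this address inside"))
    for gip in pptp_hosts:
        if gip not in gre_hosts:
            findings.append(Finding(gip, "pptp-without-gre",
                "TCP/1723 is permitted but GRE is not; the tunnel will never come up"))
    return findings


# Constructed sample, modelled on the thread's ASA config, using documentation
# addresses: the PPTP server is reached only through a port-level static.
BROKEN_ASA = """\
access-list from-outside-in extended permit tcp any host 203.0.113.3 eq www
** access-list from-outside-in extended permit tcp any host 203.0.113.3 eq pptp
** access-list from-outside-in extended permit gre any host 203.0.113.3
static (inside,outside) tcp 203.0.113.3 www 192.0.2.10 www netmask 255.255.255.255
** static (inside,outside) tcp 203.0.113.3 pptp 192.0.2.3 pptp netmask 255.255.255.255
"""

# Same service after moving PPTP to its own public address with a host-level
# static, as Andy suggests, so the WWW PAT on 203.0.113.3 is left alone.
FIXED_ASA = """\
access-list from-outside-in extended permit tcp any host 203.0.113.3 eq www
access-list from-outside-in extended permit tcp any host 203.0.113.9 eq pptp
access-list from-outside-in extended permit gre any host 203.0.113.9
static (inside,outside) tcp 203.0.113.3 www 192.0.2.10 www netmask 255.255.255.255
static (inside,outside) 203.0.113.9 192.0.2.3 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_ASA), ("fixed", FIXED_ASA)):
        print(f"[{name}]")
        for f in audit_pptp_nat(cfg):
            print(f"  {f.global_ip}: {f.kind}: {f.detail}")
```

Run it against a `show running-config` dump and it reports, per public address, whether GRE has a usable translation. A clean report only rules out the firewall's NAT; as the end of this thread shows, the drop can just as well sit on a device in the return path, so the next check is the ACLs on the internal routers between the RRAS server and the outside interface.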
 
Thanks for your reply Andy. I changed the static to a different public IP and configured it as you suggested, and I still can't establish the connection. I have set everything back the way it was in the first post. I had read through the link you posted previously and also noted that it seems like you can either use the inspect pptp with the policy map or the ACL method. I can't seem to get either working... still plugging away at it though :)

 
Tracked the problem back to a rogue ACL on an internal router that was dropping the traffic from the RRAS server back out to the remote client. Working now :)
 