
Setting up and allowing PPTP on ASA 5505


downtownswang

IS-IT--Management
May 4, 2009
4
US
I need to allow PPTP through our ASA 5505. I have never configured a PIX before and I am not adept at using the command line, so I am looking for assistance setting up the access rules and NAT using ASDM. We are on version 6.1.
We have a Server 2003 running Routing & Remote Access. The server sits inside our network (192.168.1.3). I know I need to allow port 1723 and GRE (IP protocol 47) in the firewall and port forward to the server, but need help from there.

Thanks
 
I have never used the ASDM before to configure my firewalls so I cannot guide your configuration in this way. I can give you the CLI commands to input into the device:
Code:
ASA(config)# static (inside,outside) tcp interface 1723 192.168.1.3 1723 netmask 255.255.255.255
ASA(config)# access-list outside_access_in extended permit tcp any interface outside eq 1723
ASA(config)# access-list outside_access_in extended permit gre any interface outside
So the inside,outside referenced in the static statement refer to your interfaces that are connected to your internal network and your connection to the outside, so you'll need to change those according to what you have named your interfaces. In the static, the word interface is used if the external IP that the clients will connect to is the one bound to the interface. For example, if your outside interface has the address 1.1.1.1 then interface will refer to that address. If the PPTP server will map to 1.1.1.3 then replace the word interface with the actual IP address. Also, if you are already permitting traffic inbound you may need to change where the two ACEs are entered in your ACL. If you need further help post back with the scrubbed config of the device.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you unclerico...I have attached my config. Once you look at it maybe you can give me the exact commands. Thank you

ASA# show running-config
: Saved
:
ASA Version 8.0(4)
!
hostname
domain-name
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group lclaw
ip address 63.224.85.97 255.255.255.255 pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name lclaw.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PolycomPVX tcp-udp
port-object eq 1503
port-object eq sip
port-object range 3230 3237
port-object eq 1720
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list vpnsplit extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 63.224.85.98 eq 3389
access-list inbound extended permit tcp any host 63.224.85.97 eq smtp
access-list inbound extended permit tcp any host 63.224.85.97 eq www
access-list inbound extended permit tcp any host 63.224.85.97 eq 3389
access-list inbound extended permit tcp any host 63.224.85.97 eq 3603
access-list inbound extended permit tcp any host 63.224.85.97 eq sip
access-list inbound extended permit tcp any host 63.224.85.97 eq 1503
access-list inbound extended permit tcp any object-group PolycomPVX host 63.224.85.97 object-group PolycomPVX
access-list inbound extended permit tcp any host 63.224.85.97 eq h323
access-list inbound extended permit udp any object-group PolycomPVX host 63.224.85.97 object-group PolycomPVX
access-list inbound remark PPTP for Microsoft VPN Access
access-list inbound extended permit tcp any host 192.168.1.3 eq pptp inactive (I tried this rule before your instructions but now cannot remove it)
access-list inbound extended permit gre any host 192.168.1.3 inactive (I tried this rule before your instructions but now cannot remove it)
access-list inbound extended permit udp any host 63.224.85.97 eq sip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.2.1-172.16.2.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.25
5
static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3603 192.168.1.87 3603 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.1.87 sip netmask 255.255.255.255
static (inside,outside) tcp interface 1503 192.168.1.87 1503 netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.1.87 h323 netmask 255.255.255.255
static (inside,outside) udp interface 3603 192.168.1.87 3603 netmask 255.255.255.255
static (inside,outside) udp interface sip 192.168.1.87 sip netmask 255.255.255.255
static (inside,outside) udp interface 1503 192.168.1.87 1503 netmask 255.255.255.255
static (inside,outside) udp interface 1720 192.168.1.87 1720 netmask 255.255.255.255
static (inside,outside) tcp interface 3230 192.168.1.87 3230 netmask 255.255.255.255
static (inside,outside) tcp interface 3231 192.168.1.87 3231 netmask 255.255.255.255
static (inside,outside) tcp interface 3232 192.168.1.87 3232 netmask 255.255.255.255
static (inside,outside) tcp interface 3233 192.168.1.87 3233 netmask 255.255.255.255
static (inside,outside) tcp interface 3234 192.168.1.87 3234 netmask 255.255.255.255
static (inside,outside) tcp interface 3235 192.168.1.87 3235 netmask 255.255.255.255
static (inside,outside) tcp interface 3236 192.168.1.87 3236 netmask 255.255.255.255
static (inside,outside) tcp interface 3237 192.168.1.87 3237 netmask 255.255.255.255
static (inside,outside) udp interface 3230 192.168.1.87 3230 netmask 255.255.255.255
static (inside,outside) udp interface 3231 192.168.1.87 3231 netmask 255.255.255.255
static (inside,outside) udp interface 3232 192.168.1.87 3232 netmask 255.255.255.255
static (inside,outside) udp interface 3233 192.168.1.87 3233 netmask 255.255.255.255
static (inside,outside) udp interface 3234 192.168.1.87 3234 netmask 255.255.255.255
static (inside,outside) udp interface 3235 192.168.1.87 3235 netmask 255.255.255.255
static (inside,outside) udp interface 3236 192.168.1.87 3236 netmask 255.255.255.255
static (inside,outside) udp interface 3237 192.168.1.87 3237 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.224.85.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.1.2
key NTadmin
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 72.16.128.34 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group lclaw request dialout pppoe
vpdn group lclaw localname lambdinchaneyllp@qwest.net
vpdn group lclaw ppp authentication pap
vpdn username lambdinchaneyllp@qwest.net password ********* store-local

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnclients internal
group-policy vpnclients attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
default-domain value lclaw.net
split-dns value lclaw.net
address-pools value vpnpool
username admin password 1Vmi4SGv7HG5QBRk encrypted privilege 15
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
address-pool vpnpool
authentication-server-group vpn
authentication-server-group (inside) vpn LOCAL
default-group-policy vpnclients
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:879e54b12d01d7519dff1f16c6eadd52
: end
ASA#
 
Go into the CLI and enter:
Code:
ASA(config)# no access-list inbound line 13 extended permit tcp any host 192.168.1.3 eq pptp inactive 
ASA(config)# no access-list inbound line 14 extended permit gre any host 192.168.1.3 inactive 
ASA(config)# static (inside,outside) tcp interface 1723 192.168.1.3 1723 netmask 255.255.255.255
ASA(config)# access-list inbound extended permit tcp any host 63.224.85.97 eq 1723
ASA(config)# access-list inbound extended permit gre any host 63.224.85.97

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
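As an added check that is not part of the thread or of Cisco's tooling: the script below reads an ASA 8.0 running-config as text and reports whether the five pieces the replies rely on are all present for PPTP pass-through: a static PAT for TCP 1723 to the RRAS host, an active ACE for TCP 1723 and one for GRE to the outside address (either as `host <ip>` or `interface outside`), the ACL bound inbound on outside, and `inspect pptp` in the globally applied policy (already present in the posted config; PPTP inspection is what opens the GRE pinhole through PAT once the 1723 control connection is up). It also lists ACEs still marked `inactive` with their ACL line numbers, counting remarks the way ASA does, which is how the second reply arrived at `line 13` and `line 14`. The sample config is a constructed excerpt that assumes the reply's commands have been applied to the poster's `inbound` ACL; the thread never shows the resulting config. The check only confirms the firewall plumbing: PPTP's MS-CHAPv2 authentication is weak, and the IPsec remote-access setup already in this config is the stronger option.

```python
"""Offline check that an ASA 8.0 running-config forwards PPTP (TCP 1723 + GRE).
Added example, not from the thread; regex/line parsing of `show running-config` text."""
import re

# Constructed excerpt (hypothetical): the thread's inbound ACL with the second
# reply's static and access-list lines appended, plus the interface/policy blocks.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.224.85.97 255.255.255.255 pppoe
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 63.224.85.98 eq 3389
access-list inbound extended permit tcp any host 63.224.85.97 eq smtp
access-list inbound extended permit tcp any host 63.224.85.97 eq www
access-list inbound extended permit tcp any host 63.224.85.97 eq 3389
access-list inbound extended permit tcp any host 63.224.85.97 eq 3603
access-list inbound extended permit tcp any host 63.224.85.97 eq sip
access-list inbound extended permit tcp any host 63.224.85.97 eq 1503
access-list inbound extended permit tcp any object-group PolycomPVX host 63.224.85.97 object-group PolycomPVX
access-list inbound extended permit tcp any host 63.224.85.97 eq h323
access-list inbound extended permit udp any object-group PolycomPVX host 63.224.85.97 object-group PolycomPVX
access-list inbound remark PPTP for Microsoft VPN Access
access-list inbound extended permit tcp any host 192.168.1.3 eq pptp inactive
access-list inbound extended permit gre any host 192.168.1.3 inactive
access-list inbound extended permit udp any host 63.224.85.97 eq sip
access-list inbound extended permit tcp any host 63.224.85.97 eq 1723
access-list inbound extended permit gre any host 63.224.85.97
static (inside,outside) tcp interface 1723 192.168.1.3 1723 netmask 255.255.255.255
access-group inbound in interface outside
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
"""

PORT_NAMES = {"pptp": "1723", "smtp": "25", "www": "80"}  # ASA prints well-known ports by name


def _port(tok):
    return PORT_NAMES.get(tok, tok)


def interface_ip(config, nameif):
    """IP address of the interface whose nameif is `nameif`, or None."""
    current = None
    for line in config.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            current = None
        elif s == f"nameif {nameif}":
            current = nameif
        elif current and s.startswith("ip address "):
            return s.split()[2]
    return None


def static_pat(config, proto, port, server):
    """Mapped address ('interface' or an IP) of a static PAT for server:port, or None."""
    pat = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
    for line in config.splitlines():
        m = pat.match(line)
        if m and m.group(3) == proto and _port(m.group(5)) == port \
                and m.group(6) == server and _port(m.group(7)) == port:
            return m.group(4)
    return None


def acl_entries(config, acl):
    """(line_number, text) for each line of the ACL; remarks count, as in `access-list X line N`."""
    prefix = f"access-list {acl} "
    return list(enumerate((l for l in config.splitlines() if l.startswith(prefix)), start=1))


def acl_permits(config, acl, proto, dst_ip, nameif, port=None):
    """True if an active ACE permits proto from any to `host dst_ip` or `interface nameif`."""
    for _, ace in acl_entries(config, acl):
        t = ace.split()
        if "inactive" in t or t[2:4] != ["extended", "permit"] or t[4] != proto or t[5] != "any":
            continue
        if t[6:8] not in (["host", dst_ip], ["interface", nameif]):
            continue
        if port is None or ("eq" in t and _port(t[t.index("eq") + 1]) == port):
            return True
    return False


def inactive_aces(config, acl):
    """Dead entries left behind, with the line numbers a `no access-list ... line N` needs."""
    return [(n, l) for n, l in acl_entries(config, acl) if l.split()[-1] == "inactive"]


def pptp_inspected(config):
    """True when the globally applied policy-map carries `inspect pptp` (GRE pinhole through PAT)."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    in_pm = False
    for line in config.splitlines() if m else []:
        if line.startswith("policy-map "):
            in_pm = line.split()[1] == m.group(1)
        elif in_pm and line.strip() == "inspect pptp":
            return True
    return False


def check_pptp_passthrough(config, server="192.168.1.3", acl="inbound", outside="outside"):
    """Report which pieces of the PPTP pass-through described in the thread are in place."""
    wan = interface_ip(config, outside)
    findings = {
        "static_pat_1723": static_pat(config, "tcp", "1723", server) in ("interface", wan),
        "acl_tcp_1723": acl_permits(config, acl, "tcp", wan, outside, "1723"),
        "acl_gre": acl_permits(config, acl, "gre", wan, outside),
        "acl_applied": f"access-group {acl} in interface {outside}" in config.splitlines(),
        "inspect_pptp": pptp_inspected(config),
        "inactive_aces": inactive_aces(config, acl),
    }
    findings["ok"] = all(v for k, v in findings.items() if k != "inactive_aces")
    return findings


if __name__ == "__main__":
    for key, value in check_pptp_passthrough(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a pasted `show running-config` after applying the reply's commands; `ok` should be True and `inactive_aces` should be empty once the two stale entries are removed. Because the outside address here comes from PPPoE, a `static` and an ACE written with the `interface` keyword keep working if the provider hands out a different address, where a hard-coded `host 63.224.85.97` would silently stop matching.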
 
Thank you...will entering the first two lines remove those entries?
 