
Simple PPTP VPN passthrough to SBS Server 1

Status
Not open for further replies.

ACorpolongo

IS-IT--Management
Jun 22, 2007
5
US
Hi all,
I have my Windows SBS server fully configured to receive PPTP VPN connections. I'm using an ASA 5500 as my gateway, and am having trouble configuring IP protocol #47 (GRE) passthrough. I had no problem configuring ACLs to allow the TCP protocol PPTP and the IP protocol GRE through; my problem lies with NAT. I currently have entries forwarding packets with certain port numbers (e-mail, DNS, HTTP, etc.) to certain servers internally. The only option I can find which would allow me to forward an entire IP protocol is to create a static entry, which the ASA then tells me conflicts with the rest of my entries. I tried deleting all of my specific PAT entries and creating one static mapping sending all traffic on the external IP address to my VPN server, but even then was not getting VPN connectivity. Posted below is my configuration. I don't want to use any of the VPN features built into the ASA if I can avoid it; I just want it to let the traffic through. If this isn't possible, I'll deal with it, but my ideal network is as simple as I can make it. Thanks ahead of time.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname TSCUSAGateway
domain-name tscusa.com
enable password TPHIn.D8lbIFB50E encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address <ASA Outside Interface> 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
retries 1
name-server 10.1.10.10
name-server 10.1.10.11
domain-name tscusa.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq www
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq domain
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq smtp
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq pop3
access-list outside_access_in extended permit gre any host <Server Outside Interface(via NAT)>
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq pptp
access-list outside_access_in extended permit tcp any host <Server Outside Interface(via NAT)> eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.10.0 255.255.255.0
static (inside,outside) tcp <Server Outside Interface(via NAT)> 255.255.255.255
static (inside,outside) tcp <Server Outside Interface(via NAT)> domain 10.1.10.10 domain netmask 255.255.255.255
static (inside,outside) tcp <Server Outside Interface(via NAT)> pop3 10.1.10.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp <Server Outside Interface(via NAT)> smtp 10.1.10.10 smtp netmask 255.255.255.255
static (inside,outside) tcp <Server Outside Interface(via NAT)> pptp 10.1.10.10 pptp netmask 255.255.255.255
static (inside,outside) tcp <Server Outside Interface(via NAT)> 3389 10.1.10.10 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.250.1.49 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.10.0 255.255.255.0 inside
http 68.250.1.54 255.255.255.255 outside
http 68.250.1.50 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 68.250.1.54 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.1.10.10 10.1.10.11
dhcpd wins 10.1.10.10 10.1.10.11
dhcpd lease 86900
dhcpd ping_timeout 100
dhcpd domain TSCUSA.COM
!
dhcpd address 10.1.10.100-10.1.10.200 inside
dhcpd dns 10.1.10.10 10.1.10.11 interface inside
dhcpd wins 10.1.10.10 10.1.10.11 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 100 interface inside
dhcpd domain TSCUSA.COM interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2af20c0b0d95e260bc3d30ab922afc20
: end


Alex Corpolongo CCNA
Network Technician
 
Hi Alex,

Add PPTP inspection to the default policy-map using the default class-map:

asafirewall(config)#policy-map global_policy
asafirewall(config-pmap)#class inspection_default
asafirewall(config-pmap-c)#inspect pptp

You do not need to define a static mapping because the ASA now inspects PPTP traffic.
 
Thanks so much, Jones; it worked exactly like I needed it to. I figured you didn't just redirect IP protocols like they were port numbers.
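Before sending a config like the one above to a remote box, it helps to have a quick static check for the pieces PPTP passthrough depends on. The following script is an added example, not code from the thread or from Cisco: it reads a running-config in the same ASA 7.x style that was pasted (a constructed, trimmed copy with placeholder public addresses) and reports whether the outside ACL permits tcp/1723 and GRE, whether a static PAT entry for tcp/1723 exists, and whether `inspect pptp` is present under a class of a globally applied policy-map. The function and variable names are my own assumptions; the config syntax follows the thread.

```python
"""Static audit of an ASA-style config for PPTP passthrough ingredients.

Added example (not from the thread). Missing ``inspect pptp`` is the
defect the reply above identified: without it the ASA never builds the
GRE translation for the tunnel, even if the ACL and static PAT exist.
"""
import re

# Constructed, cut-down copy of the thread's config; 192.0.2.10 is a
# documentation-range placeholder for the server's public address.
ORIGINAL_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_access_in extended permit gre any host 192.0.2.10
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq pptp
global (outside) 1 interface
nat (inside) 1 10.1.10.0 255.255.255.0
static (inside,outside) tcp 192.0.2.10 pptp 10.1.10.10 pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
service-policy global_policy global
"""

# The same config after the fix suggested in the thread (hypothetical).
FIXED_CONFIG = ORIGINAL_CONFIG.replace("inspect ftp\n", "inspect ftp\ninspect pptp\n")

PPTP_PORTS = {"pptp", "1723"}  # ASA accepts the name or the number


def _lines(config):
    """Yield non-empty config lines, skipping '!' and ':' comment lines."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", ":")):
            yield line


def outside_acl_names(config):
    """Names of ACLs bound inbound on the outside interface."""
    names = set()
    for line in _lines(config):
        m = re.match(r"access-group (\S+) in interface outside$", line)
        if m:
            names.add(m.group(1))
    return names


def acl_permits(config, acl_names, proto, ports=None):
    """True if one of acl_names has 'extended permit <proto>' (and 'eq <port>')."""
    for line in _lines(config):
        m = re.match(r"access-list (\S+) extended permit (\S+) (.*)$", line)
        if not m or m.group(1) not in acl_names or m.group(2) != proto:
            continue
        if ports is None:
            return True
        eq = re.search(r"\beq (\S+)$", m.group(3))
        if eq and eq.group(1) in ports:
            return True
    return False


def static_pptp_present(config):
    """A static PAT entry mapping outside tcp/1723 to an inside host."""
    for line in _lines(config):
        m = re.match(r"static \(inside,outside\) tcp \S+ (\S+) \S+ (\S+) netmask", line)
        if m and m.group(1) in PPTP_PORTS and m.group(2) in PPTP_PORTS:
            return True
    return False


def pptp_inspected_globally(config):
    """True if 'inspect pptp' sits under a class of a policy-map applied globally."""
    inspects, applied = {}, set()
    pmap = cls = None
    for line in _lines(config):
        m = re.match(r"policy-map (?:type inspect \S+ )?(\S+)$", line)
        if m:
            pmap, cls = m.group(1), None  # new policy-map block starts
            continue
        m = re.match(r"class (\S+)$", line)  # does not match 'class-map'
        if m and pmap:
            cls = m.group(1)
            continue
        m = re.match(r"inspect (\S+)", line)
        if m and pmap and cls:
            inspects.setdefault((pmap, cls), set()).add(m.group(1))
            continue
        m = re.match(r"service-policy (\S+) global$", line)
        if m:
            applied.add(m.group(1))
    return any("pptp" in protos for (p, _), protos in inspects.items() if p in applied)


def audit_pptp_passthrough(config):
    """Return a dict of the four checks plus an overall verdict."""
    acls = outside_acl_names(config)
    findings = {
        "acl_permits_pptp": acl_permits(config, acls, "tcp", PPTP_PORTS),
        "acl_permits_gre": acl_permits(config, acls, "gre"),
        "static_pptp": static_pptp_present(config),
        "inspect_pptp": pptp_inspected_globally(config),
    }
    findings["passthrough_complete"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("with inspect pptp", FIXED_CONFIG)):
        print(label, audit_pptp_passthrough(cfg))
```

Run against the posted config the audit reports everything present except `inspect_pptp`, which is exactly the state the original poster was in; against the fixed config all four checks pass. The check is static only: it confirms the lines are there, not that the tunnel comes up, so it complements rather than replaces a test connection from outside.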
 