Cisco – Trouble setting up incoming VPN in Microsoft SBS 2008 through a Cisco ASA 5505 appliance

Tags: cisco, cisco-asa, windows-sbs-2008

I have replaced an aging firewall (custom setup using Linux) with a Cisco ASA 5505 appliance for our network. It's a very simple setup with around 10 workstations and a single Small Business Server 2008.

Setting up incoming ports for SMTP, HTTPS, remote desktop etc. to the SBS went fine – they are working like they should.

However, I have not succeeded in allowing incoming VPN connections. The clients trying to connect (running Windows 7) are stuck with the "Verifying username and password…" dialog before getting an error message 30 seconds later.

We have a single external, static IP, so I cannot set up the VPN connection on another IP address.

I have forwarded TCP port 1723 the same way as I did for SMTP and the others, by adding a static NAT route translating traffic from the SBS server on port 1723 to the outside interface.

In addition, I set up an access rule allowing all GRE packets (src any, dst any).

I have figured that I must somehow forward incoming GRE packets to the SBS server, but this is where I am stuck.

I am using ASDM to configure the 5505 (not the console).

Any help is very much appreciated!

EDIT: See also the related question here: PPTP pass through on Cisco ASA 5505 (8.2)

Best Answer

As long as you have permitted (via the necessary NAT and ACL) TCP/1723 to the SBS 2008 server, there is no need to explicitly configure GRE, provided the ASA's PPTP Application Layer Gateway (ALG) is enabled.

Cisco used to call these ALGs "fixup"; in the ASA they are now called "inspect".

A vanilla ASA comes with a bare-bones Modular Policy Framework (MPF) configuration making use of a global policy; unfortunately, the PPTP ALG is not enabled in it, much to the chagrin of many a Windows administrator.

From the CLI

Add inspect pptp to your traffic class (likely the inspection_default traffic class in the global_policy).

From ASDM

Configuration (Top) -> Firewall (Lower Left) -> Service Policy Rules (Middle Left)

Select the traffic class which is likely inspection_default -> Click Edit

Rule Actions (Tab) -> Check PPTP -> OK -> Apply

Save Configuration.
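The complete CLI equivalent of the steps above, as an added example that is not part of the original answer. It uses the pre-8.3 NAT syntax the question's ASA 8.2 would accept; the inside address 192.168.1.10 for the SBS and the ACL name outside_access_in are assumptions, and the ACL references the outside interface address because ASA 8.2 ACLs match on the translated (public) address:

```cisco
! Added example (not the original answer's configuration).
! Assumptions: SBS 2008 at 192.168.1.10 on the inside interface,
! single public IP on the outside interface, ASA 8.2 (pre-8.3 NAT syntax).

! 1. Permit inbound TCP/1723 to the public address (translated address in 8.2 ACLs).
access-list outside_access_in extended permit tcp any interface outside eq 1723
access-group outside_access_in in interface outside

! 2. Static port translation: public-IP:1723 -> SBS:1723.
static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255

! 3. Enable the PPTP ALG in the default global policy. The default
!    inspection_default class already matches TCP/1723, so only the
!    "inspect pptp" line under it is new; no GRE ACL or GRE NAT is needed,
!    because the ALG opens the GRE pinhole when it sees the PPTP control channel.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global

! 4. Save.
write memory
```

To confirm the ALG is active, run `show service-policy inspect pptp` after a client connects; its counters should increase while the GRE session is established. On ASA 8.3 and later the NAT lines differ (object-based NAT and ACLs that match the real inside address), but the policy-map part is unchanged.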
