Cisco ASA 5505 VPN issue

Discussion in 'Cisco' started by dmj792, Aug 15, 2007.

  1. dmj792

    dmj792 Guest

    I just installed an ASA 5505 on my home network and now I have a problem
    with connecting 2 PPTP VPN connections using either of the XP or
    Vista VPN connections. These connections worked fine until I
    installed the ASA. Now they both contact the remote VPN locations, but
    fail when trying to authenticate. The Vista client gives 'error 806:
    The VPN connection between your computer and the VPN server could not
    be completed.' From the XP client, the error states 721: The remote
    computer did not respond.

    Here is my current ASA config:

    ASA Version 7.2(2)33
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password XXXXXXXXX encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd XXXXXXXXX encrypted
    boot system disk0:/asa722-33-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    dns server-group Primary
    name-server 64.90.65.2
    name-server 64.90.65.5
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.50-192.168.0.81 inside
    dhcpd dns 204.72.181.35 204.72.181.35 interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    ssl encryption des-sha1 rc4-md5
    prompt hostname context
    Cryptochecksum:ba83de2e963d331ef2ce46d982e5e2d4
    : end

    Anyone have any thoughts on what I am missing or what I need to add?
    Any help or advice is greatly appreciated.

    Thanks
     
    dmj792, Aug 15, 2007
    #1

  2. dmj792

    dmj792 Guest

    I should add that the VPN connections are initiated from the inside of
    my ASA to remote VPN servers that I need to access for work.
     
    dmj792, Aug 15, 2007
    #2

  3. dmj792

    Brian V Guest

    conf t
    policy-map global_policy
    class inspection_default
    inspect pptp
    wr mem
     
    Brian V, Aug 15, 2007
    #3
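The reply above matters because the first posted config uses interface PAT (global (outside) 1 interface), and PPTP's GRE data channel carries no ports for PAT to track unless PPTP inspection is applied. The following is an added example, not code from the thread, that audits a 7.2-style config for that gap; the function names and the abridged sample config are constructed for illustration.

```python
import re

# Constructed sample: abridged from the first config posted in this thread.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def inspections(config):
    """Map policy-map name -> class name -> set of inspected protocols."""
    result, pmap, cls = {}, None, None
    for raw in config.splitlines():
        words = raw.split()  # tolerate configs pasted without indentation
        if not words:
            continue
        if words[0] == "policy-map":
            pmap, cls = words[-1], None
            result.setdefault(pmap, {})
        elif words[0] == "class" and pmap and len(words) > 1:
            cls = words[1]
            result[pmap].setdefault(cls, set())
        elif words[0] == "inspect" and cls and len(words) > 1:
            result[pmap][cls].add(words[1])
        elif words[0] == "service-policy":
            pmap = cls = None
    return result

def pat_ids(config):
    """NAT ids where 'global (...) N interface' pairs with a 'nat (...) N' rule."""
    pools = set(re.findall(r"^\s*global\s+\(\S+\)\s+(\d+)\s+interface\b", config, re.M))
    rules = set(re.findall(r"^\s*nat\s+\(\S+\)\s+(\d+)\s", config, re.M))
    return pools & rules

def pptp_inspected_globally(config):
    """True when the globally applied policy-map has a class with 'inspect pptp'."""
    applied = re.search(r"^\s*service-policy\s+(\S+)\s+global\s*$", config, re.M)
    classes = inspections(config).get(applied.group(1), {}) if applied else {}
    return any("pptp" in protos for protos in classes.values())

def pptp_through_pat_ok(config):
    """False when interface PAT is in use but PPTP inspection is not applied."""
    return not pat_ids(config) or pptp_inspected_globally(config)

if __name__ == "__main__":
    print("PAT ids:", sorted(pat_ids(SAMPLE_CONFIG)))
    print("PPTP through PAT ok:", pptp_through_pat_ok(SAMPLE_CONFIG))
```
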
  4. dmj792

    dmj792 Guest

    dmj792, Aug 15, 2007
    #4
  5. dmj792

    erhan68

    I am having the same problem even after the commands below. PPTP VPN says it's verifying username and password and then I get error 721. Cisco ASA logging says Teardown TCP connection from xxxx and teardown GRE connection from xxxx.

    conf t
    policy-map global_policy
    class inspection_default
    inspect pptp
    wr mem


    Here is my config. Help is appreciated.


    ASA Version 7.2(4)
    !
    hostname ASA5505
    domain-name default.domain.invalid
    enable password xxx encrypted
    passwd xxx encrypted
    names
    !
    interface Vlan1
    nameif LAN
    security-level 100
    ip address 10.128.64.3 255.255.252.0
    !
    interface Vlan2
    nameif WAN
    security-level 0
    ip address 62.161.72.54 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    access-list LAN_access_in remark allow LAN to the Internet
    access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.128.64.0 255.255.252.0 any
    access-list WAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list WAN_access_in extended permit icmp any any echo-reply
    pager lines 24

    mtu LAN 1500
    mtu WAN 1500
    ip verify reverse-path interface WAN
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any WAN
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (WAN) 1 interface
    nat (LAN) 1 0.0.0.0 0.0.0.0
    static (LAN,WAN) tcp interface www 10.128.64.7 www netmask 255.255.255.255
    static (LAN,WAN) tcp interface ftp 10.128.64.7 ftp netmask 255.255.255.255
    access-group LAN_access_in in interface LAN
    access-group WAN_access_in in interface WAN
    route WAN 0.0.0.0 0.0.0.0 62.161.72.53 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 10.128.64.0 255.255.252.0 LAN
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 10.128.64.0 255.255.252.0 LAN
    telnet timeout 5
    ssh 10.128.64.0 255.255.252.0 LAN
    ssh timeout 5
    console timeout 0
    management-access LAN
    dhcpd dns 194.109.104.104 194.109.9.99 interface LAN
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:04229d426a2043dd144122178fd6fc11
    : end
     
    erhan68, Jan 14, 2009
    #5
  6. dmj792

    erhan68

    It's weird, but after resetting the gateway router (from ISP) the issue is resolved. So the given solution works for me as well.
     
    erhan68, Jan 14, 2009
    #6