ACL and Firewall

Hi,

I will be running a Cisco router and ASA at the edge of my network. I want to have VPNs terminating at the ASA and authenticate to the Windows 2003 domain (certificates or just using Kerberos to the DC, suggestions welcome). Now, what I want is that if people are VPNing in from a home computer, they can then RDP to their computer in the network. Now, since it is a VPN, I should be able to block any RDP at the router using ACLs and at the ASA, right? What do I put in my router ACL to allow a VPN passthrough?

Thanks in advance.

K.J. 44

On the ASA, if you are using sysopt connection permit-ipsec then you would block any RDP in the ACLs (or, rather, you would simply not permit any RDP, since you should be blocking everything that you don't definitely need.)

If, though, you are not using that sysopt, then you need to permit RDP in the access-group applied to the interface the VPN terminates on. When you do that, you should select the source addresses for the ACL entry to correspond only to the decapsulated IP addresses for the VPN connections.

Some subset of AH (IP 51), ESP (IP 50), IKE (UDP 500), and UDP 4500. (Add something else if you are using SSL VPNs). The subset will depend on which transforms you are using and whether you are turning on nat traversal.

You specified the ASA, which does not support terminating PPTP if I recall correctly. If you were trying to pass PPTP through (e.g., in order to be able to terminate a microsoft vpn client on the Windows server itself) then you would need GRE (IP 41) and PPTP (TCP 1723).

Walter Roberson
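The router ACL and ASA ACL described in the reply above, as an added example that is not part of any post in this thread. The ASA outside address 203.0.113.2, the inside LAN 10.10.10.0/24, the VPN address pool 10.10.20.0/24, the interface and ACL names, and the assumption that the ASA runs 7.x software are all illustrative, not from the thread.

```cisco
! --- Edge router (IOS): let only the IPsec control and data channels reach the ASA.
! Addresses, interface and ACL names are assumed for illustration.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500) and NAT-T (UDP 4500) to the ASA outside interface
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 remark ESP (IP 50) and AH (IP 51); drop the AH line if your transform set does not use AH
 permit esp any host 203.0.113.2
 permit ahp any host 203.0.113.2
 remark No cleartext RDP from the Internet; everything not listed above is denied too
 deny   tcp any any eq 3389 log
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet-facing link
 ip access-group OUTSIDE-IN in
!
! --- ASA 7.x, with the sysopt bypass turned OFF so decrypted VPN traffic must
! pass the outside ACL. 7.0 spelled this "permit-ipsec"; 7.1 and later "permit-vpn".
no sysopt connection permit-vpn
ip local pool VPNPOOL 10.10.20.1-10.10.20.50 mask 255.255.255.0
! Source is restricted to the decapsulated (pool) addresses, not "any".
access-list OUTSIDE_IN extended permit tcp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 3389
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

If the sysopt bypass is left on, decrypted VPN traffic never touches the outside ACL at all; in that case the RDP restriction has to live somewhere the tunnel traffic is actually evaluated, such as a vpn-filter applied in the group policy, rather than in the interface ACL.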

Walter Roberson wrote: SNIP

That would be GRE (IP 47)

chad


What I am trying to do is allow remote users to VPN into the network, running Windows 2003 Server. I was going to have these terminate at the ASA. I guess I missed in all my reading on the ASA, I can't use PPTP to the ASA?

Thanks.

K.J. 44

formatting link
vpdn command-The vpdn command was removed because support for L2TP/PPTP/PPPoE was removed in PIX Security appliance Version 7.0.

The ASA does have some facilities not offered by the PIX, but my recollection is that PPTP is not one of the extras -- if it was, then I believe Cisco would have kept it on the PIX (which shares a common code base.)

Walter Roberson

7.2 reintroduces them.

Lutz Donnerhacke

Thanks. I know 41 looked wrong when I wrote it, but it didn't look wrong enough to trigger a google.

Walter Roberson

formatting link
"The PPTP feature is not supported in Version 7.2(1)."

7.2 does appear to reintroduce L2TP over IPSec, and PPPoE, but not PPTP, which just happens to be the part the poster was asking about.

Walter Roberson

Without PPTP, what do I use to pass credentials to the Windows 2003 Server. I have worked with PPTP VPNs before but I am not sure how else ...

I want the users to have a VPN client that terminates at the ASA and then authenticates them to the domain. What options do I have? We are a small company and I do not implementing a single server. I was hoping just to be able to pass authentication information to the DC.

Thanks.

K.J. 44

Sorry, that's beyond my experience. This configuration comment would seem relevant, though:

formatting link

Walter Roberson

Thanks for your help. Can the Cisco ASA's do L2TP then? I guess I am familiar with L2TP, and PPTP. That link told me what I needed for passing Kerberos in thanks. Has anyone had experience with Microsoft IAS as a RADIUS server? Because using Kerberos I cannot do any accounting on my VPN connections.

Thanks for all your help.

K.J. 44

Look above that:

formatting link
NT Server Support

The security appliance supports VPN authentication with Microsoft Windows server operating systems that support NTLM version 1, which we collectively refer to as NT servers. When a user attempts to establish VPN access and the applicable tunnel-group record specifies an NT authentication server group, the security appliance uses NTLM version 1 for user authentication with the Microsoft Windows domain server. The security appliance grants or denies user access based on the response from the domain server.

And further down, nt-auth-domain-controller, and that server-port defaults to 139 for NT. The very bottom of the page has an example,

  aaa-server NTAuth protocol nt
  aaa-server NTAuth (inside) host 10.1.1.4
   nt-auth-domain-controller primary1

Walter Roberson
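An added example (not code from any post in this thread) that ties the NT authentication server group quoted above to a remote-access tunnel group, and adds a RADIUS group for the accounting that K.J. asked about earlier. The host 10.1.1.4 and the controller name primary1 are taken from the Cisco example above; the tunnel-group name RemoteVPN, the pool VPNPOOL, the RADIUS host 10.1.1.5, its key, and the use of Microsoft IAS as that RADIUS server are assumptions for illustration.

```cisco
! --- ASA 7.x: authenticate IPsec remote-access users against the Windows domain
! over NTLMv1 ("protocol nt"), and send accounting to a RADIUS server.
aaa-server NTAuth protocol nt
aaa-server NTAuth (inside) host 10.1.1.4
 nt-auth-domain-controller primary1
 server-port 139
 timeout 10
!
! RADIUS group for accounting; 10.1.1.5 and the key are assumed (e.g. an IAS server).
aaa-server IASRadius protocol radius
aaa-server IASRadius (inside) host 10.1.1.5
 key ChangeMeBeforeUse
!
ip local pool VPNPOOL 10.10.20.1-10.10.20.50 mask 255.255.255.0
!
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group NTAuth
 accounting-server-group IASRadius
```

NTLMv1 is what the "nt" protocol speaks, so the domain controller must still accept NTLMv1 for this to work; if the domain's LAN Manager authentication level has been raised to refuse it, authentication will fail even though the configuration is correct.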

Looks like that requires 7.2, provided you mean "L2TP over IPSec".

Walter Roberson
