A very interesting topic came up this week when I was attempting to connect to a client’s PPTP VPN from behind my Cisco ASA5505. I would attempt to make the connection and then it would drop, and I would not be able to complete the connection. At first, I thought it might have something to do with the client’s firewall being down; however, after I removed my ASA from the mix and just used a D-Link wireless router, I was able to connect instantly.

The first stop in my troubleshooting process was to look at the System Log within the ASDM for the ASA. When I then tried to initialize the PPTP connection, I saw the following error in the System Log:
regular translation creation failed for protocol 50 src inside:(Machine name) dst outside:(IP Address)

After some research as to why this was happening, I was able to note that this is not something that is configured by default. You must enter a command within the CLI (Command Line Interface) that allows PPTP packets to be inspected. The firewall then creates the dynamic GRE (generic routing encapsulation) connections and translations necessary to permit PPTP traffic. Here is the list of commands that I had to execute within my firewall:

ASA5505> enable
Password: ********
ASA5505# conf t
ASA5505(config)# policy-map global_policy
ASA5505(config-pmap)# class inspection_default
ASA5505(config-pmap-c)# inspect pptp

After doing this, I then tested connectivity and it successfully worked. I found that this could be a big help in future firewall configurations where you must connect to various client PPTP VPNs when you are behind a Cisco firewall. Don’t forget to save your configuration after you have tested this successfully!

Posted by Chad LaTorre on August 24th, 2009 in Cisco Systems

RADIUS authentication is one of the more secure ways to allow users remote access using their Active Directory credentials. This raises the question, though: how do I disable RADIUS authentication if I only have a single domain controller within my infrastructure and it’s down?

The simplest way to go about this is to do the following after connecting to the outside interface of the PIX via PuTTY:

Step 1: Log in to the PIX via PuTTY
Step 2: Enter in the username and password
Step 3: Type “enable” (without the quotations)
Step 4: Enter in the password again
Step 5: Type “conf t”
Step 6: Type “no crypto map mymap client authentication radiusauth”
Step 7: Type “write mem”
Step 8: Type “exit”

At this point, you can connect to the Cisco VPN without having to authenticate. Once the issue with the domain controller has been resolved, put RADIUS authentication back to the way it was configured before.

Step 1: Log in to the PIX via PuTTY
Step 2: Enter in the username and password
Step 3: Type “enable”
Step 4: Type the password again for the PIX
Step 5: Type “conf t”
Step 6: Type “crypto map mymap client authentication radiusauth”
Step 7: Type “write mem”
Step 8: Type “exit”
Step 9: Attempt to connect back to the VPN and verify that you are prompted to authenticate.

Posted by Chad LaTorre on August 19th, 2009 in Cisco Systems

While configuring a client with a new Cisco wireless infrastructure (Cisco WCS 6.0 server, Cisco 4402 WLAN Controller and 8 Cisco Lightweight Access Points), there was a need to authenticate users based on their Active Directory credentials and group membership without the use of a separate Cisco ACS server.

The solution was to change the Framing “Service-Type” in the IAS remote access policy to ‘login’, since the reply only needs to be a simple yes/no response and the WCS server doesn’t understand the additional framing attributes.
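
To make the Service-Type difference concrete, here is an added example (not from the post or from Cisco/Microsoft) that parses a RADIUS Access-Accept per RFC 2865 and reports whether it carries Service-Type = Login with no framing attributes, or Service-Type = Framed plus PPP framing attributes. The two packets are constructed inline with a zeroed authenticator; the attribute numbers and Service-Type values are the standard RFC 2865 ones.

```python
import struct

# RFC 2865 packet code, attribute types and Service-Type values used below.
ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_MTU = 6, 7, 12
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 3: "Callback-Login",
                      4: "Callback-Framed", 6: "Administrative"}
FRAMING_ATTRS = {7: "Framed-Protocol", 8: "Framed-IP-Address",
                 9: "Framed-IP-Netmask", 12: "Framed-MTU"}

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "attrs": attrs}

def check_accept_for_wlc(packet: bytes) -> dict:
    """Report the Service-Type and any framing attributes in an Access-Accept."""
    parsed = parse_radius(packet)
    service, framing = None, []
    for atype, value in parsed["attrs"]:
        if atype == SERVICE_TYPE and len(value) == 4:
            service = SERVICE_TYPE_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif atype in FRAMING_ATTRS:
            framing.append(FRAMING_ATTRS[atype])
    accept = parsed["code"] == ACCESS_ACCEPT
    return {"accept": accept, "service_type": service, "framing_attrs": framing,
            "ok_for_wlc": accept and service == "Login" and not framing}

def build_accept(ident: int, attrs: list) -> bytes:
    """Assemble an Access-Accept with a zeroed authenticator (constructed test input)."""
    body = b"".join(bytes([atype, 2 + len(v)]) + v for atype, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed replies: Framed with PPP framing attributes, versus the plain Login reply.
FRAMED_REPLY = build_accept(1, [(SERVICE_TYPE, struct.pack("!I", 2)),
                                (FRAMED_PROTOCOL, struct.pack("!I", 1)),
                                (FRAMED_MTU, struct.pack("!I", 1500))])
LOGIN_REPLY = build_accept(2, [(SERVICE_TYPE, struct.pack("!I", 1))])

if __name__ == "__main__":
    for name, pkt in (("framed", FRAMED_REPLY), ("login", LOGIN_REPLY)):
        print(name, check_accept_for_wlc(pkt))
```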

Posted by Richard Eodice on August 13th, 2009 in Cisco Systems