I have replaced an aging firewall (custom setup using Linux) with a Cisco ASA 5505 appliance for our network. It's a very simple setup with around 10 workstations and a single Small Business Server 2008.
Setting up incoming ports for SMTP, HTTPS, remote desktop etc. to the SBS went fine - they are working like they should.
However, I have not succeeded in allowing incoming VPN connections. The clients trying to connect (running Windows 7) are stuck with the "Verifying username and password..." dialog before getting an error message 30 seconds later.
We have a single external, static IP, so I cannot set up the VPN connection on another IP address.
I have forwarded TCP port 1723 the same way as I did for SMTP and the others, by adding a static NAT route translating traffic from the SBS server on port 1723 to the outside interface.
In addition, I set up an access rule allowing all GRE packets (src any, dst any).
I have figured that I must somehow forward incoming GRE packets to the SBS server, but this is where I am stuck.
I am using ADSM to configure the 5505 (not console).
Any help is very much appreciated!
EDIT: See also the related question here: PPTP pass through on Cisco ASA 5505 (8.2)
As long as you have permitted (via necessary NAT and ACL) TCP/1723 to the SBS 2008 server there is no need to explicitly configure GRE as long as the ASA's PPTP Application Layer Gateway (ALG) is enabled.
Cisco used to call these ALG's "fixup" now they are called "inspect" in the ASA.
A vanilla ASA comes with a bare bones modular policy framework (MPF) making use of a global policy -- unfortunately the PPTP ALG is not enabled much to the chagrin of many a Windows administrator.
From the CLI
Add
inspect pptp
to your traffic class (likely definedinspection_default
traffic class in theglobal_policy
).From ASDM
Configuration (Top) -> Firewall (Lower Left) -> Service Policy Rules (Middle Left)
Select the traffic class which is likely
inspection_default
-> Click EditRule Actions (Tab) -> Check PPTP -> OK -> Apply
Save Configuration.