topic Re: Putting a PPTP server behing an ASA firewall ... in Network Security

Putting a PPTP server behing an ASA firewall ...

sanjaynadarajah — Mon, 11 Mar 2019 17:11:42 GMT

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.

The way I plan to do this is as follows :-
1. Create a static NAT for the PPTP server on the ASA firewall.

2. Add this piece of command :-

For versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

3. Inspects PPTP traffic via PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
!
!
4. Allow outside access to get to the host,
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
!
5. Arp entry to the ASA box
!
arp outside 125.125.125.126 001d.abcd.7cf8 alias
!
!
6. Static NAT from the outisde IP to the inside IP.
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
!

!
write mem
!

Question :-
1) Pls advice if I am missing anything else for this setup ?
2) What are the relevant show commands should I be using to check if this is working ? I am pretty new
to this kind of setup.
3) Do I need to allow forwading GRE protocol type 47 ?
3) Any good URL's that have this information ?

Thank you ,

Cheers

Re: Putting a PPTP server behing an ASA firewall ...

Jon Marshall — Thu, 18 Feb 2010 13:21:55 GMT

sanjaynadarajah wrote:

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.

Question :-
1) Pls advice if I am missing anything else for this setup ?
2) What are the relevant show commands should I be using to check if this is working ? I am pretty new
to this kind of setup.
3) Do I need to allow forwading GRE protocol type 47 ?
3) Any good URL's that have this information ?

Thank you ,

Cheers

Can't read visio's but there is a specific document for allowing PPTP through an ASA/Pix firewall so you may want to check your config against that -

PPTP through firewall

Jon

Re: Putting a PPTP server behing an ASA firewall ...

Panos Kampanakis — Thu, 18 Feb 2010 21:15:53 GMT

In other words you will need

policy-map global_policy

class inspection_default

inspect ppt

And opening up gre on your interface.

I hope it helps.

Re: Putting a PPTP server behing an ASA firewall ...

Kureli Sankar — Fri, 19 Feb 2010 00:02:16 GMT

GRE will be allowed automatically with inspect pptp.

Pls. read this command reference link for inspect pptp:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.

The link that Joh provide has examples to allow PPTP. Pls. follow that. I am enclosing the same link again.

1. for client on the inside

2. for server on the inside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

-KS

Re: Putting a PPTP server behing an ASA firewall ...

sanjaynadarajah — Sun, 21 Feb 2010 08:28:30 GMT

Well from this URL : http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml, it seems that the inspect command is only used if the PPTP client is behind the ASA box. In my setup, the PPTP client is at a different location.

So it looks to me what is needed here is the ACL and the static NAT.

Thank you,

Cheers.