I'm just using the Windows XP PPTP client passing through the ASA conecting to a Watchguard FireBox. I have configured NAT as type Dynamic, source any, interface outside, address outside. I have set up an access-list (outside incoming) allowing the remote network to the internal network for IP and the default inside any IP to any less secure networks.

Well, what do you mean by you configure dynamic NAT on the outside? That will not work.

Assuming that the connection is inbound from outside to inside (low to high security level), you would need to configure static translation.

For example:

If your PPTP server ip is 10.1.1.1, and translated to 200.1.1.1, you should configure the following:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 200.1.1.1 eq 1723

access-group outside in interface outside

Then add "inspect pptp" in your global policy map as KWillacey advised earlier.

Hope that helps.

Sorry, to clarify, I'm using ASA ver 8.2(1). I have set up my nat as follows:

nat (inside) 101 0.0.0.0 0.0.0.0

global (outside) 101 interface

Do I need to set up a static nat as well?

Yes, you definitely need a static NAT for the PPTP server.

It's a bit slow but all is working now after adding inspect pptp to the global_policy. According to the link posted earlier, you do not need to define a static mapping because the ASA 8.0 now inspects PPTP traffic. You can use PAT or define a static mapping. Thanks for all your help.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Commands to Add for Versions 7.x and 8.0 using inspection

Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:

1. Add PPTP inspection to the default policy-map using the default class-map.

   pixfirewall(config)#policy-map global_policy
   

   pixfirewall(config-pmap)#class inspection_default
   

   pixfirewall(config-pmap-c)#inspect pptp
   

2. You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

   pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
   
   pixfirewall(config)#global (outside) 1 interface
   

   OR

Commands to Add for Versions 7.x and 8.0 using ACL

Complete these steps to add commands for versions 7.x and 8.0 using ACL.

1. Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.

   pixfirewall(config)#static (inside,outside) 192.168.201.5  10.48.66.106
                         netmask 255.255.255.255 0 0
   

2. Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

   pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 
                         host 192.168.201.5 
   pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 
                         host 192.168.201.5 eq 1723
   

3. Apply the ACL.

   pixfirewall(config)#access-group acl-out in interface outside

Correct for outbound PPTP connection. For inbound PPTP connection, you would still need to configure static NAT.

Hi,

Outbound PPTP is not working with below mentioned config..Do I need to add anything apart from this?

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

Regards

Kumar

Check the notes for PPTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1432892

Are you getting any errors?

Federico.

Hi,

Thanks for immediate reponse....Where/how to check for errors? r u asking errors are getting on clinet/ASA side..

Regards

kumar

Yes,

You're saying that outbound PPTP is not working through the ASA.

Are you getting any messages either on the client or server side?

Is the PPTP server ''inside'' or ''outside'' the ASA?

Federico.