Re: PPTP through Firepower Threat Defence

hoffa2000 · ‎09-25-2017

Hi all

I'm experimenting with an FTD in Azure where I'm trying to allow VPN services through the FTD to a server behind the FTD. I should be a basic NAT setup where I allow the VPN services (PPTP and L2TP) from the public IP of the FTD to be passed and translateed to the VPN server.

L2TP is working and I can connect but not PPTP. In ASA there used to be the "inspect PPTP" option to enable this but how would I accomplish this on the FTD?

Regards

Fredrik

mfcornett · ‎02-03-2018

It's not available in 6.2.2-81

> configure inspection
dns dns inspection
ftp ftp inspection
h323_h225 h323 h225 inspection
h323_ras h323 ras inspection
rsh rsh inspection
rtsp rtsp inspection
esmtp esmtp inspection
sqlnet sqlnet inspection
skinny skinny inspection
sunrpc sunrpc inspection
xdmcp xdmcp inspection
sip sip inspection
netbios netbios inspection
tftp tftp inspection
icmp icmp inspection
icmp_error icmp error inspection
dcerpc dcerpc inspection
ip-options ip-options inspection

Marvin Rhoads · ‎02-03-2018

You should be able to configure PPTP inspection using a Flex Config policy.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd86594

mfcornett · ‎02-04-2018

This Firepower Threat Defense appliance (Firepower 2140) is managed with Firepower Device Manager and FTD CLI, NOT Firepower Management Console, so FlexConfig is NOT an option.

Marvin Rhoads · ‎02-04-2018

Then unfortunately you will not be able to modify the appliance inspection policy given the current product capabilities.

hoffa2000 · ‎02-05-2018

Hi all

Thank you for the suggestions. I have however since my post learned that Microsoft doesn't allow PPTP at all in their Azure IaaS platform. Maybe it will change in the future but seems unlikely since some of the forum posts I've read on the issue are a few years old already.

Regards

Fredrik

IvanSH87 · ‎11-18-2020

Hi @hoffa2000 how did you do the basic NAT setup for the PPTP and L2TP?

Regards.