03-12-2012 07:15 PM - edited 03-11-2019 03:41 PM
Hi,
Currently we are having an issue with outside clients passing through our FWSM to a Windows server which terminates a PPTP VPN.
We have configured the following on the FWSM:
1) Configured access lists for the host allowing the following on the outside access list, and have also added a second entry explicitly permitting PPTP and GRE:
gre
tcp-udp/1723
tcp-udp/47
tcp-udp/50
tcp-udp/500
tcp/1423
tcp/3389
tcp/8092
tcp/9202
tcp/9990
tcp/9999
tcp/http
tcp/https
tcp/pptp
tcp/smtp
2) We have explicitly enabled GRE and PPTP on the inside interface also.
3) We have enabled PPTP inspection:
timeout pptp-gre 0:02:00
class-map pptp-port
match port tcp eq pptp
inspect pptp
policy-map pptp_policy
class pptp-port
inspect pptp
service-policy pptp_policy interface outside
Please see the configuration extract:
static (Customer,outside) tcp X.X.X.1 smtp X.X.X.1 smtp netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 www X.X.X.1 www netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 https X.X.X.1 https netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 1423 X.X.X.1 1423 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 3389 X.X.X.1 3389 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 9990 X.X.X.1 9990 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 8092 X.X.X.1 8092 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 9999 X.X.X.1 9999 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 9202 X.X.X.1 9202 netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.1 pptp X.X.X.1 pptp netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.2 www X.X.X.2 www netmask 255.255.255.255
static (Customer,outside) tcp X.X.X.2 https X.X.X.2 https netmask 255.255.255.255
timeout pptp-gre 0:02:00
object-group service DM_INLINE_SERVICE_18
service-object gre
service-object tcp eq 1423
service-object tcp eq 3389
service-object tcp eq 8092
service-object tcp eq 9202
service-object tcp eq 9990
service-object tcp eq 9999
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pptp
service-object tcp eq smtp
service-object tcp-udp eq 1723
service-object tcp-udp eq 47
service-object tcp-udp eq 50
service-object tcp-udp eq 500
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host X.X.X.2 object-group DM_INLINE_TCP_2
access-list outside_access_in extended deny ip any host X.X.X.2
access-list outside_access_in extended permit gre any host X.X.X.1
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_18 any host X.X.X.1
access-list outside_access_in extended deny ip any host X.X.X.1
access-list Customer_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (Customer) 0 access-list Customer_nat0_outbound
nat (Customer) 2 0.0.0.0 0.0.0.0
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect pptp
policy-map pptp_policy
class pptp-port
inspect pptp
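An added audit helper, written for this thread rather than taken from it or from Cisco: it parses the object-group and access-list line forms used in the post above and reports, for one inside host, whether the ACL permits both halves of PPTP, the TCP/1723 control connection and the GRE tunnel. GRE is IP protocol 47, not a port, so an entry such as "tcp-udp eq 47" matches port 47 and never the tunnel (likewise 50 is ESP, not a port), and the helper flags those. The sample configuration is a constructed subset of the post's lines keeping its X.X.X.n placeholders; function and variable names are hypothetical. It covers the access-list dimension only; the NAT exemption the thread was resolved with is outside what it checks.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"pptp": 1723, "www": 80, "https": 443, "smtp": 25}
PROTOCOL_NUMBERS = {47: "gre", 50: "esp"}  # IP protocol numbers, not TCP/UDP ports


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "gre"
    port: Optional[int]  # destination port, None for protocol-only entries
    dst: str             # destination host address or "any"


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _expand(proto: str, port: Optional[int]) -> List[Tuple[str, Optional[int]]]:
    # "tcp-udp" is shorthand for one entry per transport protocol
    return [("tcp", port), ("udp", port)] if proto == "tcp-udp" else [(proto, port)]


def _addr(t: List[str], i: int) -> Tuple[str, int]:
    # only the "any" and "host A.B.C.D" address forms used in the post are handled
    return (t[i + 1], i + 2) if t[i] == "host" else (t[i], i + 1)


def parse_config(text: str) -> Tuple[List[Ace], List[str]]:
    """Return the expanded access-list entries, in order, plus audit warnings."""
    groups, aces, warnings = {}, [], []
    current, group_proto = None, None
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 2:
            continue
        if t[0] == "object-group" and t[1] == "service":
            current = groups.setdefault(t[2], [])
            group_proto = t[3] if len(t) > 3 else None  # "object-group service NAME tcp"
        elif t[0] == "service-object" and current is not None:
            if len(t) == 2:                              # "service-object gre"
                current.append((t[1], None))
            else:                                        # "service-object tcp eq 1423"
                port = _port(t[3])
                if port in PROTOCOL_NUMBERS:
                    warnings.append(f"{raw.strip()!r}: {port} is IP protocol {PROTOCOL_NUMBERS[port]}, not a port")
                current.extend(_expand(t[1], port))
        elif t[0] == "port-object" and current is not None:
            current.extend(_expand(group_proto, _port(t[2])))
        elif t[0] == "access-list" and t[2] == "extended":
            action, i = t[3], 4
            if t[i] == "object-group":                   # "permit object-group NAME any host X"
                services, i = list(groups[t[i + 1]]), i + 2
            else:                                        # "permit gre any host X" / "deny ip ..."
                services, i = [(t[i], None)], i + 1
            i = _addr(t, i)[1]                           # source address (not needed by the audit)
            dst, i = _addr(t, i)
            if i < len(t) and t[i] == "object-group":    # trailing "object-group PORTS"
                services = list(groups[t[i + 1]])
            aces.extend(Ace(action, proto, port, dst) for proto, port in services)
    return aces, warnings


def first_match(aces: List[Ace], host: str, proto: str, port: Optional[int] = None) -> str:
    # ACLs are evaluated top-down; the first matching entry decides
    for ace in aces:
        if ace.dst not in ("any", host):
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ACL


def pptp_passthrough_status(config: str, host: str) -> dict:
    aces, warnings = parse_config(config)
    return {
        "tcp_1723": first_match(aces, host, "tcp", 1723) == "permit",
        "gre": first_match(aces, host, "gre") == "permit",
        "warnings": warnings,
    }


# Constructed sample: a subset of the lines from the post, with its X.X.X.n placeholders
SAMPLE_CONFIG = """
object-group service DM_INLINE_SERVICE_18
service-object gre
service-object tcp eq pptp
service-object tcp-udp eq 47
service-object tcp-udp eq 50
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host X.X.X.2 object-group DM_INLINE_TCP_2
access-list outside_access_in extended deny ip any host X.X.X.2
access-list outside_access_in extended permit gre any host X.X.X.1
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_18 any host X.X.X.1
access-list outside_access_in extended deny ip any host X.X.X.1
"""

if __name__ == "__main__":
    for host in ("X.X.X.1", "X.X.X.2"):
        print(host, pptp_passthrough_status(SAMPLE_CONFIG, host))
```

For X.X.X.1 the helper reports both TCP/1723 and GRE permitted and lists the two port-47/port-50 entries as warnings; for X.X.X.2 the "deny ip" line is hit first and both are reported as blocked, which is the ordering behaviour worth remembering when an explicit GRE permit is added below a deny.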
03-12-2012 08:19 PM
A brief diagram
Outside user ===> outside interface===> Customer interface===========>Customer router ========> PPTP Server
2.2.2.2 X.X.X.1 Customer GW Site GW 1.1.1.1 1.1.1.2
03-12-2012 08:44 PM
This has been resolved.
We needed a no exempt rule for the PPTP server.
Scott