sanjaynadarajah
Beginner

Putting a PPTP server behind an ASA firewall ...

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.

The way I plan to do this is as follows :-
1. Create a static NAT for the PPTP server on the ASA firewall.


2. Add these commands :-

For versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

3. Inspect PPTP traffic via PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
!
!
4. Allow outside access to get to the host.
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
!
5. ARP entry on the ASA box
!
arp outside 125.125.125.126 001d.abcd.7cf8 alias
!
!
6. Static NAT from the outside IP to the inside IP.
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
!

!
write mem
!

Question :-
1) Pls advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new
   to this kind of setup.
3) Do I need to allow forwarding of GRE, protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers

4 REPLIES 4
Jon Marshall
VIP Community Legend

sanjaynadarajah wrote:

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.



Question :-
1) Pls advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new
   to this kind of setup.
3) Do I need to allow forwarding of GRE, protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers

Can't read Visios, but there is a specific document for allowing PPTP through an ASA/PIX firewall, so you may want to check your config against that -

PPTP through firewall

Jon

Panos Kampanakis
Cisco Employee

In other words you will need

policy-map global_policy
 class inspection_default
  inspect pptp

And opening up GRE on your interface.

I hope it helps.

PK

GRE will be allowed automatically with inspect pptp.

Pls. read this command reference link for inspect pptp:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.

The link that Jon provided has examples to allow PPTP. Pls. follow that. I am enclosing the same link again.

1. for client on the inside

2. for server on the inside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

-KS
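KS's reply above explains that inspect pptp reads the TCP/1723 control channel and opens only the GRE connections that channel announces. The Python model below is an added example, not code from this thread or from Cisco: it parses the RFC 2637 Outgoing-Call-Request/Reply messages, records which Call ID each direction may carry, and then accepts or drops an enhanced-GRE packet against those learned pinholes. The client address 203.0.113.10, the Call IDs and the packet bytes are constructed; 125.125.125.126 is the server's outside address from the original post.

```python
import struct
PPTP_MAGIC = 0x1A2B3C4D                   # RFC 2637 magic cookie
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8   # control messages that carry a Call ID
GRE_PPP = 0x880B                          # GRE protocol type for PPP payloads

class PptpPinholes:
    """Learns GRE call IDs from the PPTP control channel (TCP/1723), as 'inspect pptp' does."""
    def __init__(self):
        self.allowed = {}  # (src_ip, dst_ip) -> call IDs permitted in GRE flowing that way
    def observe_control(self, src_ip, dst_ip, payload):
        """Parse one control message; GRE sent back to src_ip must carry src's own Call ID."""
        if len(payload) < 16: return None
        length, msg_type, magic, ctrl_type = struct.unpack("!HHIH", payload[:10])
        if msg_type != 1 or magic != PPTP_MAGIC or length != len(payload):
            return None                    # malformed: never open a pinhole from it
        if ctrl_type in (OUT_CALL_REQUEST, OUT_CALL_REPLY):
            (call_id,) = struct.unpack("!H", payload[12:14])
            self.allowed.setdefault((dst_ip, src_ip), set()).add(call_id)
            return call_id
        return None

    def gre_allowed(self, src_ip, dst_ip, gre):
        """True if an enhanced-GRE packet (RFC 2637 s4.1) matches a learned pinhole."""
        if len(gre) < 8: return False
        flags, proto, _plen, call_id = struct.unpack("!HHHH", gre[:8])
        if proto != GRE_PPP or not (flags & 0x2000) or (flags & 0x0007) != 1:
            return False                   # not PPP-over-GRE, no Key field, or wrong version
        return call_id in self.allowed.get((src_ip, dst_ip), set())

def out_call_request(call_id):
    """Constructed 168-byte Outgoing-Call-Request; fields after the Call ID are zeroed."""
    return struct.pack("!HHIHHH", 168, 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0, call_id).ljust(168, b"\0")

def out_call_reply(call_id, peer_call_id):
    """Constructed 32-byte Outgoing-Call-Reply echoing the peer's Call ID."""
    return struct.pack("!HHIHHHH", 32, 1, PPTP_MAGIC, OUT_CALL_REPLY, 0, call_id, peer_call_id).ljust(32, b"\0")

def gre_packet(call_id, ppp=b"\xff\x03\xc0\x21"):
    """Enhanced GRE: K=1,S=1,ver=1; Key = payload length + Call ID; seq=0; then a PPP LCP stub."""
    return struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, 0) + ppp

def demo():
    client, server = "203.0.113.10", "125.125.125.126"  # constructed client; server IP from the post
    fw = PptpPinholes()
    fw.observe_control(client, server, out_call_request(1))   # client chose Call ID 1
    fw.observe_control(server, client, out_call_reply(9, 1))  # server chose Call ID 9
    return (fw.gre_allowed(server, client, gre_packet(1)),    # True: to client, tagged with 1
            fw.gre_allowed(client, server, gre_packet(9)),    # True: to server, tagged with 9
            fw.gre_allowed(client, server, gre_packet(1)),    # False: ID 1 is not valid toward server
            fw.gre_allowed("198.51.100.7", server, gre_packet(9)))  # False: no control session seen
```

The last two cases are the point of the inspection: GRE that does not match a Call ID learned from a live TCP/1723 session is dropped even though protocol 47 as such is "allowed".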

sanjaynadarajah
Beginner

Well, from this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml, it seems that the inspect command is only used if the PPTP client is behind the ASA box. In my setup, the PPTP client is at a different location.

So it looks to me what is needed here is the ACL and the static NAT.

Thank you,

Cheers.