
How to configure PPTP pass-through on FWSM version 2.x and 3.x


Resolution

PPTP pass-through in version 2.x

In FWSM version 2.x, you can assign a static translation for the client and open TCP port 1723 and the GRE protocol so that the PPTP client can pass through the FWSM. Refer to this configuration example in order to accomplish this task:

static (inside,outside)   netmask 255.255.255.255
access-list outside_access_in permit tcp host  host eq 1723
access-list outside_access_in permit gre host host
access-group outside_access_in in interface outside
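
An added example, not part of the original article: a Python check that each GRE permit in an ACL like the one above is host-scoped and paired with a TCP 1723 permit for the same host pair. The sample ACL and its documentation-range addresses are constructed, and the function names are hypothetical.

```python
# Constructed sample ACL; addresses are documentation-range placeholders.
SAMPLE = """\
access-list outside_access_in permit tcp host 198.51.100.5 host 192.0.2.10 eq 1723
access-list outside_access_in permit gre host 198.51.100.5 host 192.0.2.10
access-list outside_access_in permit gre any host 192.0.2.20
access-list outside_access_in permit tcp host 198.51.100.7 host 192.0.2.30 eq 1723
access-group outside_access_in in interface outside
"""

def take_addr(tok):
    """Consume one address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def audit_pptp_acl(config, acl):
    """Return (finding, (src, dst)) tuples for PPTP permits in the named ACL."""
    ctrl, gre = set(), set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[2] == "extended":   # drop the keyword if present
            del tok[2]
        if tok[:3] != ["access-list", acl, "permit"]:
            continue
        try:
            src, rest = take_addr(tok[4:])
            dst, rest = take_addr(rest)
        except IndexError:                           # truncated entry, skip it
            continue
        if tok[3] == "tcp" and rest in (["eq", "1723"], ["eq", "pptp"]):
            ctrl.add((src, dst))
        elif tok[3] == "gre":
            gre.add((src, dst))
    findings = []
    for pair in sorted(gre):
        if any(p == "any" or "/" in p for p in pair):
            findings.append(("gre-not-host-scoped", pair))
        if pair not in ctrl:
            findings.append(("gre-without-1723", pair))
    findings += [("1723-without-gre", pair) for pair in sorted(ctrl - gre)]
    return findings

if __name__ == "__main__":
    for finding in audit_pptp_acl(SAMPLE, "outside_access_in"):
        print(finding)
```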

PPTP pass-through in version 3.x

In FWSM version 3.x, you can use the PPTP inspection engine so that the PPTP client is allowed to pass through the FWSM. In order to enable PPTP application inspection or to change the ports on which the FWSM listens, use the inspect pptp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Enable the PPTP inspection engine as shown in this example, which creates a class map to match PPTP traffic on the default port (1723). The service policy is then applied to the outside interface.

hostname(config)# class-map pptp-port
hostname(config-cmap)# match port tcp eq 1723
hostname(config-cmap)# exit
hostname(config)# policy-map pptp_policy
hostname(config-pmap)# class pptp-port
hostname(config-pmap-c)# inspect pptp
hostname(config-pmap-c)# exit
hostname(config)# service-policy pptp_policy interface outside
