cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
47236
Views
25
Helpful
12
Replies

How to allow PPTP VPN Access through ASA

Hi guys,

I have to allow the customers to VPN into an internal PPTP server located behind the ASA firewall and running on a Windows 2K8 server machine.

I've found that the configuration differs on the version of ASA. I am running ASA Version 8.2(5).

There are many rules in place and I would keep them. Many guides I've found are bad as they push the reader to delete the existing rules instead of adding the new ones.

Can you please let me know how to do? (If possible via ADSM) and if I have to expect issues when I will decide to upgrade my ASA?

Thanks,

Dario

3 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure static NAT translation as I believe the PPTP traffic is inbound from the Internet.

Then you would need to allow the PPTP traffic through on the outside interface: TCP/1723

Then you would need to enable PPTP inspection: inspect pptp

View solution in original post

Assuming your PPTP server is connected to the inside interface:

static (inside,outside) netmask 255.255.255.255

access-list permit tcp any host eq 1723

policy-map global_policy

  class inspection_default

     inspect pptp

View solution in original post

Yes thanks this worked....

object network VPN-TCP

host 192.168.1.2

nat (inside,outside) static interface service tcp pptp pptp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list outside_access_in_1 extended permit gre any host 192.168.1.2

access-list outside_access_in_1 remark VPN TCP Connection

access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp

access-list outside_access_in_1 remark VPN UDP Connection

policy-map global_policy

class inspection_default

  inspect pptp

!

Relpacing the Ip with my PPTP HOST IP..

Thanks again..

View solution in original post

12 Replies 12

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure static NAT translation as I believe the PPTP traffic is inbound from the Internet.

Then you would need to allow the PPTP traffic through on the outside interface: TCP/1723

Then you would need to enable PPTP inspection: inspect pptp

Hi Jennifer,

Sorry to bother you again but today I have no access to ADSM as I am working from remote and I can only access via ssh.

Could you please tell me which commands are necessary to allow the PPTP to the internal server?

I have a public IP dedicated to that server. so I have to forward all the IP traffic to it...

Thanks,

Dario

Assuming your PPTP server is connected to the inside interface:

static (inside,outside) netmask 255.255.255.255

access-list permit tcp any host eq 1723

policy-map global_policy

  class inspection_default

     inspect pptp

So if I am behind a ASA 5505 on 8.4 and need to connect out to my corperate pptp VPN.. what would I need to do?

It used to work correctly, but something got changed, and now it wont work, I temp fixed it by staticly assigning 1 IP to be allowed, but this is PITA, for laptop user who come to my office.. ASDM or CLI is fine..

Thx

Asa 8.4 requires GRE. Assuming 192.168.1.2 is my pptp server, I used the following config on my ASA 5505... try if it works also for you.

object network VPN-TCP

host 192.168.1.2

object network VPN-TCP

nat (inside,outside) static interface service tcp pptp pptp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list outside_access_in_1 extended permit gre any host 192.168.1.2

access-list outside_access_in_1 remark VPN TCP Connection

access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp

access-list outside_access_in_1 remark VPN UDP Connection

policy-map global_policy

class inspection_default

  inspect pptp

!

After this line:

nat (inside,outside) static interface service tcp pptp pptp

I get this

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

Am I do it wrong?

YZ-FW(config)# object network VPN-TCP

YZ-FW(config-network-object)# nat (inside,outside) static interface service tcp pptp pptp

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

YZ-FW(config-network-object)#

Sorry. Before that line you should add something like this to define the group:

object network VPN-TCP

host 192.168.1.2

Dario

Yes thanks this worked....

object network VPN-TCP

host 192.168.1.2

nat (inside,outside) static interface service tcp pptp pptp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list outside_access_in_1 extended permit gre any host 192.168.1.2

access-list outside_access_in_1 remark VPN TCP Connection

access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp

access-list outside_access_in_1 remark VPN UDP Connection

policy-map global_policy

class inspection_default

  inspect pptp

!

Relpacing the Ip with my PPTP HOST IP..

Thanks again..

now what do you know about putting a Sprint Airave in a DMZ?  lol

I had it working, now i changed somethign , and it wont work.. New thread..lol

I guess you have to open a new thread.

I can't help you with this issue :-)

yasona1978
Level 1
Level 1

Thank you 

 inspect pptp was my issue