06-18-2012 02:04 AM
Hi guys,
I have to allow the customers to VPN into an internal PPTP server located behind the ASA firewall and running on a Windows 2K8 server machine.
I've found that the configuration differs depending on the ASA version. I am running ASA Version 8.2(5).
There are many rules in place and I would keep them. Many guides I've found are bad as they push the reader to delete the existing rules instead of adding the new ones.
Can you please let me know how to do it (if possible via ASDM), and whether I should expect issues when I decide to upgrade my ASA?
Thanks,
Dario
06-18-2012 06:04 AM
You would need to configure static NAT translation as I believe the PPTP traffic is inbound from the Internet.
Then you would need to allow the PPTP traffic through on the outside interface: TCP/1723
Then you would need to enable PPTP inspection: inspect pptp
06-20-2012 08:48 PM
Hi Jennifer,
Sorry to bother you again, but today I have no access to ASDM as I am working remotely and can only get in via SSH.
Could you please tell me which commands are necessary to allow PPTP to the internal server?
I have a public IP dedicated to that server, so I have to forward all the IP traffic to it...
Thanks,
Dario
06-20-2012 10:47 PM
Assuming your PPTP server is connected to the inside interface:
static (inside,outside)
access-list
policy-map global_policy
class inspection_default
inspect pptp
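The three steps above in the syntax of the version Dario is running. This is an added example written for this page, not configuration posted in the thread: it assumes a PPTP server at 192.168.1.2 on the inside with a dedicated public address 203.0.113.10 (both placeholders), and an interface ACL named outside_access_in (the ASDM default; use whatever name is already bound to the outside interface so the existing rules stay in place). Pre-8.3 ASA code uses the old `static` NAT form, and interface ACLs match the translated (public) address, which is the opposite of the 8.4 configs further down in the thread.

```text
! Added example, not from the thread. Placeholders:
!   203.0.113.10 = public IP dedicated to the PPTP server
!   192.168.1.2  = PPTP server (Windows 2008) on the inside interface
!
! 1) One-to-one static NAT, pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255
!
! 2) Inbound rules on the outside ACL. Pre-8.3 ACLs reference the public (translated) address.
!    TCP/1723 is the PPTP control channel; GRE (IP protocol 47) carries the tunnel itself.
access-list outside_access_in remark Customer PPTP: control channel
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq pptp
access-list outside_access_in remark Customer PPTP: GRE tunnel
access-list outside_access_in extended permit gre any host 203.0.113.10
!
! 3) Add PPTP inspection to the existing global policy instead of recreating it.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Only if no ACL is bound to the outside interface yet (check first with "show run access-group"):
! access-group outside_access_in in interface outside
```

Verify with `show xlate` (the static translation should be listed) and `show service-policy inspect pptp` (counters increase while a client connects). Both ACEs use `any` as the source, as the thread does; if the customer address ranges are known, narrow them, since TCP/1723 and GRE open to the whole Internet expose the Windows server's accounts to password guessing, and PPTP's MS-CHAPv2 authentication is known to be weak. On the upgrade question: moving to 8.3 or later converts `static` entries into object NAT and rewrites interface ACLs to real addresses automatically, which is the form the 8.4 configuration later in this thread takes.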
07-23-2012 03:12 PM
So if I am behind an ASA 5505 on 8.4 and need to connect out to my corporate PPTP VPN, what would I need to do?
It used to work correctly, but something got changed and now it won't work. I temporarily fixed it by statically assigning one IP to be allowed, but this is a PITA for laptop users who come to my office. ASDM or CLI is fine.
Thx
07-23-2012 06:11 PM
ASA 8.4 requires GRE. Assuming 192.168.1.2 is my PPTP server, I used the following config on my ASA 5505; try whether it also works for you.
! Network object for the PPTP server; in 8.3+ the static NAT is entered under the object.
object network VPN-TCP
 host 192.168.1.2
 nat (inside,outside) static interface service tcp pptp pptp
! Created by ASDM but not referenced below; the GRE rule uses the protocol keyword directly.
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object gre
! 8.3+ interface ACLs match the real (untranslated) address of the server.
access-list outside_access_in_1 extended permit gre any host 192.168.1.2
access-list outside_access_in_1 remark VPN TCP Connection
access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp
access-list outside_access_in_1 remark VPN UDP Connection
! Inspect the PPTP control channel so the ASA can open and translate the GRE tunnel.
policy-map global_policy
 class inspection_default
  inspect pptp
!
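The question this reply answers is the outbound case: a PPTP client on the inside reaching a corporate PPTP server on the Internet through an ASA doing PAT. The config above is for hosting a server, so here is an added example for the client-behind-PAT case on 8.4; it is not from the thread, and 192.168.1.0/24 is a placeholder for the inside network.

```text
! Added example, not from the thread: outbound PPTP client through an ASA 5505 on 8.4 doing PAT.
! Placeholder: 192.168.1.0/24 = inside network.
!
! Dynamic PAT of inside hosts to the outside interface address (8.3+ object NAT).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! GRE has no ports, so plain PAT cannot translate it: without inspection the GRE tunnel from a
! PAT'd host has no translation and is dropped, and a one-to-one static NAT for a single host
! (the workaround mentioned in the question) only sidesteps that for that one host.
! PPTP inspection reads the TCP/1723 control channel, learns the call IDs and builds the GRE
! translation and connection for each client.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Verify while a laptop connects:
!   show service-policy inspect pptp    (counters increase on control-channel traffic)
!   show conn | include GRE             (one GRE connection per active tunnel)
```

No inbound ACL entries are needed for this direction; the return GRE traffic is matched to the connection the inspection engine created.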
07-23-2012 06:23 PM
After this line:
nat (inside,outside) static interface service tcp pptp pptp
I get this:
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded
Am I doing it wrong?
YZ-FW(config)# object network VPN-TCP
YZ-FW(config-network-object)# nat (inside,outside) static interface service tcp pptp pptp
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded
YZ-FW(config-network-object)#
07-23-2012 06:57 PM
Sorry. Before that line you should add something like this to define the group:
object network VPN-TCP
host 192.168.1.2
Dario
07-23-2012 07:17 PM
Yes, thanks, this worked....
object network VPN-TCP
host 192.168.1.2
nat (inside,outside) static interface service tcp pptp pptp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list outside_access_in_1 extended permit gre any host 192.168.1.2
access-list outside_access_in_1 remark VPN TCP Connection
access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp
access-list outside_access_in_1 remark VPN UDP Connection
policy-map global_policy
class inspection_default
inspect pptp
!
Replacing the IP with my PPTP host IP.
Thanks again.
07-23-2012 07:19 PM
No worries mate.
07-23-2012 07:21 PM
now what do you know about putting a Sprint Airave in a DMZ? lol
I had it working, now I changed something, and it won't work. New thread... lol
07-23-2012 07:23 PM
I guess you have to open a new thread.
I can't help you with this issue :-)
07-08-2014 04:11 AM
Thank you
inspect pptp was my issue