I'm used to IPSEC and have never set up GRE/PPTP with a Cisco ASA before. The customer is using Outlook sync on their mobiles and some are using the Microsoft VPN client to reach the internal network from the outside. We are replacing an old Linux-based firewall that is configured with PPTP/GRE. The following example is from Cisco and is named "Permitting PPTP/L2TP Connections Through the PIX/ASA":
Permitting PPTP/L2TP Connections Through the PIX/ASA
Document ID: 18806
Commands to Add for Versions 7.x and 8.0 using inspection
Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:
Add PPTP inspection to the default policy-map using the default class-map.
You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.
pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
Commands to Add for Versions 7.x and 8.0 using ACL
Complete these steps to add commands for versions 7.x and 8.0 using an ACL:
Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.
pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0
Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.
pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723
Apply the ACL.
pixfirewall(config)#access-group acl-out in interface outside
We have a 255.255.255.252 subnet from our ISP and have one available public IP address on the outside. That means that we have to use NAT/PAT between the outside and inside interface. The example mentions that when you enable inspect pptp you don't need to define a static mapping and PAT can be used. I'm confused! Is this all that is necessary when you enable inspect pptp?
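An added worked configuration, not taken from the Cisco document or from the poster's firewall, showing how the inspection approach combines with PAT on a single public address for both directions the post mentions: inside PPTP clients going out, and Microsoft VPN clients on the Internet reaching an inside PPTP server. The inside server address 10.48.66.106 is reused from the quoted Cisco example; the interface names "inside"/"outside", the 10.48.66.0/24 inside network and the use of the outside interface address as the only public IP are assumptions. Syntax is ASA 7.x/8.0 as in the quoted document.

```cisco
! Added example config (assumptions: interfaces "inside" and "outside",
! inside LAN 10.48.66.0/24, inside PPTP server 10.48.66.106, one public
! address which is the outside interface address). ASA 7.x/8.0 syntax.

! 1. Enable PPTP inspection in the default global policy. The ASA follows the
!    TCP/1723 control channel, opens a GRE pinhole for each call it sees and
!    translates the GRE call IDs, which is what lets PPTP survive PAT without
!    a one-to-one static mapping.
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global

! 2. Outbound clients: PAT the whole inside network to the outside interface
!    address. No static is needed because inspection handles the GRE leg.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 3. Inbound VPN clients to the inside PPTP server: forward only TCP/1723 on
!    the outside interface address to the server (static PAT). The GRE
!    connections for each call are created by the inspection engine.
static (inside,outside) tcp interface 1723 10.48.66.106 1723 netmask 255.255.255.255

! 4. Permit only the PPTP control port from the Internet. GRE is admitted per
!    call by inspection, so no blanket "permit gre any any" is required, and
!    nothing else on the inside is exposed.
access-list outside_in extended permit tcp any interface outside eq 1723
access-group outside_in in interface outside
```

Checks worth running after applying this: `show service-policy inspect pptp` should show the inspection counters increasing while a client connects, and `show conn` should list a GRE entry alongside the TCP/1723 connection for each active tunnel. Because PPTP's MS-CHAPv2 authentication is known to be weak, the ASA's own L2TP/IPsec or IPsec remote-access support is the usual replacement once the migration is stable.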