GRE/PPTP and Cisco ASA 5505

jan.frode.sjursen · ‎06-17-2008

I'm used to IPSEC and have never setup a GRE/PPTP with a Cisco ASA before. The customer are using Outlook sync on their mobile and some are using Microsoft VPN client to reach the internal network from the outside. We are replacing an old Linux based firewall that is configured with PPTP/GRE. The following example is from Cisco and is named Permitting PPTP/L2TP Connections Through the PIX/ASA

Downloads

Permitting PPTP/L2TP Connections Through the PIX/ASA

Document ID: 18806

Commands to Add for Versions 7.x and 8.0 using inspection

Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixfirewall(config)#global (outside) 1 interface

OR

Commands to Add for Versions 7.x and 8.0 using ACL

Complete these steps to add commands for versions 7.x and 8.0 using ACL.

Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.

pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106

netmask 255.255.255.255 0 0

Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.

pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25

host 192.168.201.5

pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25

host 192.168.201.5 eq 1723

Apply the ACL.

pixfirewall(config)#access-group acl-out in interface outside

We have a 255.255.255.252 subnet from our ISP and have one available public IP adress on the outside. That means that we have to use NAT/PAT between the outside and inside interface. The example mentions that when you enable inspect pptp you don't need to define a static mapping and PAT can be used. I'm confused! Is this all that is neccessary when you enable inspect pptp?

Farrukh Haroon · ‎06-17-2008

The commands you mention are for Client inside scenario I think, if I read correctly yours' is the Server inside Client outside case, have a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

Regards

Farrukh

jan.frode.sjursen · ‎06-18-2008

PPTP with the Client Outside and the Server Inside. access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5

access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723

static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0

access-group acl-out in interface outside This example are using Static NAT but we have to use PAT (with port redirection?) This works with the old firewall.

Fernando_Meza · ‎06-18-2008

Hi,

I don't think you can use port forwarding in your case because PPTP uses TCP/1721 and GRE PROTOCOL 47. port forwarding works for TCP or UDP

Your only option is one to one static NAT as in the example provided by Cisco

I hope it helps .. !!! please rate helpful posts