06-17-2008 12:25 PM - edited 03-11-2019 06:00 AM
I'm used to IPsec and have never set up GRE/PPTP with a Cisco ASA before. The customer is using Outlook sync on their mobiles, and some are using the Microsoft VPN client to reach the internal network from outside. We are replacing an old Linux-based firewall that is configured with PPTP/GRE. The following example is from Cisco and is named "Permitting PPTP/L2TP Connections Through the PIX/ASA".
Permitting PPTP/L2TP Connections Through the PIX/ASA
Document ID: 18806
Commands to Add for Versions 7.x and 8.0 using inspection
Complete these steps to add commands for versions 7.x and 8.0 using the inspect command:
Add PPTP inspection to the default policy-map using the default class-map.
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp
You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.
pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
OR
Commands to Add for Versions 7.x and 8.0 using ACL
Complete these steps to add commands for versions 7.x and 8.0 using ACL.
Define the static mapping for the inside PC. The address seen on the outside is 192.168.201.5.
pixfirewall(config)#static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0
Configure and apply the ACL to permit the GRE return traffic from the PPTP server to the PPTP client.
pixfirewall(config)#access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
pixfirewall(config)#access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723
Apply the ACL.
pixfirewall(config)#access-group acl-out in interface outside
We have a 255.255.255.252 subnet from our ISP and have one available public IP address on the outside. That means that we have to use NAT/PAT between the outside and inside interfaces. The example mentions that when you enable inspect pptp you don't need to define a static mapping and PAT can be used. I'm confused! Is this all that is necessary when you enable inspect pptp?
06-17-2008 06:42 PM
The commands you mention are for the client-inside scenario, I think. If I read correctly, yours is the server-inside, client-outside case. Have a look at this:
Regards
Farrukh
06-18-2008 01:33 AM
PPTP with the Client Outside and the Server Inside:
access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5
access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723
static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
This example is using static NAT, but we have to use PAT (with port redirection?). This works with the old firewall.
06-18-2008 02:19 AM
Hi,
I don't think you can use port forwarding in your case, because PPTP uses TCP/1721 and GRE (IP protocol 47), and port forwarding works only for TCP or UDP.
Your only option is one-to-one static NAT, as in the example provided by Cisco.
I hope it helps! Please rate helpful posts.
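The server-inside, client-outside case discussed above, written out as one complete ASA 7.x/8.0 (pre-8.3 NAT syntax) configuration with the checks to run while a client connects. This is an added example, not the Cisco document's text or any poster's configuration. It reuses the addresses from the quoted document (server 10.48.66.106 inside, 192.168.201.5 as a dedicated public address for it) and assumes the clients' public source addresses are not known in advance, so the ACL uses `any` where the Cisco example used a fixed client host; the `acl-out`, `cap-gre` and `gre-cap` names are assumptions.

```cisco
! Added example: PPTP server inside, roaming PPTP clients outside.
! Assumed addresses: server 10.48.66.106 (inside), public 192.168.201.5.
! GRE (IP protocol 47) carries no port number, so it cannot be handled
! by a tcp/udp port-redirection static; the server needs a one-to-one
! static translation to a public address.
!
! 1. One-to-one static NAT for the PPTP server
static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0
!
! 2. Inbound ACL on the outside interface: the PPTP control channel
!    (TCP/1723) and the GRE tunnel. "any" because the mobile clients'
!    addresses are not fixed; narrow it if they are.
access-list acl-out permit tcp any host 192.168.201.5 eq 1723
access-list acl-out permit gre any host 192.168.201.5
access-group acl-out in interface outside
!
! 3. PPTP inspection in the default global policy (the part of the
!    Cisco document that removes the need for a static when the
!    clients are inside and PAT is used; harmless to add here as well)
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Checks while a client attempts a connection:
! - the static translation must be present
show xlate
! - the TCP/1723 control connection must appear
show conn | include 1723
! - hitcnt on BOTH permit lines must rise; tcp rising while gre stays
!   at 0 means the control channel works but the tunnel is blocked
show access-list acl-out
! - inspection counters, if step 3 is used
show service-policy inspect pptp
!
! If the tunnel never comes up, capture GRE on the outside interface to
! see whether the client's GRE packets reach the ASA at all
access-list cap-gre permit gre any any
capture gre-cap access-list cap-gre interface outside
show capture gre-cap
```

The point of the two ACL lines is the one made in the last reply: TCP/1723 alone only gets the control connection up; the actual data goes over GRE, which has no ports, so it has to be permitted as a protocol to a one-to-one translated address.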