Port forwarding pptp on ASA 8.04

gordonmarkus
Level 1

Hi everyone,

I've got a bit of an odd scenario here, and I hope that someone may have come across this before.

I have a customer that is in the process of migrating from a Netgear infrastructure to a Cisco infrastructure, which is going to include an ASA5510 as the perimeter firewall. I have got the ASA up and running, and everything is working fine - except that I need to forward pptp (port 1723) to a server on the LAN. There are numerous other services (smtp, pop3, various web services) that I have successfully forwarded using port address translation to the outside interface, but for some reason pptp just won't work in this way.

When I look in the debug/syslog, it seems as though the TCP sessions establish and get torn down normally - so it's almost like nothing is wrong, but from the client perspective they just see the message 'verifying username & password' and eventually the session fails.

Here are some config extracts of what I have done - for example, port 100 is forwarded and works OK:

static (inside,outside) tcp interface 100 al-pri 100 netmask 255.255.255.255

access list:

object-group service Intranet tcp

port-object eq 100

access-list outside_access_in remark WAN->LAN Intranet to AL-PRI

access-list outside_access_in extended permit tcp any host al-pri object-group Intranet

and for the pptp forwarding, which isn't working:

static (inside,outside) tcp interface pptp al-pri pptp netmask 255.255.255.255

static (inside,outside) tcp interface 47 al-pri 47 netmask 255.255.255.255

object-group service VPN_Ports tcp

description PPTP VPN Ports

port-object eq 47

port-object eq pptp

access-list outside_access_in remark WAN->LAN VPN to AL-PRI

access-list outside_access_in extended permit tcp any host al-pri object-group VPN_Ports log debugging

Any help or advice would be really appreciated.

Regards,

-Gordon

8 Replies

Jon Marshall
Hall of Fame

Gordon

I believe PPTP also relies on GRE which is protocol 47 (from memory). So you can't port forward GRE because it has no port number to translate. So you would need a 1 to 1 mapping.

Unless I have misunderstood the question?

Edit - you must have added the config part after I posted. Jorge is correct in what he says about your static statement for port 47 - it won't work.

Jon

Gordon, I agree with Jon ..

static (inside,outside) tcp interface 47 al-pri 47 netmask 255.255.255.255

what you are forwarding here is tcp port 47; I do not believe this is the case of protocol 47 GRE,

you will need an actual one-to-one NAT translation for the PPTP server inside the LAN unless there is another way of doing it... but I would have to lab it out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

[edit]

you can try

static (inside,outside) interface [pptp_server_ip] netmask 255.255.255.255

and allow GRE via ACL... not sure if it would work.

Regards

Jorge Rodriguez
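The point Jon and Jorge make (GRE is IP protocol 47, not TCP port 47, and it carries no port field for a per-port static PAT to match, so only an address-level one-to-one static works) can be shown with a toy classifier. The example below is added here for illustration and is not code from the thread or from Cisco: it builds constructed IPv4 packets, parses them, and applies two rule styles modelled on the ASA 8.0 `static` syntax quoted above. The addresses 198.51.100.1 and 10.0.0.10 are assumptions standing in for the outside interface and for al-pri.

```python
"""Toy model of ASA static PAT versus one-to-one static NAT applied to PPTP traffic.

Added illustration only; the packet builder, rule classes and addresses are
constructed for this demo and are not the ASA's implementation.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47          # GRE is IP protocol 47; the header has no port field

OUTSIDE_IF_IP = "198.51.100.1"   # assumed public address of the outside interface


@dataclass
class Packet:
    proto: int
    dst_ip: str
    dst_port: Optional[int]      # None for port-less protocols such as GRE


def build_ipv4(proto: int, dst_ip: str, payload: bytes, src_ip: str = "203.0.113.5") -> bytes:
    """Construct a minimal IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return header + payload


def tcp_payload(dst_port: int, src_port: int = 40000) -> bytes:
    """Just enough of a TCP header (source/destination ports, rest zeroed) for parsing."""
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16


def gre_payload() -> bytes:
    """Enhanced GRE header as PPTP uses it: flags/version then protocol type 0x880B (PPP)."""
    return struct.pack("!HH", 0x3001, 0x880B)


def parse(raw: bytes) -> Packet:
    """Extract protocol, destination address and (for TCP/UDP only) destination port."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    dst_ip = ".".join(str(b) for b in raw[16:20])
    dst_port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        dst_port = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return Packet(proto, dst_ip, dst_port)


@dataclass
class StaticPat:
    """static (inside,outside) tcp interface <mapped_port> <real_host> <real_port>"""
    proto: int
    mapped_port: int
    real_host: str
    real_port: int


@dataclass
class StaticOneToOne:
    """static (inside,outside) interface <real_host> netmask 255.255.255.255"""
    real_host: str


def translate(pkt: Packet, rules) -> Optional[str]:
    """Return the inside host an inbound packet is untranslated to, or None if nothing matches."""
    if pkt.dst_ip != OUTSIDE_IF_IP:
        return None
    for rule in rules:
        if isinstance(rule, StaticOneToOne):
            return rule.real_host            # whole address is mapped, any IP protocol
        if isinstance(rule, StaticPat) and pkt.proto == rule.proto and pkt.dst_port == rule.mapped_port:
            return rule.real_host            # only a matching (protocol, port) pair can hit
    return None


def demo() -> dict:
    """Run the three packet types from the thread against both rule styles (constructed data)."""
    real_host = "10.0.0.10"                  # assumed inside address standing in for al-pri
    packets = {
        "pptp_control": parse(build_ipv4(IPPROTO_TCP, OUTSIDE_IF_IP, tcp_payload(1723))),
        "tcp_port_47":  parse(build_ipv4(IPPROTO_TCP, OUTSIDE_IF_IP, tcp_payload(47))),
        "gre":          parse(build_ipv4(IPPROTO_GRE, OUTSIDE_IF_IP, gre_payload())),
    }
    # The thread's original config: per-port PAT for 1723 and for "port 47"
    pat_rules = [StaticPat(IPPROTO_TCP, 1723, real_host, 1723),
                 StaticPat(IPPROTO_TCP, 47, real_host, 47)]
    # Jorge's suggested alternative: one-to-one static to the interface address
    one_to_one = [StaticOneToOne(real_host)]
    return {
        "pat": {name: translate(p, pat_rules) for name, p in packets.items()},
        "one_to_one": {name: translate(p, one_to_one) for name, p in packets.items()},
    }


if __name__ == "__main__":
    for style, results in demo().items():
        print(style, results)
```

Under the PAT rules the PPTP control connection (TCP 1723) and a TCP packet to port 47 are both forwarded, which is why the syslog shows TCP sessions building and tearing down normally, but the GRE packet matches nothing and is dropped, so the client stalls at "verifying username & password". Under the one-to-one static all three reach the inside host; the outside ACL then still has to permit gre to that address, as Jorge notes.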

Hi everyone,

Thanks for your responses and interest in this thread. Apologies for the slight delay in responding, but it was a long day on site, followed by a long night and another long day today... anyway....

We basically have a working solution now, but we were unable to get the 'port forwarding' type solution working with pptp/GRE.

In the specific scenario that I was working on, the customer had 2 pptp servers, one which was to be NAT'd to the public IP of the outside interface of the ASA, and the other that could be NAT'd to a spare public IP address. Luckily, the majority of the users (400 or so) in the customer environment that have to remain on the pptp service are going to be using the server that is NAT'd to the spare address - i.e. we have a one-to-one static NAT from the pptp server on the DMZ to the public IP on the outside interface. As there are only going to be approx 30 users that were going to be using the other pptp server, the customer has agreed that the way forward is to roll out Cisco VPN client to these users when the time comes to migrate.

Thanks for highlighting my config issue with confusing port 47 with protocol 47! That definitely wasn't helping either!

Regards,

-Gordon

Gordon,

Thanks for the update, I'm sure we were all wondering about your reply..

IPsec VPN is indeed a better solution, especially because of the limitations of PPTP and GRE processing; in fact I have read a few articles on PPTP weakness, and it does not really provide high-end security... easily hackable.

With IPsec VPN RA you do not have the limitation for one-to-one NAT as far as I know since you are terminating the tunnel in the ASA outside interface..

Good luck

Regards

Jorge

Jorge Rodriguez

Dear Sir

Have a nice day

In my network I make the internet connection through the Cisco firewall ASA5510 and I have one real IP from the ISP.

The problem is that I don't know how I could forward the ports through the firewall to make my mail and web server work (SMTP, POP3, HTTP) and some other ports.

Please can you help me to make the firewall forward the ports through one real IP and send me the commands, or tell me if you have another solution.

Thank you for your help

Best regards

Saad,

Can you please start a new thread on your question.

Under firewalling create a new thread so that it does not get confused with this PPTP thread.

Regards

Jorge Rodriguez

"in fact I have read few articles on PPTP weekness and do not realy provide high end security ..easily hackable ."

I am not a friend of Microsoft but I think this statement is unfair.

PPTP is just as secure as other VPN technologies when implemented properly. Checkpoint, Cisco, Juniper and Aventail all have their shares of weaknesses. I myself do not use PPTP in a production environment but I think it is a reasonably secure VPN technology when used properly.

my 2c.

Sure, I can buy that. I guess one will really need to dissect the whole MS VPN PPTP to validate what has been read!! That statement was an educated statement.. you can pretty much google it and you will find many articles.

But in my readings on this about a year ago, a particular article, which I have somewhere, had a thorough analysis of MS VPN weaknesses and how easily it could be compromised, and it scared me.

If you have a link on "when used properly" or a guideline, I'll be interested in reading it.

Right now, if MS PPTP was a last resort to use, I would place it on a DMZ with real tight rules and probably enforce minimum password length and/or regular password resets for users, but still I would have to be convinced that there is a better way and that it is really secure.

There are good links here, down the page under External Links, to several articles on it.

http://en.wikipedia.org/wiki/PPTP

Jorge Rodriguez