02-17-2010 08:01 PM - edited 03-11-2019 10:11 AM
Hello Experts,
I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.
The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.
The way I plan to do this is as follows :-
1. Create a static NAT for the PPTP server on the ASA firewall.
2. Add this piece of command :-
For versions 7.x and 8.0 using the inspect command:
Add PPTP inspection to the default policy-map using the default class-map.
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp
3. Inspects PPTP traffic via PAT.
pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
!
!
4. Allow outside access to get to the host,
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
!
5. Arp entry to the ASA box
!
arp outside 125.125.125.126 001d.abcd.7cf8 alias
!
!
6. Static NAT from the outside IP to the inside IP.
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
!
!
write mem
!
Question :-
1) Please advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information?
Thank you,
Cheers
02-18-2010 05:21 AM
sanjaynadarajah wrote:
Hello Experts,
I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.
The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.
Question :-
1) Please advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information? Thank you,
Cheers
Can't read Visio files but there is a specific document for allowing PPTP through an ASA/PIX firewall so you may want to check your config against that -
Jon
02-18-2010 01:15 PM
In other words you will need
policy-map global_policy
 class inspection_default
  inspect pptp
And opening up GRE on your interface.
I hope it helps.
PK
02-18-2010 04:02 PM
GRE will be allowed automatically with inspect pptp.
Please read this command reference link for inspect pptp:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.
The link that Jon provided has examples to allow PPTP. Please follow that. I am enclosing the same link again.
1. for client on the inside
2. for server on the inside.
-KS
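An added illustration, written for this thread rather than taken from it or from Cisco's code, of what the inspection behaviour KS quotes actually does: it parses the PPTP Outgoing-Call-Request/Reply exchange on TCP/1723 to learn both Call IDs, derives the two GRE (protocol 47) flows a stateful inspector would then permit, and rewrites the server side through the static NAT from the original post. The message builders and the client address 203.0.113.10 are constructed for the example.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D          # RFC 2637 magic cookie
CTRL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7        # client -> server, carries the client's Call ID
OUTGOING_CALL_REPLY = 8          # server -> client, carries the server's Call ID

def parse_control_message(data):
    """Validate the 12-byte PPTP control header and return (control type, body)."""
    if len(data) < 12:
        raise ValueError("short PPTP header")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE or length != len(data):
        raise ValueError("not a well-formed PPTP control message")
    return ctrl_type, data[12:]

def gre_pinholes(client_ip, server_ip, messages):
    """Return the GRE flows a PPTP-aware inspector would open after watching the
    TCP/1723 control channel, as (src, dst, call_id) tuples. The enhanced-GRE
    key field of each data packet carries the *receiver's* Call ID."""
    client_call = server_call = None
    for msg in messages:
        ctrl_type, body = parse_control_message(msg)
        if ctrl_type == OUTGOING_CALL_REQUEST:
            client_call = struct.unpack("!H", body[:2])[0]
        elif ctrl_type == OUTGOING_CALL_REPLY:
            server_call, peer_call = struct.unpack("!HH", body[:4])
            if peer_call != client_call:
                raise ValueError("reply does not acknowledge the request's Call ID")
    if client_call is None or server_call is None:
        return []                # no complete call setup seen: no GRE allowed yet
    return [(client_ip, server_ip, server_call), (server_ip, client_ip, client_call)]

def apply_static_nat(pinholes, mapped_ip, real_ip):
    """Rewrite the mapped (public) address to the real inside address, the way the
    ASA's xlate does for the static NAT in this thread (125.125.125.126 -> 172.16.1.2)."""
    fix = lambda ip: real_ip if ip == mapped_ip else ip
    return [(fix(s), fix(d), c) for s, d, c in pinholes]

# Constructed sample messages (not captured traffic); optional fields are zero/defaults.
def build_ocrq(call_id):
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100000000, 3, 3, 64, 0, 0, 0)
    body += b"\x00" * 128        # Phone Number + Subaddress, 64 bytes each
    return struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUTGOING_CALL_REQUEST, 0) + body

def build_ocrp(call_id, peer_call_id):
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 100000000, 64, 0, 0)
    return struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUTGOING_CALL_REPLY, 0) + body
```

Feed `gre_pinholes` the request and reply for one call, then pass the result through `apply_static_nat` to see which inside-facing GRE flows the firewall must allow.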
02-21-2010 12:28 AM
Well, from this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml, it seems that the inspect command is only used if the PPTP client is behind the ASA box. In my setup, the PPTP client is at a different location.
So it looks to me what is needed here is the ACL and the static NAT.
Thank you,
Cheers.