Putting a PPTP server behind an ASA firewall ...

sanjaynadarajah
Level 1

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.

The way I plan to do this is as follows :-
1. Create a static NAT for the PPTP server on the ASA firewall.

2. Add this piece of command :-

For versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

3. Inspects PPTP traffic via PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
!
!
4. Allow outside access to get to the host,
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
!
5. Arp entry to the ASA box
!
arp outside 125.125.125.126 001d.abcd.7cf8 alias
!
!
6. Static NAT from the outside IP to the inside IP.
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
!

!
write mem
!

Question :-
1) Pls advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers
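As an added illustration (not part of the original post or Cisco's documentation), a small Python checker that tests a running-config text for the three pieces this setup relies on: the static port translation for tcp/1723, the inbound ACL entry for the translated address, and inspect pptp under inspection_default in global_policy, which is what lets the firewall open the GRE data channel dynamically. The sample configuration is constructed from the commands and addresses in the post above; the function and message names are my own.

```python
import re

# Constructed sample: the relevant lines from the post above, as they would
# appear in a running-config (class and inspect lines are indented).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect pptp
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
"""


def _inspect_pptp_present(config):
    """True if 'inspect pptp' sits under class inspection_default of policy-map global_policy."""
    in_policy = in_class = False
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):          # a top-level command ends the previous context
            in_policy = stripped == "policy-map global_policy"
            in_class = False
            continue
        if in_policy and stripped.startswith("class "):
            in_class = stripped == "class inspection_default"
        elif in_policy and in_class and stripped == "inspect pptp":
            return True
    return False


def check_pptp_server_config(config, outside_ip, inside_ip):
    """Return a list of findings; an empty list means all three pieces are present."""
    findings = []
    # 1. Static port translation: outside_ip:1723 -> inside_ip:1723 (ASA may print 1723 as 'pptp')
    static_re = re.compile(
        rf"^static \(inside,outside\) tcp {re.escape(outside_ip)} (1723|pptp) "
        rf"{re.escape(inside_ip)} (1723|pptp)", re.M)
    if not static_re.search(config):
        findings.append("missing static tcp/1723 translation for the PPTP server")
    # 2. Inbound ACL permitting the control channel to the translated address
    acl_re = re.compile(
        rf"^access-list \S+ extended permit tcp any host {re.escape(outside_ip)} eq (1723|pptp)",
        re.M)
    if not acl_re.search(config):
        findings.append("missing ACL entry permitting tcp/1723 to the outside address")
    # 3. Without inspect pptp the GRE channel (ip protocol 47) is not opened dynamically
    if not _inspect_pptp_present(config):
        findings.append("inspect pptp not in global_policy/inspection_default: "
                        "GRE (ip protocol 47) would need its own static and ACL entry")
    return findings
```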

4 Replies

Jon Marshall
Hall of Fame

sanjaynadarajah wrote:

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.



Question :-
1) Pls advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers

Can't read visio's but there is a specific document for allowing PPTP through an ASA/Pix firewall so you may want to check your config against that -

PPTP through firewall

Jon

Panos Kampanakis
Cisco Employee

In other words you will need

policy-map global_policy

     class inspection_default

          inspect pptp

And opening up gre on your interface.

I hope it helps.

PK

GRE will be allowed automatically with inspect pptp.

Pls. read this command reference link for inspect pptp:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.

The link that Jon provided has examples to allow PPTP. Pls. follow that. I am enclosing the same link again.

1. for client on the inside

2. for server on the inside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

-KS

sanjaynadarajah
Level 1

Well, from this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml, it seems that the inspect command is only used if the PPTP client is behind the ASA box. In my setup, the PPTP client is at a different location.

So it looks to me what is needed here is the ACL and the static NAT.

Thank you,

Cheers.
