Putting a PPTP server behind an ASA firewall ...

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.

The way I plan to do this is as follows :-
1. Create a static NAT for the PPTP server on the ASA firewall.


2. Add this piece of command :-

For versions 7.x and 8.0 using the inspect command:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

3. Inspects PPTP traffic via PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#global (outside) 1 interface
!
!
4. Allow outside access to get to the host,
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
!
5. Arp entry to the ASA box
!
arp outside 125.125.125.126 001d.abcd.7cf8 alias
!
!
6. Static NAT from the outside IP to the inside IP.
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
!

!
write mem
!

Question :-
1) Please advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new
   to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers


4 REPLIES
Hall of Fame Super Blue

Re: Putting a PPTP server behind an ASA firewall ...

sanjaynadarajah wrote:

Hello Experts,

I have a scenario whereby the PPTP server is internet facing. Refer to the current setup.

The aim is to do the new setup which is to put the PPTP server behind the Cisco ASA firewall.



Question :-
1) Please advise if I am missing anything else for this setup?
2) What are the relevant show commands I should be using to check if this is working? I am pretty new
   to this kind of setup.
3) Do I need to allow forwarding GRE protocol type 47?
4) Any good URLs that have this information?

Thank you ,

Cheers

Can't read Visios, but there is a specific document for allowing PPTP through an ASA/PIX firewall, so you may want to check your config against that -

PPTP through firewall

Jon

Cisco Employee

Re: Putting a PPTP server behind an ASA firewall ...

In other words you will need

policy-map global_policy

     class inspection_default

          inspect pptp

And opening up GRE on your interface.

I hope it helps.

PK

Cisco Employee

Re: Putting a PPTP server behind an ASA firewall ...

GRE will be allowed automatically with inspect pptp.

Please read this command reference link for inspect pptp:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.

The link that Jon provided has examples to allow PPTP. Please follow that. I am enclosing the same link again.

1. for client on the inside

2. for server on the inside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

-KS

Community Member

Re: Putting a PPTP server behind an ASA firewall ...

Well, from this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml, it seems that the inspect command is only used if the PPTP client is behind the ASA box. In my setup, the PPTP client is at a different location.

So it looks to me what is needed here is the ACL and the static NAT.

Thank you,

Cheers.
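Added example (not code from the thread, from Cisco, or from any of the posters): a small consistency check over the classic pre-8.3 ASA/PIX syntax used in the original post. It parses the commands proposed there and verifies that the static translation, the inbound ACL and the GRE handling agree with each other, covering both sides of the inspect discussion above: with `inspect pptp` applied under `class inspection_default` the ASA opens the GRE data channel dynamically (as KS's reply and the command reference state), and without it an explicit GRE permit in the inbound ACL is required. The IP addresses are the post's own example values; the `access-group` line, which the post does not show, is assumed here because an ASA ACL only takes effect once it is applied to an interface.

```python
"""Consistency check for the PPTP-server-behind-ASA configuration discussed in
this thread. Added example, not code from the thread or from Cisco; it parses
the classic (pre-8.3) ASA/PIX syntax used on the page."""
import re
from dataclasses import dataclass, field

# Constructed sample: the commands from the original post, laid out as they
# would appear in a running-config (the post shows no access-group line).
POSTED_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect pptp
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
arp outside 125.125.125.126 001d.abcd.7cf8 alias
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
"""

# Constructed variant: ACL bound to the outside interface (assumed access-group
# line), but no inspect pptp and no explicit GRE permit, so the PPTP data
# channel would be dropped.
NO_INSPECT_CONFIG = """\
access-list outside_access_in extended permit tcp any host 125.125.125.126 eq 1723
access-group outside_access_in in interface outside
static (inside,outside) tcp 125.125.125.126 1723 172.16.1.2 1723 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\d+))?")
ACCESS_GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


@dataclass
class AsaConfig:
    acl_permits: list = field(default_factory=list)  # (acl, proto, dst_host, port or None)
    bound_acls: dict = field(default_factory=dict)   # acl name -> interface it is applied to
    statics: list = field(default_factory=list)      # (proto, out_ip, out_port, in_ip, in_port)
    inspections: set = field(default_factory=set)    # inspect names under global_policy/inspection_default


def parse_config(text):
    """Pull out only the pieces relevant to a PPTP server behind the firewall."""
    cfg = AsaConfig()
    context = None  # tracks policy-map global_policy -> class inspection_default nesting
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # any top-level command ends the current sub-mode
            context = None
        if line == "policy-map global_policy":
            context = "policy"
        elif context == "policy" and line == "class inspection_default":
            context = "class"
        elif context == "class" and line.startswith("inspect "):
            cfg.inspections.add(line.split(None, 1)[1])
        elif m := ACL_RE.match(line):
            acl, proto, host, port = m.groups()
            cfg.acl_permits.append((acl, proto, host, int(port) if port else None))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg.bound_acls[m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            proto, out_ip, out_port, in_ip, in_port = m.groups()
            cfg.statics.append((proto, out_ip, int(out_port), in_ip, int(in_port)))
    return cfg


def check_pptp_server(cfg, public_ip, inside_ip):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    if ("tcp", public_ip, 1723, inside_ip, 1723) not in cfg.statics:
        findings.append(f"missing static (inside,outside) tcp {public_ip} 1723 -> {inside_ip} 1723")
    control = [a for a, p, h, port in cfg.acl_permits if p == "tcp" and h == public_ip and port == 1723]
    if not control:
        findings.append(f"no inbound ACL permit for tcp/1723 to host {public_ip}")
    elif not any(cfg.bound_acls.get(a) == "outside" for a in control):
        findings.append(f"ACL {control[0]} is not applied inbound on outside (access-group)")
    # GRE (IP protocol 47) carries the PPTP data; inspect pptp opens it dynamically,
    # otherwise it must be permitted explicitly in the inbound ACL.
    gre_ok = any(p == "gre" and h == public_ip for _, p, h, _ in cfg.acl_permits)
    if "pptp" not in cfg.inspections and not gre_ok:
        findings.append("GRE (IP protocol 47) is neither opened dynamically by 'inspect pptp' "
                        "nor permitted explicitly; the PPTP data channel will be dropped")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("no-inspect", NO_INSPECT_CONFIG)):
        for f in check_pptp_server(parse_config(text), "125.125.125.126", "172.16.1.2") or ["OK"]:
            print(f"{name}: {f}")
```

Run as-is, the posted configuration produces one finding (the ACL is never applied to the outside interface) and the no-inspect variant produces the GRE finding; appending an explicit `permit gre` line to the bound ACL clears the latter, which is the situation the last reply describes where inspection is not relied on.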
