
Allow PPTP VPN connections through the ASA

robertcottrill
Level 1

We have a Cisco ASA 5520 set up to filter our internet traffic.

We are fairly locked down in what we allow out to the internet and this is how it was historically set up. 

 

I want to make a sub group for IT to allow more ports / services out to the internet.

I am doing this off static IPs which have been assigned to the select few users I want to be able to do this. I set up a group on the ASA and added the objects into this group.

Made an ACL for the ports and services I want them to use. This seems to be working for every other service I want to allow (FTP etc.) apart from PPTP VPN.

 

I have added GRE & PPTP to the ACL. When I try to connect to the VPN it gets to 'Verifying your credentials' (further than it did before the allow rule) and then gives me an error code of 806 and something to do with GRE. (See attached)

In service Policy rules I have also enabled inspect PPTP on the inspection_default policy.

Log messages (I have changed IPs):

Built outbound GRE connection 329812969 from inside:11.126.44.198 (71.173.171.158) to outside:76.128.210.71/5965 (76.128.210.71/5965)

Teardown GRE connection 329812969 from inside:11.126.44.198 to outside:76.128.210.71/5965

 

Am I missing something here or should this work?

I would rather use the ASDM manager than terminal to configure the device.

 

        
1 Reply

Marvin Rhoads
Hall of Fame

I have it working on a 5585-X (and it was also fine on the 5550 that preceded it) with:

1. an ACL allowing PPTP and GRE

2. a static NAT for the server

3. inspection of PPTP.

With those three bits, it's working fine for me.
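
The three parts listed in the reply above, written out as ASA CLI. This is an added example, not configuration taken from either poster; it assumes the object-based NAT syntax of ASA 8.3 and later, and every object name, ACL name and address in it is a placeholder.

```cisco
! Constructed example: names and addresses are placeholders, not values from the thread.
!
! Source group for the IT users with static IPs (the outbound-client case in the question)
object-group network IT-ADMINS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! 1. ACL: PPTP control channel (TCP/1723, keyword "pptp") and GRE (IP protocol 47).
!    Scoped to the IT group only; add these entries to the ACL already applied
!    inbound on the inside interface (ACL name here is a placeholder).
access-list inside_access_in extended permit tcp object-group IT-ADMINS any eq pptp
access-list inside_access_in extended permit gre object-group IT-ADMINS any
!
! 2. Static NAT: only relevant when the PPTP server itself sits behind the ASA.
!    With 8.3+ NAT the outside ACL references the server's real address.
object network PPTP-SERVER
 host 192.0.2.50
 nat (inside,outside) static 198.51.100.50
access-list outside_access_in extended permit tcp any object PPTP-SERVER eq pptp
access-list outside_access_in extended permit gre any object PPTP-SERVER
!
! 3. PPTP inspection in the default global policy, so the ASA tracks the
!    TCP/1723 control session and handles the matching GRE flow
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Checks after a connection attempt
show service-policy | include pptp
show conn | include GRE
show logging | include GRE
```

If the "Built outbound GRE connection" message is followed immediately by a teardown, as in the log lines in the question, compare the `show service-policy` packet counter for pptp before and after the attempt to confirm the inspection is actually matching the control session.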
