Is it possible to set up PPTP VPN traffic (clients outside and server inside) to pass through a Cisco ASA 5505 if the outside IP address is also being used for PAT?

The Cisco examples forward all NAT traffic from the outside to the inside VPN server. I only have one IP available currently and need PAT.

ITGuy24

3 Answers

The stock ASA configuration does not include support for PPTP passthrough by default -- crazy as to why. Cisco TAC likely gets a handful of cases related to this...

There are at most three things required to get PPTP working through an ASA:

If server is behind ASA

  1. Configure necessary NAT/PAT if using NAT/PAT (Optional but usually required)
  2. ACL permit TCP/1723 to server/IP (whether real, mapped, or interface depends on ASA version)
  3. Enable PPTP inspection
    • Explicit ACL permit for GRE is not necessary

If client is behind ASA

  1. Enable PPTP inspection

Server example

  • ASA outside interface IP 1.1.1.2/30
  • Server inside IP 10.0.0.10/24
  • Static PAT (port forwarding) TCP/1723 using ASA outside interface IP

ASA 8.3 and newer (with focus on objects)

object network hst-10.0.0.10
 description Server
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 description Server TCP/1723 Static PAT Object
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723

object-group service svcgrp-10.0.0.10-tcp tcp
 port-object eq 1723

access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

ASA 8.2 and prior

access-list outside_access_in extended permit tcp any interface outside eq 1723

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 1723 10.0.0.10 1723 netmask 255.255.255.255

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

Client example

Valid for all ASA OS versions

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

If these examples don't fit your scenario post your specifics and we can customize a config for you.

Weaver
  • This is one of the best answers I've seen. All versions, both directions. Very well done. Small question: In the server example, ASA 8.3, when you refer to "object hst-10.0.0.10" in the access-list, shouldn't that be "object hst-10.0.0.10-tcp1723"? Should we refer to the object with the nat, or just the server in general? Or does it not matter? – James Newton Jan 23 '16 at 00:19
  • @JamesNewton Technically it doesn't matter since the host defined in both hst-10.0.0.10 and hst-10.0.0.10-tcp1723 objects is the same. However, I would recommend using the objects as indicated given the ASA's wonky way of static PAT in ASA 8.3+. The hst-10.0.0.10 object is used to define the host in an ACL's ACE. The svcgrp-10.0.0.10-tcp object is used to define all ports permitted (can contain multiple ports in the same object). The hst-10.0.0.10-tcp1723 object is never used in ACL - it is only used to define the static PAT behavior, one object per port needed - ASA limitation. – Weaver Oct 03 '17 at 01:55
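As an added verification example (not code from the answer above, nor a Cisco tool), the following Python script checks a running-config excerpt for the server-side items the answer lists, in ASA 8.3+ syntax: static PAT for tcp/1723, an ACL permit that actually reaches tcp/1723, `inspect pptp` under global_policy, and that policy applied globally. The sample config is constructed from the answer with a deliberately mismatched service object-group name (svcgrp-10.0.0.10 defined, svcgrp-10.0.0.10-tcp referenced) so the check demonstrates catching the naming issue discussed in the comments; the function name and result keys are my own.

```python
import re

# Constructed sample: the 8.3+ server config from the answer above, with a mismatched object-group name.
SAMPLE_CONFIG = """\
object network hst-10.0.0.10
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723
object-group service svcgrp-10.0.0.10 tcp
 port-object eq 1723
access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
"""

def check_pptp_passthrough(config: str) -> dict:
    """Flag the pieces the answer lists (ASA 8.3+ syntax): static PAT for tcp/1723, an
    ACL permit reaching tcp/1723, 'inspect pptp' under global_policy, policy applied."""
    groups, current_group, in_policy = {}, None, False
    result = {"static_pat": False, "acl_permit": False, "inspect_pptp": False,
              "policy_applied": False, "undefined_groups": []}
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):              # top-level line: leave any block
            current_group, in_policy = None, s == "policy-map global_policy"
        m = re.match(r"object-group service (\S+) tcp$", s)
        if m:                                     # start of a tcp service object-group
            current_group = m.group(1)
            groups[current_group] = set()
        elif current_group and s.startswith("port-object eq "):
            groups[current_group].add(s.split()[-1])
        elif re.match(r"nat \(\S+,\S+\) static interface service tcp 1723 1723$", s):
            result["static_pat"] = True           # static PAT on the outside interface IP
        elif s.startswith("access-list") and " permit tcp " in s:
            ref = re.search(r"object-group (\S+)$", s)
            if ref and ref.group(1) not in groups:
                result["undefined_groups"].append(ref.group(1))
            elif (ref and "1723" in groups[ref.group(1)]) or s.endswith("eq 1723"):
                result["acl_permit"] = True       # port 1723 reachable via ACE or group
        elif in_policy and s == "inspect pptp":
            result["inspect_pptp"] = True
        elif s == "service-policy global_policy global":
            result["policy_applied"] = True
    result["ok"] = not result["undefined_groups"] and all(
        result[k] for k in ("static_pat", "acl_permit", "inspect_pptp", "policy_applied"))
    return result
```

Run it against the sample and the ACL check fails with `svcgrp-10.0.0.10-tcp` reported as undefined; rename the object-group to match and every item passes.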
Yes, this is perfectly possible (and how I use PPTP here).

  1. Create a firewall rule on the access list that's bound to your OUTSIDE interface to allow any incoming packets using PPTP to pass.
  2. Create a NAT rule on the inside interface that redirects all incoming packets on the PPTP port to an internal server.
pauska
  • I have done this, plus allowed GRE traffic as well, but it still isn't working. I can see hits on the PPTP rule when making connection attempts, but nothing is hitting the GRE rule. – ITGuy24 Apr 14 '10 at 12:46
  • Cisco ASA has a protocol proxy for PPTP, you should not need to forward GRE. – pauska Apr 15 '10 at 08:52
You need to also "inspect" the PPTP traffic. Adding that fixed the problem for me.

Nic