Allowing Microsoft PPTP through Cisco ASA
The Microsoft Point to Point Tunneling Protocol (PPTP) is used to create a Virtual Private Network (VPN) between a PPTP client and a PPTP server. It is commonly used by remote and mobile users to connect back to their corporate network over the Internet. A PPTP client connects and authenticates to the PPTP server, which assigns an IP address to the client and attaches the remote user to the network. After that, the remote user has full network connectivity, just as if connected locally.
In the older PIX version 6.x, you could configure the PIX firewall itself to work as a PPTP server, thus you didn’t even need to have a Windows PPTP server in place. With the new ASA firewall however, you cannot terminate PPTP on the ASA itself. Therefore you must have a Microsoft PPTP server in the network in order to terminate PPTP connections from clients.
PPTP uses two protocols: GRE to encapsulate the PPP packets and a control channel on TCP port 1723. Because communication needs both of them (GRE and TCP 1723), any stateful firewall has a problem passing PPTP without a special “fixup”. Cisco ASA lets you pass PPTP traffic through with a special “inspection” mechanism: it inspects the control traffic (TCP 1723) and dynamically opens access for the associated GRE traffic as well.
In this post we will see two scenarios of allowing PPTP traffic through a Cisco ASA. In the first scenario we have a PPTP client on the inside of ASA which communicates with a PPTP server on the outside zone. In the second scenario we have a PPTP client on the outside of ASA which communicates with a PPTP server on the inside.
Scenario 1: PPTP client on inside and server on outside

The first scenario above depicts a PPTP server located on the outside of the ASA (Internet) and PPTP clients on the inside. Using the “inspect” command in the global policy-map we can enable access from inside to outside for PPTP.
! enable Port Address Translation on the outside interface
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ciscoasa(config)# global (outside) 1 interface
! add PPTP inspection to the default policy-map using the default class-map
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect pptp
Scenario 2: PPTP client on outside and server on inside

This scenario depicts a PPTP server located on the inside network. Here we must configure static NAT for the PPTP server and allow the appropriate protocols (GRE and TCP 1723) from the outside.
! translate the PPTP server private address 192.168.1.1 to public 50.50.50.1
ciscoasa(config)# static (inside,outside) 50.50.50.1 192.168.1.1 netmask 255.255.255.255
! allow the appropriate protocols from outside to inside
ciscoasa(config)# access-list acl-out permit gre any host 50.50.50.1
ciscoasa(config)# access-list acl-out permit tcp any host 50.50.50.1 eq 1723
ciscoasa(config)# access-group acl-out in interface outside
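To show what the “inspect pptp” command of scenario 1 does with the GRE/TCP 1723 pairing described above, and why it is tighter than the static “permit gre any” entry of scenario 2 (which admits any GRE packet to 50.50.50.1, whether or not a call was set up), here is an added Python model of the inspection, not code from the original post or from Cisco: it decodes the call-setup messages on the control channel as laid out in RFC 2637, learns the Call IDs, and then permits only PPTP GRE packets carrying a learned Call ID between the same two endpoints. The class and function names, the client address 192.168.1.10 and the unrelated host 203.0.113.9 are constructed for this example; 50.50.50.1 is the server address from scenario 2.

```python
import struct
# RFC 2637 constants: control magic cookie, call-setup message types, GRE protocol type.
MAGIC_COOKIE = 0x1A2B3C4D
OUTGOING_CALL_REQUEST, OUTGOING_CALL_REPLY = 7, 8
GRE_PPTP_PROTO = 0x880B

def parse_control_message(data):
    """Return (ctrl_type, call_id, peer_call_id); IDs are None where the message has none."""
    _length, msg_type, cookie, ctrl_type = struct.unpack_from("!HHIH", data, 0)
    if msg_type != 1 or cookie != MAGIC_COOKIE:      # 1 = control message
        raise ValueError("not a PPTP control message")
    if ctrl_type == OUTGOING_CALL_REQUEST:           # Call ID at offset 12
        return ctrl_type, struct.unpack_from("!H", data, 12)[0], None
    if ctrl_type == OUTGOING_CALL_REPLY:             # Call ID, then Peer's Call ID
        return (ctrl_type,) + struct.unpack_from("!HH", data, 12)
    return ctrl_type, None, None

def parse_gre_call_id(packet):
    """Call ID of a PPTP enhanced GRE header (K bit, version 1, 0x880B), else None."""
    flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", packet, 0)
    if not (flags & 0x20) or (ver & 0x07) != 1 or proto != GRE_PPTP_PROTO:
        return None
    return call_id

class PptpInspector:
    """Learns Call IDs on TCP 1723 and opens GRE only for those IDs between the same pair."""
    def __init__(self):
        self.pinholes = {}  # (client_ip, server_ip) -> set of Call IDs seen on the control channel
    def control(self, src, dst, data):
        ctrl_type, call_id, peer_call_id = parse_control_message(data)
        if ctrl_type == OUTGOING_CALL_REQUEST:       # client -> server
            self.pinholes.setdefault((src, dst), set()).add(call_id)
        elif ctrl_type == OUTGOING_CALL_REPLY:       # server -> client, so key client-first
            self.pinholes.setdefault((dst, src), set()).update({call_id, peer_call_id})
    def gre_allowed(self, src, dst, packet):
        ids = self.pinholes.get((src, dst)) or self.pinholes.get((dst, src))
        call_id = parse_gre_call_id(packet)
        return bool(ids) and call_id is not None and call_id in ids

def demo():
    # Constructed session: inside client 192.168.1.10 calling the page's PPTP server 50.50.50.1.
    client, server, stranger = "192.168.1.10", "50.50.50.1", "203.0.113.9"
    fw = PptpInspector()
    hdr = lambda ln, ct: struct.pack("!HHIHH", ln, 1, MAGIC_COOKIE, ct, 0)  # 12-byte common header
    fw.control(client, server, hdr(168, OUTGOING_CALL_REQUEST) + struct.pack("!H", 1) + b"\0" * 154)
    fw.control(server, client, hdr(32, OUTGOING_CALL_REPLY) + struct.pack("!HH", 0x40, 1) + b"\0" * 16)
    gre = lambda cid: struct.pack("!BBHHH", 0x30, 0x81, GRE_PPTP_PROTO, 0, cid)  # K+S, A, ver 1
    return (fw.gre_allowed(client, server, gre(0x40)),    # learned call: allowed
            fw.gre_allowed(client, server, gre(0x99)),    # unknown Call ID: dropped
            fw.gre_allowed(stranger, server, gre(0x40)))  # no control session: dropped
```

With the static ACL of scenario 2 alone, all three GRE packets in demo() would be accepted; the inspection model accepts only the first.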
Hi Harris,
I have a fairly similar situation, operating an OpenVPN server on the inside network reachable by users from the outside network. My problem is how to configure the ASA 5510 to route the VPN IP addresses to the VPN server that resides on the inside network. The OpenVPN server issues IP addresses from the 10.8.0.0/24 pool, the inside network from the 192.168.128.0/24 pool. I did a static inside route of 10.8.0.0/24 to the inside address of the OpenVPN server as a gateway, and also did ACLs. The VPN connection builds up, but the VPN clients do not see the inside network.
Istvan,
You will need to configure the OpenVPN server to assign addresses within subnet 192.168.128.0/24. Because clients get addresses in a different subnet (10.8.0.0) there is no routing between the VPN subnet and the inside subnet.
Hi BlogAdmin,
Thanks for answering me. With a Linksys BEFSR41 DSL router the configuration explained above works if I set up a static route from 10.8.0.0/24 to the inside IP address of the OpenVPN server as a gateway (let's say 10.8.0.0 255.255.255.0 192.168.128.120 1). But anyway, if I give the VPN clients addresses from the inside pool, how do I route VPN clients through the OpenVPN server? I am not an expert in this question.
The Linksys router works because it allows IP redirection. However, the ASA does not allow this by default unless you configure it to permit intra-interface traffic (same security permit intra-interface). If you configure the OpenVPN server to give addresses in the range 192.168.128.0 then there is no need to configure any routes, since both the VPN clients and the internal hosts will be in the same network subnet.