Allowing Microsoft PPTP through Cisco ASA


The Microsoft Point to Point Tunneling Protocol (PPTP) is used to create a Virtual Private Network (VPN) between a PPTP client and a PPTP server. It is typically used for remote access, letting mobile users connect back to their corporate network over the Internet. The PPTP client connects and authenticates to the PPTP server, which assigns an IP address to the client and attaches the remote user to the network. After that, the remote user has full network connectivity, just as if connected locally.

In the older PIX version 6.x, you could configure the PIX firewall itself to act as a PPTP server, so you did not even need a separate Windows PPTP server. With the newer ASA firewall, however, you cannot terminate PPTP on the ASA itself. Therefore you must have a Microsoft PPTP server in the network to terminate PPTP connections from clients, and the ASA only has to pass the traffic through.

PPTP uses two protocols: a control channel on TCP port 1723 and GRE (IP protocol 47) to encapsulate the PPP packets carrying the user data. Any stateful firewall has a problem passing PPTP without a special "fixup", because both protocols are needed for a single session and the GRE flow carries no port numbers that the firewall could match against the control connection. Cisco ASA passes PPTP traffic with a special "inspection" mechanism: it examines the control traffic (TCP 1723) and dynamically opens access for the corresponding GRE traffic, so the data channel gets through without a permanent permit for GRE.

In this post we will see two scenarios for allowing PPTP traffic through a Cisco ASA. In the first scenario a PPTP client on the inside of the ASA communicates with a PPTP server in the outside zone. In the second scenario a PPTP client on the outside of the ASA communicates with a PPTP server on the inside.

Scenario 1: PPTP client on inside and server on outside

The first scenario depicts a PPTP server located on the outside of the ASA (Internet) and PPTP clients on the inside. Using the "inspect" command in the global policy-map, we enable PPTP access from inside to outside; the inspection opens the return GRE traffic dynamically, so no access list for GRE is needed on the outside interface.

! enable Port Address Translation on the outside interface
ciscoasa(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ciscoasa(config)#global (outside) 1 interface

! Add PPTP inspection to the default policy-map using the default class-map
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect pptp
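To show what "inspect pptp" actually has to do for scenario 1, here is a small Python model that I am adding to the post; it is not Cisco code and does not reproduce the ASA's real inspection engine. It parses the two on-the-wire pieces that a PPTP inspection looks at (RFC 2637): the TCP/1723 control message carrying the client's Call ID, and the enhanced GRE header whose Key field carries that same Call ID. A simplified stateful filter then permits inbound GRE only for a Call ID it learned from an outbound Outgoing-Call-Request. With inspection off, the inbound GRE is dropped, which is the symptom behind the "GRE not allowed" / Error 806 reports in the comments. The addresses, the 16-byte control message and the GRE frames are constructed sample data; the class and function names are my own.

```python
"""Toy model of PPTP-aware stateful filtering (added example, not Cisco's code)."""
import struct
from dataclasses import dataclass, field

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie present in every PPTP control message
PPTP_CTRL_PORT = 1723
GRE_PPP_PROTO = 0x880B         # GRE protocol type for encapsulated PPP (RFC 2637)
OCRQ, OCRP = 7, 8              # Outgoing-Call-Request / Outgoing-Call-Reply


def parse_pptp_control(payload: bytes):
    """Return (control_type, call_id) or None if this is not a PPTP control message."""
    if len(payload) < 14:
        return None
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", payload[:10])
    if msg_type != 1 or cookie != PPTP_MAGIC or length != len(payload):
        return None
    # OCRQ/OCRP layout: 2 reserved bytes, then the sender's Call ID at offset 12
    (call_id,) = struct.unpack("!H", payload[12:14])
    return ctrl_type, call_id


def parse_gre_pptp(packet: bytes):
    """Return the Call ID from an enhanced GRE (version 1, proto 0x880B) header, else None."""
    if len(packet) < 8:
        return None
    flags, ver, proto, _payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    key_present = bool(flags & 0x20)            # K bit: Key field (length + Call ID) follows
    if not key_present or (ver & 0x07) != 1 or proto != GRE_PPP_PROTO:
        return None
    return call_id


@dataclass
class Packet:
    direction: str          # "out" (inside -> outside) or "in" (outside -> inside)
    proto: str              # "tcp" or "gre"
    src: str
    dst: str
    dport: int = 0          # TCP only
    payload: bytes = b""    # TCP payload, or the whole GRE packet


@dataclass
class PptpAwareFilter:
    """Stateful filter for scenario 1 (client inside, server outside)."""
    inspect_pptp: bool
    control_sessions: set = field(default_factory=set)  # (client, server)
    gre_pinholes: set = field(default_factory=set)      # (server, client, call_id)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # Higher- to lower-security traffic is permitted; record state on the way out.
            if pkt.proto == "tcp" and pkt.dport == PPTP_CTRL_PORT:
                self.control_sessions.add((pkt.src, pkt.dst))
                parsed = parse_pptp_control(pkt.payload)
                if self.inspect_pptp and parsed and parsed[0] == OCRQ:
                    # Inspection learned the client's Call ID: open a GRE pinhole for it
                    self.gre_pinholes.add((pkt.dst, pkt.src, parsed[1]))
            return True
        # Inbound: only traffic matching existing state gets through.
        if pkt.proto == "tcp":
            return (pkt.dst, pkt.src) in self.control_sessions
        if pkt.proto == "gre":
            call_id = parse_gre_pptp(pkt.payload)
            return call_id is not None and (pkt.src, pkt.dst, call_id) in self.gre_pinholes
        return False


def build_ocrq(call_id: int) -> bytes:
    """Constructed minimal Outgoing-Call-Request carrying only the fields the filter reads."""
    return struct.pack("!HHIHHHH", 16, 1, PPTP_MAGIC, OCRQ, 0, call_id, 1)


def build_gre(call_id: int, ppp: bytes) -> bytes:
    """Constructed enhanced GRE frame: K bit set, version 1, proto 0x880B, Key = len + Call ID."""
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PPP_PROTO, len(ppp), call_id) + ppp


def simulate(inspect: bool):
    """One client->server call setup; returns the allow/drop decision for each packet."""
    fw = PptpAwareFilter(inspect_pptp=inspect)
    client, server = "192.168.1.50", "203.0.113.10"   # constructed addresses
    return [
        fw.allow(Packet("out", "tcp", client, server, PPTP_CTRL_PORT, build_ocrq(0x1234))),
        fw.allow(Packet("in", "tcp", server, client)),                                   # control reply
        fw.allow(Packet("in", "gre", server, client, 0, build_gre(0x1234, b"\xff\x03\xc0\x21"))),  # data channel
        fw.allow(Packet("in", "gre", server, client, 0, build_gre(0x9999, b"\xff\x03"))),          # unknown Call ID
    ]


if __name__ == "__main__":
    print("inspect pptp on :", simulate(True))
    print("inspect pptp off:", simulate(False))
```

With inspection on, the TCP reply and the GRE packet for Call ID 0x1234 pass while GRE with an unknown Call ID is still dropped; with inspection off, the control channel works but every inbound GRE packet is dropped, exactly the "telnet to 1723 works but the VPN fails" situation described later on this page.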

Scenario 2: PPTP client on outside and server on inside

This scenario depicts a PPTP server located on the inside network. Here we must configure static NAT for the PPTP server and explicitly permit the appropriate protocols (GRE and TCP 1723) from outside to the server's translated address, since inbound traffic is denied by default on the outside interface.

! translate the PPTP server private address 192.168.1.1 to public 50.50.50.1
ciscoasa(config)# static (inside,outside) 50.50.50.1 192.168.1.1 netmask 255.255.255.255

! allow the appropriate protocols from outside to inside
ciscoasa(config)# access-list acl-out permit gre any host 50.50.50.1
ciscoasa(config)# access-list acl-out permit tcp any host 50.50.50.1 eq 1723
ciscoasa(config)# access-group acl-out in interface outside


Comments

  1. Istvan says

    Hi Harris,

    I have a fairly similar situation, operating an OpenVPN server on the inside network reachable by users from the outside network. My problem is how to configure ASA 5510 to route the VPN IP addresses to the VPN server residing on the inside network. The OpenVPN server issues IP addresses from the 10.8.0.0/24 pool, the inside network from the 192.168.128.0/24 pool. I did a static inside route of 10.8.0.0/24 to the inside address of the OpenVPN server as a gateway, and also did ACLs. The VPN connection builds up, but the VPN clients did not see the inside network.

  2. BlogAdmin says

    Istvan,
    You will need to configure the OpenVPN server to assign addresses within subnet 192.168.128.0/24. Because clients get addresses in a different subnet (10.8.0.0) there is no routing between the VPN subnet and the inside subnet.

  3. Istvan says

    Hi BlogAdmin,

    Thanks for answering me. With a LinkSys BEFSR41 DSL router the above explained configuration works if I set up a static route from 10.8.0.0/24 to the inside IP address of the OpenVPN server as a gateway (let's say 10.8.0.0 255.255.255.0 192.168.128.120 1). But anyway, if I give the VPN clients addresses from the inside pool, how do I route VPN clients through the OpenVPN server? I am not an expert in this question.

  4. BlogAdmin says

    The Linksys router works because it allows IP redirection. However the ASA does not allow this by default except if you configure it to permit intra-interface traffic (same security permit intra interface). If you configure the OpenVPN server to give addresses in the range 192.168.128.0 then there is no need to configure any routes since both the VPN clients and the internal hosts will be in the same network subnet.

  5. agung says

    Hi Harris,

    I have configured PPTP client on outside and server on inside the same as scenario 2 above, but I got a problem with allowing Microsoft PPTP in Cisco ASA 5505 8.3(1).

    Can you please give the right input configuration for this version. Thanks.

  6. BlogAdmin says

    For ASA 8.3 and later, the NAT and access list commands have changed.

    Static NAT:

    ciscoasa(config)# object network rdp_server_static
    ciscoasa(config-network-object)# host 192.168.1.1
    ciscoasa(config-network-object)# nat (inside , outside) static 50.50.50.1

    Access List:
    ciscoasa(config)# access-list acl-out permit gre any host 192.168.1.1
    ciscoasa(config)# access-list acl-out permit tcp any host 192.168.1.1 eq 1723
    ciscoasa(config)# access-group acl-out in interface outside

  7. agung says

    Hi Harris,

    I have input the configuration but I got this message:

    ciscoasa(config-network-object)# nat (inside,outside) static 118.x.x.x
    ERROR: Address 118.x.x.x overlaps with outside interface address.
    ERROR: NAT Policy is not downloaded

  8. BlogAdmin says

    This is because you are using the ASA outside interface IP address. You need to use “nat (inside,outside) static interface“. However this will bind the whole interface address on the PPTP server. The best scenario is to have a dedicated public IP address (not the same as the outside interface of ASA) for the PPTP server.

  9. Aubrey says

    Is there a chance of getting the updated commands for 8.3?

    Thanks for the site and a great Step by Step guide.

  10. BlogAdmin says

    For outbound PPTP for 8.3, you need to change the PAT commands:

    object network internal_lan
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic interface

  11. Aubrey says

    Strange,

    I already have that for allowing outbound access through two of my Cisco ASA 5505s and am not able to create outbound PPTP connections since implementing these security appliances.

  12. Boom3r says

    I have an ASA 5505 protecting my home network. Inside DHCP from the ASA is 192.168.1.X. I'm trying to pass through the ASA into my work and VPN from my Windows machine. I cannot seem to get it to work. The PPTP work server is 203.161.x.x. I have a vanilla 8.4 ASA; can you please help with the config for PPTP passthrough?
    Regards, Boom3r

  13. BlogAdmin says

    What ASA version are you running? Run the command "show ver" to see the software version of your ASA. If its version is higher than 8.3 then the command above is not supported.

  14. vikinggerman says

    Thanks for your quick response. The version is 8.2. Is there an alternative way to do it?

  15. vikinggerman says

    BTW, I ran the following commands:

    ! allow the appropriate protocols from outside to inside
    ciscoasa(config)# access-list acl-out permit gre any host 50.50.50.1
    ciscoasa(config)# access-list acl-out permit tcp any host 50.50.50.1 eq 1723
    ciscoasa(config)# access-group acl-out in interface outside

    But still I have error message on VPN server saying that:
    Firewall between VPN server and clients is not configured to allow GRE packets.

    Any suggestion?

    Thanks

  16. BlogAdmin says

    Your commands are correct and they should have been working. Maybe the VPN server is not using a standard GRE and PPPoE protocol?

  17. Andrew says

    Hi BlogAdmin,

    Thanks for the tutorial. I've a problem with it.

    I've an ASA 5110 8.0(4) release. I'm working on scenario 2.
    When I try to connect with the client, it contacts the server, tries to verify user and password, and after 30 seconds it replies with the message:

    Error 806: a connection between your computer and the VPN server has been established but the VPN connection cannot be completed. The most common cause for this is that there is at least one internet device between your computer and the VPN server that is not configured to allow GRE protocol packets. Verify that protocol 47 GRE is allowed on all personal firewall devices or routers. If the problem persists, contact your administrator.

    If I try a telnet from client to server on port 1723, it works.

    Where am I wrong?

    Thanks

  18. BlogAdmin says

    Andrew,

    In order for scenario 2 to work, you need a dedicated public IP which will be statically NATed to the inside server. Your problem shows that GRE does not pass from the client (outside) to the server inside. Only TCP port 1723 can pass, from what you describe.

  19. jackmetro says

    Harris, Thanks very much for this posting. I ran the commands on our ASA and the results are perfect. Best Regards to you!
