Comments on: Allowing Microsoft PPTP through Cisco ASA

By: Brad

Brad — Thu, 02 Feb 2012 03:34:51 +0000

thanks for the info! this pointed me in the right direction. I did need to run one more command to apply the policy to the interface on my ASA 5505 (ver. 8.2):

service-policy pptp_policy interface outside

I found that here: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i2.html#wp1761500

By: BlogAdmin

BlogAdmin — Thu, 19 Jan 2012 13:50:41 +0000

Andrew,

In order for scenario 2 to work, you need a dedicated public IP which will be static nat to the inside server. Your problem shows that GRE does not pass from client (outside) to server inside. Only TCP port 1723 can pass from what you describe.

By: Andrew

Andrew — Thu, 19 Jan 2012 11:14:09 +0000

Hi BlogAmin,

thanks for the tutorial.I’ve a problem with it.

I’ve an ASA 5110 8.0(4) released. I’m working on scenario 2.
When i try to connect with the client, it contact the server, try to verify user and password and after 30second it reply with the message:

Error 806: a connection between your computer and the VPN server has been established but the VPN connection cannot be completed. The most common cause for this is that there is at least one internet device between your computer and the VPN server is not configured to allow GRE protocol packets Verify that protocol 47 GRE is allowed on all personal firewall devices or routers. if the problem persists, contact your administrator.

If i try a telnet from client to server, on 1723 port, it work.

where i wrong?

Thanks

By: BlogAdmin

BlogAdmin — Mon, 01 Aug 2011 06:55:46 +0000

Your commands are correct and they should have been working. Maybe the VPN server is not using a standard GRE and PPPoE protocol?

By: vikinggerman

vikinggerman — Fri, 29 Jul 2011 20:31:34 +0000

BTW, I ran the commands following:

! allow the appropriate protocols from outside to inside
ciscoasa(config)# access-list acl-out permit gre any host 50.50.50.1
ciscoasa(config)# access-list acl-out permit tcp any host 50.50.50.1 eq 1723
ciscoasa(config)# access-group acl-out in interface outside

But still I have error message on VPN server saying that:
Firewall between VPN server and clients is not configured to allow GRE packets.

Any suggestion?

Thanks

By: vikinggerman

vikinggerman — Fri, 29 Jul 2011 20:26:16 +0000

Thanks for you quick response. The version is 8.2. Is there alternative way to do it?

By: BlogAdmin

BlogAdmin — Fri, 29 Jul 2011 19:54:17 +0000

What ASA version are you running? Run the command “show ver” to see the software version of your ASA. If its version higher than 8.3 then the command above is not supported.

By: vikinggerman

vikinggerman — Fri, 29 Jul 2011 19:35:41 +0000

BlogAdmin:

I check out the link: http://www.tech21century.com/allowing-microsoft-pptp-through-cisco-asa/.

It would allow me to excute the following command:

ciscoasa(config)# static (inside,outside) 50.50.50.1 192.168.1.1 netmask 255.255.255.255

Could you help me with it?

Thanks.

By: BlogAdmin

BlogAdmin — Tue, 31 May 2011 16:38:50 +0000

Boom3r,

Check out the post here: http://www.tech21century.com/allowing-microsoft-pptp-through-cisco-asa/

By: Boom3r

Boom3r — Tue, 31 May 2011 06:37:19 +0000

I have a ASA 5505 protecting my home network. inside DHCP from the ASA is 192.168.1.X im trying to passthrough the ASA into my work and VPN from my Windows machine. I cannot seem to get it to work. PPTP work server is 203.161.x.x I have a villina 8.4 ASA can you please help with config for PPTP passthrough?
Regards Boom3r