configure cisco ASA to allow PPTP to ISA

Posted on 2008-10-21
Last Modified: 2012-05-05
iam trying to configure my ASA in order to allow vpn connection to ISA which locate in ASA inside interface using PPTP protocol

but after i configured the ASA it doesn't work and i couldn't connect to ISA using vpn connection

could any one check my ASA configuration and help

Result of the command: "sh run"

: Saved
ASA Version 7.0(7)
hostname ciscoasa
domain-name default.domain.invalid
enable password ijjo0KuMfVbkEAKw encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any host eq

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp pptp pptp netmask
static (inside,outside) udp 47 47 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end
Question by:A_M_R
  • 2

Accepted Solution

leonjs earned 500 total points
Comment Utility
If i understand you correctly . . . .
Iwant to inform you that if are doing dynamic NAT for the client behind the ASA i.e nat/global, then only one client can make PPTP connection through the ASA at one time. For this, we need to enable "inspect pptp". If you want multiple clients to be able to make PPTP connections through the ASA, then we will need as many static commands as the number of clients behind the ASA. Then, after creating the static commands, open TCP port 1723 and GRE on the inside and outside interface access-list.

Check out this link

Might be easier to setup RA on the ASA its self and then access the clients on the inside network

Author Comment

Comment Utility
sorry iam confusing now and also the link that you attached to me iam already read it and tried but still i have some problem , so could you answer me for these questions
 1- iam trying to do a vpn connection through internet to ISA server  behind the ASA , iam trying to inspect the PPTP but it doesn't work as iam try to open a vpn connection with the ISA public ip address which is the ip of outside interface of ASA isit correct???
2- from the link that you sent me if iam trying to add a static nat
static (inside,outside) netmask while there is also a dynamic isit possible or not???

Expert Comment

Comment Utility
To inspect PPTP do this

fw# config t
fw(config)# policy-map global_policy
fw(config-pmap)# class inspection_default
fw(config-pmap-c)# inspect pptp

Remember this though since your doing pat with the isa server

"You can only have one PPTP/L2TP connection through the ASA Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the ASA Security Appliance only maps port 0 to one host. "

You might find it easier just to setup remote access on the ASA

Featured Post

NetScaler Deployment Guides and Resources

Citrix NetScaler is certified to support many of the most commonly deployed enterprise applications. Deployment guides provide in-depth recommendations on configuring NetScaler to meet specific application requirements.

Join & Write a Comment

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now