configure cisco ASA to allow PPTP to ISA

Posted on 2008-10-21
Medium Priority
Last Modified: 2012-05-05
iam trying to configure my ASA in order to allow vpn connection to ISA which locate in ASA inside interface using PPTP protocol

but after i configured the ASA it doesn't work and i couldn't connect to ISA using vpn connection

could any one check my ASA configuration and help

Result of the command: "sh run"

: Saved
ASA Version 7.0(7)
hostname ciscoasa
domain-name default.domain.invalid
enable password ijjo0KuMfVbkEAKw encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any host eq

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp pptp pptp netmask
static (inside,outside) udp 47 47 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end
Question by:A_M_R
  • 2

Accepted Solution

leonjs earned 1000 total points
ID: 22767698
If i understand you correctly . . . .
Iwant to inform you that if are doing dynamic NAT for the client behind the ASA i.e nat/global, then only one client can make PPTP connection through the ASA at one time. For this, we need to enable "inspect pptp". If you want multiple clients to be able to make PPTP connections through the ASA, then we will need as many static commands as the number of clients behind the ASA. Then, after creating the static commands, open TCP port 1723 and GRE on the inside and outside interface access-list.

Check out this link

Might be easier to setup RA on the ASA its self and then access the clients on the inside network

Author Comment

ID: 22771976
sorry iam confusing now and also the link that you attached to me iam already read it and tried but still i have some problem , so could you answer me for these questions
 1- iam trying to do a vpn connection through internet to ISA server  behind the ASA , iam trying to inspect the PPTP but it doesn't work as iam try to open a vpn connection with the ISA public ip address which is the ip of outside interface of ASA isit correct???
2- from the link that you sent me if iam trying to add a static nat
static (inside,outside) netmask while there is also a dynamic isit possible or not???

Expert Comment

ID: 22772607
To inspect PPTP do this

fw# config t
fw(config)# policy-map global_policy
fw(config-pmap)# class inspection_default
fw(config-pmap-c)# inspect pptp

Remember this though since your doing pat with the isa server

"You can only have one PPTP/L2TP connection through the ASA Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the ASA Security Appliance only maps port 0 to one host. "

You might find it easier just to setup remote access on the ASA

Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month9 days, 6 hours left to enroll

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question