configure cisco ASA to allow PPTP to ISA

Posted on 2008-10-21
Last Modified: 2012-05-05
iam trying to configure my ASA in order to allow vpn connection to ISA which locate in ASA inside interface using PPTP protocol

but after i configured the ASA it doesn't work and i couldn't connect to ISA using vpn connection

could any one check my ASA configuration and help

Result of the command: "sh run"

: Saved
ASA Version 7.0(7)
hostname ciscoasa
domain-name default.domain.invalid
enable password ijjo0KuMfVbkEAKw encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any host eq

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp pptp pptp netmask
static (inside,outside) udp 47 47 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end
Question by:A_M_R
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Accepted Solution

leonjs earned 500 total points
ID: 22767698
If i understand you correctly . . . .
Iwant to inform you that if are doing dynamic NAT for the client behind the ASA i.e nat/global, then only one client can make PPTP connection through the ASA at one time. For this, we need to enable "inspect pptp". If you want multiple clients to be able to make PPTP connections through the ASA, then we will need as many static commands as the number of clients behind the ASA. Then, after creating the static commands, open TCP port 1723 and GRE on the inside and outside interface access-list.

Check out this link

Might be easier to setup RA on the ASA its self and then access the clients on the inside network

Author Comment

ID: 22771976
sorry iam confusing now and also the link that you attached to me iam already read it and tried but still i have some problem , so could you answer me for these questions
 1- iam trying to do a vpn connection through internet to ISA server  behind the ASA , iam trying to inspect the PPTP but it doesn't work as iam try to open a vpn connection with the ISA public ip address which is the ip of outside interface of ASA isit correct???
2- from the link that you sent me if iam trying to add a static nat
static (inside,outside) netmask while there is also a dynamic isit possible or not???

Expert Comment

ID: 22772607
To inspect PPTP do this

fw# config t
fw(config)# policy-map global_policy
fw(config-pmap)# class inspection_default
fw(config-pmap-c)# inspect pptp

Remember this though since your doing pat with the isa server

"You can only have one PPTP/L2TP connection through the ASA Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the ASA Security Appliance only maps port 0 to one host. "

You might find it easier just to setup remote access on the ASA

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Factory-Resetting & Configuring Cisco Meraki MR18 Wifi Access Points 3 59
BGP DUAL ISP with IP SLA 10 67
ASA 5506 Port Forward 4 63
Copying out Cisco backups from SolarWinds 13 120
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question