Configure Cisco ASA to allow PPTP to ISA

Posted on 2008-10-21
Last Modified: 2012-05-05
I am trying to configure my ASA to allow a VPN connection, using the PPTP protocol, to an ISA server located on the ASA inside interface,

but after I configured the ASA it doesn't work and I couldn't connect to the ISA using a VPN connection.

Could anyone check my ASA configuration and help?

Result of the command: "sh run"

: Saved
ASA Version 7.0(7)
hostname ciscoasa
domain-name default.domain.invalid
enable password ijjo0KuMfVbkEAKw encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any host eq

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp pptp pptp netmask
static (inside,outside) udp 47 47 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end
Question by: A_M_R

Accepted Solution

leonjs earned 500 total points
ID: 22767698
If I understand you correctly . . . .
I want to inform you that if you are doing dynamic NAT for the client behind the ASA, i.e. nat/global, then only one client can make a PPTP connection through the ASA at one time. For this, we need to enable "inspect pptp". If you want multiple clients to be able to make PPTP connections through the ASA, then we will need as many static commands as the number of clients behind the ASA. Then, after creating the static commands, open TCP port 1723 and GRE on the inside and outside interface access-list.

Check out this link

Might be easier to set up RA on the ASA itself and then access the clients on the inside network.

Author Comment

ID: 22771976
Sorry, I am confused now. I have already read the link that you attached and tried it, but I still have some problems, so could you answer these questions for me:
1- I am trying to make a VPN connection through the internet to the ISA server behind the ASA. I am trying to inspect PPTP but it doesn't work when I try to open a VPN connection with the ISA public IP address, which is the IP of the outside interface of the ASA. Is that correct???
2- From the link that you sent me, if I am trying to add a static NAT
static (inside,outside) netmask while there is also a dynamic one, is it possible or not???

Expert Comment

ID: 22772607
To inspect PPTP do this

fw# config t
fw(config)# policy-map global_policy
fw(config-pmap)# class inspection_default
fw(config-pmap-c)# inspect pptp

Remember this though, since you're doing PAT with the ISA server:

"You can only have one PPTP/L2TP connection through the ASA Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the ASA Security Appliance only maps port 0 to one host."

You might find it easier just to set up remote access on the ASA.
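
An added example, not part of the original thread or any poster's code: a small Python audit that checks a saved ASA running-config for the items the answers above name (GRE and TCP 1723 permitted, "inspect pptp" enabled, PAT limiting PPTP to one session). It also flags a static for UDP port 47, because GRE is IP protocol 47 and not a UDP port. The sample config, its addresses and the function name audit_pptp are constructed for illustration.

```python
import re

# Constructed sample modelled on the "sh run" output in the question; the
# addresses are placeholders, not values from the original post.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit gre any host 192.0.2.10
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq pptp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 10.0.0.5 pptp netmask 255.255.255.255
static (inside,outside) udp interface 47 10.0.0.5 47 netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
"""


def audit_pptp(config: str) -> list[str]:
    """Return findings for PPTP pass-through prerequisites in an ASA config."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    acl = [ln for ln in lines if ln.startswith("access-list ") and " permit " in ln]
    if not any(re.search(r"\bpermit gre\b", ln) for ln in acl):
        findings.append("no ACL entry permits GRE")
    if not any(re.search(r"\bpermit tcp\b.*\beq (pptp|1723)\b", ln) for ln in acl):
        findings.append("no ACL entry permits TCP 1723 (pptp)")
    if "inspect pptp" not in lines:
        findings.append("'inspect pptp' missing from the inspection policy")
    statics = [ln for ln in lines if ln.startswith("static (")]
    if not any(re.search(r"\btcp\b.*\b(pptp|1723)\b", ln) for ln in statics):
        findings.append("no static translation for TCP 1723 (pptp)")
    for ln in statics:
        # GRE is IP protocol 47, not UDP port 47, so this static carries no GRE.
        if re.search(r"\budp\b.*\s47\s", ln):
            findings.append("static maps UDP port 47; GRE is IP protocol 47, not a UDP port")
    # Per the thread: with PAT only one PPTP connection can pass at a time.
    if any(ln.startswith("global (") and ln.endswith(" interface") for ln in lines):
        findings.append("PAT on the interface address: only one PPTP/GRE session at a time")
    return findings


if __name__ == "__main__":
    for finding in audit_pptp(SAMPLE_CONFIG):
        print("-", finding)
```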
