VPN/PPTP passthrough on Cisco ASA 5505

Hi!
I have successfully forwarded pptp traffic to an inside server that runs Microsoft RRAS VPN service. These are the lines in my config:

access-list outside_access_in extended permit gre any host vpn.host.com
access-list outside_access_in extended permit tcp any host vpn.host.com eq pptp
static (inside,outside) vpn.host.com internal_vpn_server netmask 255.255.255.255

The server runs two services, therefore I have to make a port address translation on the third line.

However, if I type this command:
static (inside,outside) tcp vpn.host.com pptp internal_vpn_server pptp netmask 255.255.255.255

This is shown in the log:
Deny inbound protocol 47 src Outside:85.235.2.86 dst Outside:vpn.host.com

Protocol 47 is GRE. If I remove the pptp PAT, the traffic flows successfully (like line 3 in the config).
So my question is: How do I make a static NAT rule with PAT with the GRE protocol?
Is it possible?
I need to publish both pptp and tftp on the same internal server. That is why I need to make PAT. But it fails, as you can see from the log.

Hope you understand my problem.

Thanks!!
ideonit Asked:

zwart072 Commented:
Why do you need a static port NAT if you want to publish pptp and tftp on the same server? Just use your static like line 3 and edit your outside access-list to permit tftp also.
0
ideonit (Author) Commented:
I know how you are thinking. That would have worked. But I forgot to mention that pptp and tftp are published on two different public IP addresses. The firewall cannot translate two different services on the same server without PAT.

Do you understand my problem better now?

Thanks!
0
zwart072 Commented:
Did you enable a service policy specific for pptp inspection?
0
ideonit (Author) Commented:
No, I did not. How do I do that? Can you please show me the command(s) to enable that policy?
0
zwart072 Commented:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
0
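The reason the extra static PAT line breaks GRE is that a PAT on TCP/1723 only translates the PPTP control channel; the ASA's pptp inspection follows that control channel and dynamically creates the GRE (IP protocol 47) connection and translation, so without `inspect pptp` in the globally applied policy the GRE packets hit the "Deny inbound protocol 47" you saw. The script below is an added example (not code from this thread or from Cisco) that audits an ASA 8.2-style running-config for exactly this pairing and counts GRE denies in a batch of log lines. The config and log samples are constructed from the lines quoted in the thread, with a documentation-range source IP; hostnames are placeholders.

```python
"""Audit an ASA running-config for the PPTP-through-PAT problem from this thread.

Added example, not code from the thread or from Cisco. It checks two things a
defender would verify after the fix: that every static PAT on TCP/1723 is
matched by 'inspect pptp' in a globally applied policy-map, and how many
GRE (IP protocol 47) denies appear in a batch of ASA log lines.
"""
import re

# Constructed sample config built from the thread's lines; hostnames are placeholders.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit gre any host vpn.host.com
access-list outside_access_in extended permit tcp any host vpn.host.com eq pptp
static (inside,outside) tcp vpn.host.com pptp internal_vpn_server pptp netmask 255.255.255.255
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect tftp
service-policy global_policy global
"""

# The same config with the line the thread's answer adds.
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG.replace(
    "  inspect tftp\n", "  inspect tftp\n  inspect pptp\n")

# Constructed log lines in the format quoted in the question (documentation-range IP).
SAMPLE_LOG = [
    "Deny inbound protocol 47 src Outside:203.0.113.7 dst Outside:vpn.host.com",
    "Built inbound TCP connection for Outside:203.0.113.7/49152 to inside:internal_vpn_server/1723",
    "Deny inbound protocol 47 src Outside:203.0.113.7 dst Outside:vpn.host.com",
]

POLICY_RE = re.compile(r"^policy-map (\S+)\s*$")   # plain policy-maps only, not 'type inspect'
INSPECT_RE = re.compile(r"^\s+inspect (\S+)")
SERVICE_GLOBAL_RE = re.compile(r"^service-policy (\S+) global\s*$")
PAT_PPTP_RE = re.compile(
    r"^static \(\S+,\S+\) tcp \S+ (?:pptp|1723) \S+ (?:pptp|1723) netmask ")
GRE_DENY_RE = re.compile(r"Deny inbound protocol 47 src (\S+) dst (\S+)")


def inspections_by_policy(config):
    """Map each plain policy-map name to the set of protocols it inspects."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, set())
            continue
        if line and not line.startswith(" "):
            current = None          # any other top-level command closes the block
            continue
        m = INSPECT_RE.match(line)
        if m and current is not None:
            policies[current].add(m.group(1))   # 'inspect dns preset_dns_map' -> 'dns'
    return policies


def global_inspections(config):
    """Protocols inspected by policy-maps applied with 'service-policy <name> global'."""
    policies = inspections_by_policy(config)
    inspected = set()
    for line in config.splitlines():
        m = SERVICE_GLOBAL_RE.match(line)
        if m:
            inspected |= policies.get(m.group(1), set())
    return inspected


def pptp_pat_statics(config):
    """Static PAT entries that translate TCP/1723 (pptp) to an inside host."""
    return [line for line in config.splitlines() if PAT_PPTP_RE.match(line)]


def audit_pptp(config):
    """A PAT on TCP/1723 needs 'inspect pptp' so the ASA opens the GRE pinhole."""
    pat_lines = pptp_pat_statics(config)
    has_inspect = "pptp" in global_inspections(config)
    return {
        "pat_pptp": bool(pat_lines),
        "inspect_pptp": has_inspect,
        "ok": not pat_lines or has_inspect,
    }


def count_gre_denies(log_lines):
    """Count ASA 'Deny inbound protocol 47' messages, the symptom seen in the thread."""
    return sum(1 for line in log_lines if GRE_DENY_RE.search(line))


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", SAMPLE_CONFIG_FIXED)):
        print(label, audit_pptp(cfg))
    print("GRE denies in sample log:", count_gre_denies(SAMPLE_LOG))
```

Run it against the output of `show running-config` instead of the constructed sample to check a real box; the policy-map parser deliberately ignores `policy-map type inspect ...` blocks, because only plain policy-maps bound with `service-policy <name> global` decide which inspections apply to the PPTP control channel.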
ideonit (Author) Commented:
I will test this tomorrow and let you know if it worked.
Thanks!
0
ideonit (Author) Commented:
With the policy added to the config (inspect pptp), the traffic flows correctly through the Cisco ASA to our inside VPN server.

Thanks!
0