
VPN/PPTP passthrough on Cisco ASA 5505

I have successfully forwarded pptp traffic to an inside server that runs Microsoft RRAS VPN service. These are the lines in my config:

access-list outside_access_in extended permit gre any host vpn.host.com
access-list outside_access_in extended permit tcp any host vpn.host.com eq pptp
static (inside,outside) vpn.host.com internal_vpn_server netmask

The server runs two services; therefore I have to make a port address translation on the third line.

However if I type this command:
static (inside,outside) tcp vpn.host.com pptp internal_vpn_server pptp netmask

This is shown in the log:
Deny inbound protocol 47 src Outside: dst Outside:vpn.host.com

Protocol 47 is GRE. If I remove the pptp PAT, the traffic flows successfully (like line 3 in the config).
So my question is: How do I make a static NAT rule with PAT with the GRE protocol?
Is it possible?
I need to publish both pptp and tftp on the same internal server. That is why I need to make PAT. But it fails, as you can see from the log.

Hope you understand my problem.

1 Solution
Why do you need a static port NAT if you want to publish pptp and tftp on the same server? Just use your static like line 3 and edit your outside access-list to permit tftp also.
ideonitAuthor Commented:
I know how you are thinking. That would have worked. But I forgot to mention that pptp and tftp are published on two different public IP addresses. The firewall cannot translate two different services without PAT on the same server.

Do you understand my problem better now?

Did you enable a service policy specific for pptp inspection?
ideonitAuthor Commented:
No I did not. How do I do that? Can you please show me the command (s) to enable that policy?
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
ideonitAuthor Commented:
I will test this tomorrow and let you know if it worked.
ideonitAuthor Commented:
With the policy added to config (inspect pptp) the traffic flows correctly through the Cisco ASA to our inside vpn-server.
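The reason the port static alone failed is that a PAT entry only knows TCP/UDP ports, while GRE (protocol 47) has none; the ASA therefore needs PPTP inspection to read the control channel and open the GRE pinhole itself. As an added example that is not part of this thread, the following Python script lints a saved pre-8.3 ASA configuration for exactly that gap: a PPTP port static with no 'inspect pptp' in any policy applied by a service-policy line. The configuration text inside it is constructed to mirror the poster's setup (the netmask value is assumed).

```python
import re

# Constructed ASA 8.x config (assumed, not copied from the thread) reproducing the
# failing setup: a port-level static for PPTP but no 'inspect pptp' in the policy
# applied by 'service-policy ... global'.
BROKEN_CONFIG = """\
access-list outside_access_in extended permit gre any host vpn.host.com
access-list outside_access_in extended permit tcp any host vpn.host.com eq pptp
static (inside,outside) tcp vpn.host.com pptp internal_vpn_server pptp netmask 255.255.255.255
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""
# Same config with the fix the thread arrived at.
FIXED_CONFIG = BROKEN_CONFIG.replace("  inspect ftp\n", "  inspect ftp\n  inspect pptp\n")

# static (real,mapped) {tcp|udp} mapped_ip mapped_port real_ip real_port ...
PORT_STATIC = re.compile(r"^static \([^)]+\) (?:tcp|udp) \S+ (\S+) \S+ (\S+) ")
SERVICE_POLICY = re.compile(r"^service-policy (\S+) ")
PPTP_PORTS = {"pptp", "1723"}


def parse_policy_inspections(config):
    """Map each layer-3/4 policy-map name to the set of inspect engines under it."""
    policies, current = {}, None
    for line in config.splitlines():
        if line.startswith("policy-map ") and "type inspect" not in line:
            current = line.split()[1]
            policies[current] = set()
        elif current and line.startswith(" "):        # nested 'class' / 'inspect' lines
            parts = line.split()
            if parts[0] == "inspect":
                policies[current].add(parts[1])
        elif not line.startswith(" "):                  # any other top-level line ends the block
            current = None
    return policies


def check_pptp_pat(config):
    """Return one finding per PPTP port static whose GRE leg no applied policy will open."""
    applied = {m.group(1) for m in map(SERVICE_POLICY.match, config.splitlines()) if m}
    policies = parse_policy_inspections(config)
    pptp_inspected = any("pptp" in policies.get(name, set()) for name in applied)
    findings = []
    for line in config.splitlines():
        m = PORT_STATIC.match(line)
        if m and not pptp_inspected and (m.group(1) in PPTP_PORTS or m.group(2) in PPTP_PORTS):
            findings.append(f"{line.strip()} -> no 'inspect pptp' in an applied policy; "
                            "GRE (protocol 47) to this mapped host will be denied")
    return findings


if __name__ == "__main__":
    for finding in check_pptp_pat(BROKEN_CONFIG):
        print(finding)
```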