Cisco ASA – configuring PPTP VPN

The Point-to-Point Tunnelling Protocol is a VPN implementation created by Microsoft to allow remote users access to secured networks via a PPTP server.

Two protocols are used: a TCP control channel on port 1723 and a GRE tunnel that encapsulates the PPP packets.

Because the GRE tunnel carries no port numbers, the ASA cannot open it with an ordinary port-based rule. Instead it inspects the control channel (`inspect pptp`), learns the call IDs negotiated there and dynamically permits the matching GRE tunnel to be established.

Base parameters

 !
 object network inside_network_range
  range 10.10.30.128 10.10.30.254
 !
 object network outside_network_range
  range 10.10.10.128 10.10.10.254
 !


Scenario 1 – PPTP client connecting to remote server

[Diagram: PPTP client to remote server]

 !
 nat (inside,outside) source dynamic inside_network_range interface
 !
 class-map inspection_default
  match default-inspection-traffic
 !
 policy-map global_policy
  class inspection_default
  inspect pptp
 !
 service-policy global_policy global
 !


Scenario 2 – Allow remote PPTP clients to connect to internal PPTP server

Any traffic arriving on the ASA’s outside interface on TCP port 1723 (pptp) is statically translated to the internal host defined by the object ‘PPTP-server’ (10.10.30.100). Note that the access list references the server’s real (untranslated) address, as the ASA 8.3+ NAT syntax used here requires; PPTP inspection then permits the GRE tunnel that follows the control-channel handshake.

[Diagram: remote PPTP clients to internal PPTP server]

 !
 object network PPTP-server
  host 10.10.30.100
 !
 access-list outside_access_in extended permit tcp any host 10.10.30.100 eq pptp
 !
 object network PPTP-server
  nat (inside,outside) static interface service tcp pptp pptp
 !
 access-group outside_access_in in interface outside
 !
 class-map inspection_default
  match default-inspection-traffic
 !
 policy-map global_policy
  class inspection_default
  inspect pptp
 !
 service-policy global_policy global
 !
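The stateful behaviour that `inspect pptp` provides in both scenarios, shown as an added Python model written for this page (it is not ASA code): it parses the Outgoing-Call-Request and Outgoing-Call-Reply messages on the TCP/1723 control channel to learn the call IDs, and permits enhanced-GRE packets only for calls the reply confirmed as Connected. The sample messages are constructed; the client call ID 0x1234 and server call ID 0xABCD are arbitrary.

```python
import struct
PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8
GRE_PPTP_PROTO = 0x880B   # enhanced GRE carrying PPP (RFC 2637)
GRE_K_BIT = 0x20          # Key field (payload length + Call ID) present

def parse_pptp_control(data):
    """(ctrl_type, call_id, peer_call_id, result) for Outgoing-Call-Request/Reply, else None."""
    length, msg_type, magic, ctrl = struct.unpack_from("!HHIH", data, 0)
    if msg_type != 1 or magic != PPTP_MAGIC or length > len(data):
        raise ValueError("not a PPTP control message")
    if ctrl == OUT_CALL_REQUEST:
        return ctrl, struct.unpack_from("!H", data, 12)[0], None, None
    if ctrl == OUT_CALL_REPLY:
        call_id, peer, result = struct.unpack_from("!HHB", data, 12)
        return ctrl, call_id, peer, result
    return None

def gre_call_id(pkt):
    """Call ID from an enhanced-GRE header, or None if the packet is not PPTP GRE."""
    flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if proto != GRE_PPTP_PROTO or (ver & 0x07) != 1 or not flags & GRE_K_BIT:
        return None
    return call_id

class PptpPinholes:
    """Model of 'inspect pptp': GRE is permitted only for Call IDs negotiated on
    the TCP/1723 control channel and confirmed Connected (result code 1)."""
    def __init__(self):
        self.pending, self.open = set(), set()
    def observe_control(self, data):
        parsed = parse_pptp_control(data)
        if not parsed:
            return
        ctrl, call_id, peer, result = parsed
        if ctrl == OUT_CALL_REQUEST:
            self.pending.add(call_id)
        elif ctrl == OUT_CALL_REPLY and result == 1 and peer in self.pending:
            self.pending.discard(peer)
            self.open.update({call_id, peer})  # GRE in each direction carries the receiver's ID
    def gre_permitted(self, pkt):
        cid = gre_call_id(pkt)
        return cid is not None and cid in self.open
# Constructed sample messages (not a capture); fields after Call ID are zero-padded
def build_request(call_id):
    return struct.pack("!HHIHHH", 168, 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0, call_id).ljust(168, b"\0")
def build_reply(call_id, peer, result):
    return struct.pack("!HHIHHHHB", 32, 1, PPTP_MAGIC, OUT_CALL_REPLY, 0, call_id, peer, result).ljust(32, b"\0")
def build_gre(call_id):
    return struct.pack("!BBHHH", 0x30, 0x01, GRE_PPTP_PROTO, 0, call_id)
```

A reply whose result code is anything other than 1 opens no pinhole, which is why a failed call leaves GRE blocked just as a real inspection engine would.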