The Point-to-Point Tunnelling Protocol (PPTP, RFC 2637) is a VPN protocol originally developed by a Microsoft-led vendor consortium; it lets remote users reach a protected network through a PPTP server.
Two protocols are involved: a TCP control channel on port 1723 and a GRE tunnel (IP protocol 47) that encapsulates the PPP frames carrying the user traffic.
Because GRE has no port numbers, the ASA cannot match it with an ordinary port-based ACL or translate it with PAT on its own; PPTP inspection parses the control channel, learns the call IDs negotiated for each session, and dynamically opens (and, under PAT, translates) the matching GRE data channel.
Note that PPTP itself offers weak protection: MS-CHAPv2 authentication and MPPE (RC4) encryption are both considered broken, so the configuration below is about getting the protocol through the firewall, not about making the tunnel secure.
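To make concrete what the inspection engine does with the control channel, here is an added Python example written for this page (not Cisco code and not the ASA's implementation). It parses the PPTP Outgoing-Call-Request/Reply exchange and the enhanced-GRE header as defined in RFC 2637, and keeps the set of GRE pinholes a stateful inspector would open. The class and function names, the addresses and the sample packets are all constructed for illustration; it leaves out the call-ID rewriting a real inspector must also perform when several inside clients share one PAT address.

```python
import struct

# Wire constants from RFC 2637 (PPTP) and its enhanced-GRE header.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7   # OCRQ, sent by the client (PNS)
OUTGOING_CALL_REPLY = 8     # OCRP, sent by the server (PAC)
GRE_PROTO_PPP = 0x880B      # protocol type of PPP-in-GRE
GRE_K_BIT = 0x2000          # key (payload length + call ID) present
GRE_S_BIT = 0x1000          # sequence number present
GRE_VER_MASK = 0x0007       # enhanced GRE is version 1
HEADER_FMT = "!HHIHH"       # length, message type, magic cookie, control type, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


class PptpInspector:
    """Hypothetical inspector (not ASA code): learns call IDs from the TCP/1723
    control channel and keeps GRE pinholes keyed on (src, dst, call_id)."""

    def __init__(self):
        self._pending = set()    # (client, server, client_call_id) awaiting a reply
        self._pinholes = set()   # (src, dst, call_id) tuples allowed in GRE

    def observe_control(self, src, dst, payload):
        """Feed one control message seen going src -> dst.
        Returns the list of pinholes it opened (empty if none)."""
        if len(payload) < HEADER_LEN:
            return []
        length, msg_type, magic, ctrl_type, _ = struct.unpack_from(HEADER_FMT, payload)
        if magic != PPTP_MAGIC_COOKIE or msg_type != PPTP_CONTROL_MESSAGE or length > len(payload):
            return []   # malformed: learn nothing rather than open anything
        if ctrl_type == OUTGOING_CALL_REQUEST and length >= HEADER_LEN + 2:
            (call_id,) = struct.unpack_from("!H", payload, HEADER_LEN)
            self._pending.add((src, dst, call_id))
            return []
        if ctrl_type == OUTGOING_CALL_REPLY and length >= HEADER_LEN + 6:
            call_id, peer_call_id, result, _err = struct.unpack_from("!HHBB", payload, HEADER_LEN)
            # A reply is only honoured if the matching request went the other way.
            if (dst, src, peer_call_id) not in self._pending:
                return []
            self._pending.discard((dst, src, peer_call_id))
            if result != 1:   # 1 = Connected; any other result code means no call
                return []
            opened = [
                (dst, src, call_id),       # client -> server carries the server's call ID
                (src, dst, peer_call_id),  # server -> client carries the client's call ID
            ]
            self._pinholes.update(opened)
            return opened
        return []

    def gre_permitted(self, src, dst, gre_packet):
        """True if this GRE packet matches a pinhole learned from the control channel."""
        if len(gre_packet) < 8:
            return False
        flags_ver, proto, _plen, call_id = struct.unpack_from("!HHHH", gre_packet)
        if proto != GRE_PROTO_PPP or not (flags_ver & GRE_K_BIT) or (flags_ver & GRE_VER_MASK) != 1:
            return False
        return (src, dst, call_id) in self._pinholes


# --- Constructed sample traffic (not captured from a real session) ---

def _control(ctrl_type, body):
    hdr = struct.pack(HEADER_FMT, HEADER_LEN + len(body), PPTP_CONTROL_MESSAGE,
                      PPTP_MAGIC_COOKIE, ctrl_type, 0)
    return hdr + body

def build_ocrq(call_id):
    # call ID, serial, min/max bps, bearer, framing, window, delay, phone len, reserved, phone, subaddress
    body = struct.pack("!HHIIIIHHHH64s64s", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0, b"", b"")
    return _control(OUTGOING_CALL_REQUEST, body)

def build_ocrp(call_id, peer_call_id, result=1):
    # call ID, peer's call ID, result, error, cause, speed, window, delay, physical channel
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0, 100_000_000, 64, 0, 0)
    return _control(OUTGOING_CALL_REPLY, body)

def build_gre(call_id, seq, ppp_frame):
    # K and S set, version 1, protocol 0x880B, key = (payload length, call ID), then sequence number
    return struct.pack("!HHHHI", GRE_K_BIT | GRE_S_BIT | 1, GRE_PROTO_PPP,
                       len(ppp_frame), call_id, seq) + ppp_frame

def demo():
    """Walk one call setup and report which GRE packets the inspector lets through."""
    client, server = "10.10.30.130", "203.0.113.10"   # constructed addresses
    fw = PptpInspector()
    fw.observe_control(client, server, build_ocrq(0x0001))          # client asks for a call
    fw.observe_control(server, client, build_ocrp(0x0007, 0x0001))  # server accepts, its call ID is 7
    ppp = b"\xff\x03\xc0\x21"   # start of a PPP LCP frame, placeholder payload
    return {
        "client_to_server": fw.gre_permitted(client, server, build_gre(0x0007, 0, ppp)),
        "server_to_client": fw.gre_permitted(server, client, build_gre(0x0001, 0, ppp)),
        "wrong_call_id": fw.gre_permitted(client, server, build_gre(0x0001, 0, ppp)),
        "unsolicited": fw.gre_permitted("198.51.100.9", client, build_gre(0x0001, 0, ppp)),
    }
```

Run `demo()` to see the two legitimate directions permitted and the mismatched and unsolicited GRE packets dropped. The point to take from it is that GRE is only let through after a complete, successful OCRQ/OCRP exchange on TCP/1723, which is why the control channel has to be reachable and inspected in both scenarios below.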
Base parameters
!
object network inside_network_range
range 10.10.30.128 10.10.30.254
!
object network outside_network_range
range 10.10.10.128 10.10.10.254
!
Scenario 1 – PPTP client connecting to remote server
Inside hosts are PAT'd to the outside interface address. PPTP is not one of the ASA's default inspections, so it has to be added to the global policy explicitly; without it the GRE return traffic has no port to be translated on and is dropped.
!
nat (inside,outside) source dynamic inside_network_range interface
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
!
Scenario 2 – Allow remote PPTP clients to connect to internal PPTP server
Inbound TCP connections to port 1723 on the ASA's outside interface address are statically PAT'd to the internal host 'PPTP-server'. On ASA 8.3 and later the access-list references the real (untranslated) address, 10.10.30.100, not the outside interface address. No explicit GRE permit is needed in the ACL: once the call is established, PPTP inspection opens the GRE data channel itself.
!
object network PPTP-server
host 10.10.30.100
nat (inside,outside) static interface service tcp pptp pptp
!
access-list outside_access_in extended permit tcp any host 10.10.30.100 eq pptp
!
access-group outside_access_in in interface outside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
!