By default, Point-to-Point Tunneling Protocol (PPTP) will not work properly through a Cisco Adaptive Security Appliance (ASA) firewall or its forerunner, the Cisco PIX (Private Internet EXchange).
Prior to PIX software version 6.3, allowing PPTP to work through a PIX was a painful procedure involving static NAT and a GRE hole through the firewall. Not only is this an ugly solution, but it doesn't allow for much variability in terms of multiple PPTP users, etc.
PIX 6.3 added the following command that made everything work like a charm.
fixup protocol pptp 1723
As of ASA 7.2(3), this command still works, although it doesn't really conform to Cisco's current way of doing things: the Modular Policy Framework (MPF).
This is a translation of the fixup command as it appears in MPF commands.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
This is the default configuration. You should of course use names that coincide with your own naming policy. When you're done, you will have enabled PPTP tunnels through your Cisco ASA / PIX.
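To confirm from a saved configuration that PPTP inspection is both defined and actually attached, the check below parses ASA/PIX config text and reports whether it is enabled through MPF, through the legacy fixup command, or not at all. It is an added example, not part of the original article or any Cisco tooling; the function name `pptp_inspection` and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from a real device).
MPF_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
!
service-policy global_policy global
"""
LEGACY_CONFIG = "fixup protocol pptp 1723\n"
# Policy defined but never attached: inspection is not in effect.
UNAPPLIED_CONFIG = MPF_CONFIG.replace("service-policy global_policy global\n", "")


def pptp_inspection(config):
    """Return 'mpf', 'fixup' or None: how PPTP inspection is enabled, if at all."""
    inspecting = set()  # policy-maps holding a class with 'inspect pptp'
    applied = set()     # policy-maps referenced by a service-policy
    legacy = False
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not raw[0].isspace():  # a top-level command closes any open block
            pmap = cls = None
            if words[0] == "policy-map" and len(words) == 2:
                pmap = words[1]
            elif words[0] == "service-policy" and len(words) >= 2:
                applied.add(words[1])
            elif re.fullmatch(r"fixup protocol pptp \d+", line):
                legacy = True
        elif pmap and words[0] == "class" and len(words) == 2:
            cls = words[1]
        elif pmap and cls and words == ["inspect", "pptp"]:
            inspecting.add(pmap)
    if inspecting & applied:
        return "mpf"
    return "fixup" if legacy else None
```

A policy-map that contains `inspect pptp` but is not referenced by any `service-policy` line is reported as not enabled, which is the case most easily missed when reviewing a configuration by eye.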