Allow PPTP Through Cisco ASA

Posted on in Networking

Speeding through the tunnelBy default Point-to-Point Tunneling Protocol (PPTP) will now work properly through a Cisco Adaptive Security Appliance (ASA) firewall or it's forerunner the Cisco <acronym title="Private Internet EXchange">PIX</acronym>.

Prior to PIX software version 6.3, allowing PPTP to work through a PIX was a painful procedure involving static NAT and a GRE hole through the firewall. Not only is this an ugly solution, but it doesn't allow for much variability in terms of multiple PPTP users, etc.

PIX 6.3 added the following command that made everything work like a charm.

fixup protocol pptp 1723

As of ASA 7.2(3), this command still works, although it doesn't really conform to Cisco's current way of doing things: the Modular Policy Framework.

This is a translation of the fixup command as it appears in MPF commands.

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp 
service-policy global_policy global

This is the default configuration. You should of course use names that coincide with your own naming policy. When you're done, you will have enabled PPTP tunnels through your Cisco ASA / PIX.

My Bookshelf

Reading Now

Other Stuff