PPTP pass through on Cisco ASA 5505 (8.2)

Solution 1:

The stock ASA configuration does not include support for PPTP passthrough by default -- crazy as to why. Cisco TAC likely gets a handful of cases related to this...

There are at most three things required to get PPTP working through an ASA:

If server is behind ASA

  1. Configure necessary NAT/PAT if using NAT/PAT (Optional but usually required)
  2. ACL permit TCP/1723 to server/IP (whether real, mapped, or interface depends on ASA version)
  3. Enable PPTP inspection
    • Explicit ACL permit for GRE is not necessary

If client is behind ASA

  1. Enable PPTP inspection

Server example

  • ASA outside interface IP 1.1.1.2/30
  • Server inside IP 10.0.0.10/24
  • Static PAT (port forwarding) TCP/1723 using ASA outside interface IP

ASA 8.3 and newer (with focus on objects)

object network hst-10.0.0.10
 description Server
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 description Server TCP/1723 Static PAT Object
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723

object-group service svcgrp-10.0.0.10-tcp tcp
 port-object eq 1723

access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

ASA 8.2 and prior

access-list outside_access_in extended permit tcp any interface outside eq 1723

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 1723 10.0.0.10 1723 netmask 255.255.255.255

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

Client example

Valid for all ASA OS versions

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

If these examples don't fit your scenario, post your specifics and we can customize a config for you.
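
An offline check of a saved config against the server and client requirements listed in the answer, written in Python as an added example (it is not part of the original answer and not a Cisco tool). The function name `audit_pptp`, the finding strings and the sample config are hypothetical; accepting the port as either `1723` or `pptp` is an assumption about how a config may display it.

```python
import re

# Constructed sample: server-behind-ASA config (8.3+ style). The ACL refers to
# an object-group name that is never defined, and carries an extra GRE permit.
SAMPLE = """\
object network hst-10.0.0.10
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723
object-group service svcgrp-10.0.0.10 tcp
 port-object eq 1723
access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-list outside_access_in extended permit gre any object hst-10.0.0.10
policy-map global_policy
 class inspection_default
  inspect pptp
"""

PORT = r"eq (?:1723|pptp)\b"  # accept the port by number or by name

def audit_pptp(config, server_behind_asa=True):
    """Return a list of findings; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    if not any(re.fullmatch(r"\s+inspect pptp\s*", l) for l in lines):
        findings.append("missing: inspect pptp")
    if not server_behind_asa:
        return findings  # the client case needs inspection only
    # Collect defined object / object-group names, and groups holding TCP/1723.
    defined, pptp_groups, current = set(), set(), None
    for l in lines:
        m = re.match(r"object(?:-group)? \S+ (\S+)", l)
        if m:
            current = m.group(1)
            defined.add(current)
        elif not l.startswith(" "):
            current = None
        elif current and re.search(r"port-object " + PORT, l):
            pptp_groups.add(current)
    permitted = False
    for acl in (l for l in lines if l.startswith("access-list ")):
        refs = re.findall(r"\bobject(?:-group)? (\S+)", acl)
        findings += [f"undefined reference: {r}" for r in refs if r not in defined]
        if " permit tcp " in acl and (re.search(PORT, acl) or pptp_groups & set(refs)):
            permitted = True
        if " permit gre " in acl:
            findings.append("unneeded: explicit GRE permit")
    if not permitted:
        findings.append("missing: ACL permit for TCP/1723")
    return findings
```

Calling `audit_pptp(SAMPLE)` reports the undefined group name, the GRE permit that inspection makes unnecessary, and the resulting lack of a working TCP/1723 permit.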