Cisco Systems ASA5515K9, ASA 5500 PPTP Inspection

43-30

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter43 Configuring Inspection of Basic Internet Protocols

PPTP Inspection

You can specify multiple class or match commands in the policy map. For information about the order

of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on

page 33-2.

Step6 To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters

hostname(config-pmap-p)#

b. To check for NETBIOS protocol violations, enter the following command:

hostname(config-pmap-p)# protocol-violation [action [drop-connection | reset | log]]

Where the drop-connection action closes the connection. The reset action closes the connection

and sends a TCP reset to the client. The log action sends a system log message when this policy map

matches traffic.

The following example shows how to define a NETBIOS inspection policy map.

hostname(config)# policy-map type inspect netbios netbios_map

hostname(config-pmap)# protocol-violation drop log

hostname(config)# policy-map netbios_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap-c)# inspect netbios netbios_map

PPTP Inspection

PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and

usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and

managing the PPTP GRE tunnels. The GRE tunnels carries PPP sessions between the two hosts.

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the

GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637,

is supported.

PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP

control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC

1701, RFC 1702].

Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response

sequence. Only PPTP Version 1, as defined in RFC2637, is inspected. Further inspection on the TCP

control channel is disabled if the version announced by either side is not Version 1. In addition, the

outgoing-call request and reply sequence are tracked. Connections and xlates are dynamic allocated as

necessary to permit subsequent secondary GRE data traffic.

The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT

is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP

TCP control channel. PAT is not performed for the unmodified version of GRE (RFC1701 and

RFC 1702).

As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated

from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server).

When used this way, the PAC is the remote client and the PNS is the server.