Cisco ASA 5505 Configuration Manual page 834

PPTP Inspection
•
•
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
•
PPTP Inspection
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and
usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and
managing the PPTP GRE tunnels. The GRE tunnels carries PPP sessions between the two hosts.
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the
GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637,
is supported.
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP
control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC
1701, RFC 1702].
Specifically, the adaptive security appliance inspects the PPTP version announcements and the outgoing
call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further
inspection on the TCP control channel is disabled if the version announced by either side is not Version
1. In addition, the outgoing-call request and reply sequence are tracked. Connections and xlates are
dynamic allocated as necessary to permit subsequent secondary GRE data traffic.
The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT
is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP
TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and
RFC 1702).
As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated
from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server).
When used this way, the PAC is the remote client and the PNS is the server.
However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user
PC that initiates connection to the head-end PAC to gain access to a central network.
SMTP and Extended SMTP Inspection
This section describes the IM inspection engine. This section includes the following topics:
•
Cisco ASA 5500 Series Configuration Guide using ASDM
37-50
Description—Enter the description of the NetBIOS map, up to 200 characters in length.
Check for protocol violations—Checks for protocol violations and executes specified action.
Action—Drop packet or log.
–
Log—Enable or disable.
–
Security Context
Transparent Single
• •
SMTP and ESMTP Inspection Overview, page 37-51
Chapter 37 Configuring Inspection of Basic Internet Protocols
Multiple
Context System
—
•
OL-20339-01