<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PPTP/GRE Over PIX in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pptp-gre-over-pix/m-p/639121#M497216</link>
    <description>&lt;P&gt;Is anybody familiar with PPTP/GRE? &lt;/P&gt;&lt;P&gt;Here is my scenario:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;NT 4 inside-PIX-outside--internet&lt;/P&gt;&lt;P&gt;                       --PC&lt;/P&gt;&lt;P&gt;NT4 has a PPTP server (MS built in) running inside the PIX. PCs over the internet are able to establish a GRE tunnel. We allow the PPTP/GRE port/protocol open from any to the PPTP server on the PIX. However, if we try to put a PC directly on the PIX outside network to establish the GRE, it just does not work. The PIX configuration has the ACL open for sure to allow this PC to establish PPTP/GRE with the server. &lt;/P&gt;&lt;P&gt;Here is the troubleshooting I did:&lt;/P&gt;&lt;P&gt;1. Ping the public address of the NT 4, works.&lt;/P&gt;&lt;P&gt;2. telnet public 1723, works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But GRE can't establish.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am wondering: since the PC is on the same subnet as the PIX outside address as well as the NT 4 public address, and the tunnel target address is the NT 4 public address in the PC PPTP client configuration, will the FW think they are on the same network and not want to establish the GRE at all?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 09:12:34 GMT</pubDate>
    <dc:creator>ciscoforum</dc:creator>
    <dc:date>2020-02-21T09:12:34Z</dc:date>
    <item>
      <title>PPTP/GRE Over PIX</title>
      <link>https://community.cisco.com/t5/network-security/pptp-gre-over-pix/m-p/639121#M497216</link>
      <description>&lt;P&gt;Is anybody familiar with PPTP/GRE? &lt;/P&gt;&lt;P&gt;Here is my scenario:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;NT 4 inside-PIX-outside--internet&lt;/P&gt;&lt;P&gt;                       --PC&lt;/P&gt;&lt;P&gt;NT4 has a PPTP server (MS built in) running inside the PIX. PCs over the internet are able to establish a GRE tunnel. We allow the PPTP/GRE port/protocol open from any to the PPTP server on the PIX. However, if we try to put a PC directly on the PIX outside network to establish the GRE, it just does not work. The PIX configuration has the ACL open for sure to allow this PC to establish PPTP/GRE with the server. &lt;/P&gt;&lt;P&gt;Here is the troubleshooting I did:&lt;/P&gt;&lt;P&gt;1. Ping the public address of the NT 4, works.&lt;/P&gt;&lt;P&gt;2. telnet public 1723, works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But GRE can't establish.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am wondering: since the PC is on the same subnet as the PIX outside address as well as the NT 4 public address, and the tunnel target address is the NT 4 public address in the PC PPTP client configuration, will the FW think they are on the same network and not want to establish the GRE at all?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 09:12:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pptp-gre-over-pix/m-p/639121#M497216</guid>
      <dc:creator>ciscoforum</dc:creator>
      <dc:date>2020-02-21T09:12:34Z</dc:date>
    </item>
    <item>
      <title>Re: PPTP/GRE Over PIX</title>
      <link>https://community.cisco.com/t5/network-security/pptp-gre-over-pix/m-p/639122#M497220</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No, it shouldn't be thinking that.  The PIX will grab any packets destined for the PPTP server's address and forward them on inside, assuming it has the correct static set up for it.  For sanity checking, you would need the following config for this to work (in this example the actual server address is 10.1.1.1, and the global address that outside users connect to is 1.1.1.1):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;access-list inbound permit gre any host 1.1.1.1&lt;/P&gt;&lt;P&gt;access-list inbound permit tcp any host 1.1.1.1 eq 1723&lt;/P&gt;&lt;P&gt;access-group inbound in interface outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can't use a port static or anything like that because GRE doesn't have a port; it HAS TO BE a one-to-one static like I have shown above.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Oct 2006 00:17:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pptp-gre-over-pix/m-p/639122#M497220</guid>
      <dc:creator>gfullage</dc:creator>
      <dc:date>2006-10-03T00:17:29Z</dc:date>
    </item>
  </channel>
</rss>

