https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78767#M704420 <HTML><HEAD></HEAD><BODY><P>doh! I should have kept looking. A previous post ansered this question for me I think. PAT is the issue.</P><P></P><P>Let me know if you have any ideas on a work around ...</P><P></P><P></P><P>Thanks,</P><P></P><P>Ryan</P></BODY></HTML> Thu, 04 Oct 2001 22:01:26 GMT rtober 2001-10-04T22:01:26Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78766#M704419 <P>I'm trying to establish a W2K pro PPTP tunnel through a PIX out to an external Multi-homed W2K server (across public internet). When I initiate the client (secure side of PIX) it contacts the external server and begins to authenticate but eventually times out. I've verified the client PPTP setup using an external dial-out account (bypassing my entire network) and it connects just fine.</P><P></P><P>My first guess is the PAT on the firewall is interfering with the W2K PPTP handshake - I know the Cisco Client allows for IPsec though NAT but I couldn't find anything like that in the W2K setup ...</P><P></P><P>Thanks,</P><P>Ryan</P> Fri, 21 Feb 2020 05:51:12 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78766#M704419 rtober 2020-02-21T05:51:12Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78767#M704420 <HTML><HEAD></HEAD><BODY><P>doh! I should have kept looking. A previous post ansered this question for me I think. PAT is the issue.</P><P></P><P>Let me know if you have any ideas on a work around ...</P><P></P><P></P><P>Thanks,</P><P></P><P>Ryan</P></BODY></HTML> Thu, 04 Oct 2001 22:01:26 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78767#M704420 rtober 2001-10-04T22:01:26Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78768#M704421 <HTML><HEAD></HEAD><BODY><P>What was the solution for your problem. I'm having the same issue </P></BODY></HTML> Mon, 08 Oct 2001 16:35:36 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78768#M704421 pag 2001-10-08T16:35:36Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78769#M704422 <HTML><HEAD></HEAD><BODY><P>You need to set up a conduit or access list through the firewall with a static ip address to the internal computer. The internal computer can send packets out, but the packets are blocked at the firewall from getting back in. I was told to open up ports for PPTP,(I can't remember what they were) but that didn't work. I ended up allowing TCP from host to host(from the IP address of the PC outside your network to the external(public) ip of the computer inside your network. I hope this helps, if you need more help I can post some configs.</P><P></P><P>jp</P></BODY></HTML> Mon, 08 Oct 2001 17:29:01 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78769#M704422 jpoulos 2001-10-08T17:29:01Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78770#M704423 <HTML><HEAD></HEAD><BODY><P>I have tried allowing pptp access, with no luck, and would realy like to see your configs. What i have done: Created static 1-to-1 Nat translation, opened tcp eq 1723 &amp; protocol 47 (gre) outbound and inbound.</P><P></P><P>static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255 </P><P>access-list allow_outbound permit gre 10.0.0.0 255.0.0.0 any </P><P>access-list allow_outbound permit tcp 10.0.0.0 255.255.0.0 any eq 1723</P><P></P><P>access-list allow_inbound permit ip any host 12.x.x.x</P><P>access-list allow_inbound permit gre any host 12.x.x.x</P><P>access-list allow_inbound permit tcp any host 12.x.x.x eq 1723</P><P></P><P>In addition, i allowed ALL outbound &amp; ALL inbound to and from any with NO luck (just for testing).</P><P></P><P>Thanks,</P><P>Mike</P><P></P><P></P></BODY></HTML> Tue, 09 Oct 2001 21:19:45 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78770#M704423 mconroy 2001-10-09T21:19:45Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78771#M704424 <HTML><HEAD></HEAD><BODY><P>jp,</P><P></P><P>I thought the PIX had implicit permit all for outbound connections initiated from the inside (secure leg) and automatically allowed the reply to pass back through as long as the reply packet was good. Implicit deny all is only applied to connections initiated from the outside in right?</P><P></P><P>I don't have to open up return ports for outbound http traffic, etc ...</P><P></P><P>Just wondering ...</P><P></P><P>Thanks,</P><P></P><P>Ryan</P></BODY></HTML> Thu, 18 Oct 2001 16:59:04 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78771#M704424 rtober 2001-10-18T16:59:04Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78772#M704425 <HTML><HEAD></HEAD><BODY><P>Well right now I'm going to forget the internal client configuration because I don't want to short-circuit our DMZ and bring a direct connection straight through. I'm going to try a Lan-to-lan connection using our 3030. I've initiated lan-to-lan with 2 PIXs using IPsec but never with PPTP to a W2K server. Should be tons-O-fun.</P></BODY></HTML> Thu, 18 Oct 2001 17:04:45 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78772#M704425 rtober 2001-10-18T17:04:45Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78773#M704426 <HTML><HEAD></HEAD><BODY><P>There are two ways you can do it:</P><P></P><P>The first way allows for a point to point access from a specific host to a specific host. The second way allows for VPN PPTP connections to anywhere and back, but it is a little less secure. It looks like the only difference between our configs is you don't have the permit UDP statement. Let me know if you have any questions.( the 216 in my config is the external host that we are connecting to)</P><P></P><P>JP</P><P></P><P>static (inside,outside) 237.xx.xx.1 10.xx.xx.1 netmask 255.255.255.255 0 0</P><P>access-list REMOTE permit ip host 216.xx.xx.xx host 237.xx.xx.1</P><P></P><P></P><P>static (inside,outside) 237.xx.xx.2 10.xx.xx.2 netmask 255.255.255.255 0 0</P><P>access-list REMOTE permit ip any host 237.xx.xx.2</P><P>access-list REMOTE permit udp any host 237.xx.xx.2</P><P></P></BODY></HTML> Thu, 18 Oct 2001 19:45:17 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78773#M704426 jpoulos 2001-10-18T19:45:17Z https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78774#M704427 <HTML><HEAD></HEAD><BODY><P>Try a debug packet on outside (specify W2K server as source in order to filter the traffic) in order to see what arrives on PIX port and why it's discarded.</P><P></P><P>Maurizio</P></BODY></HTML> Fri, 19 Oct 2001 12:42:41 GMT https://community.cisco.com/t5/network-security/passing-w2k-pptp-through-pix-6-0-to-external-address/m-p/78774#M704427 murriware 2001-10-19T12:42:41Z