02-16-2005 09:07 AM - edited 02-20-2020 11:58 PM
I am having problems getting one of my PIX firewalls to allow a PPTP connection from a machine on the inside network to a server on the outside. I have found and tried some of the things listed in the following document from the PIX examples.
http://www.cisco.com/warp/public/110/pix_pptp.pdf
My situation is slightly different in that, although I am running 6.3 code, we are still using conduit statements. Can anyone tell me what is necessary to make this work? I am doing PAT on the PIX. Also, there is a static statement for the machine on the inside that is trying to make the PPTP connection, if that helps/makes a difference.
Any feedback on this would be greatly appreciated.
Justin Loucks
02-16-2005 09:19 AM
Hi Justin,
Make sure you open TCP 1723 from inside to outside. Do you have any inside access list? Conduits don't matter anyway, because the traffic is from inside to outside. 'fixup protocol pptp 1723' is a very important command; it won't normally work without this.
Also make sure the other end (where the server is hosted) allows traffic from outside to inside (either conduit or ACL). Make sure you open TCP 1723 on the other end.
Raj
02-18-2005 06:21 AM
I did add the 'fixup protocol pptp 1723' line to my config after reading the Cisco doc. I still am not getting out. I placed a machine in front of the firewall for a minute to make sure the PPTP server we are trying to connect to is set up correctly, and I was able to connect, so it is definitely something with my PIX. I have no access lists in place on this firewall. Are you suggesting that I do need one to get out? Here is some info as to what I have in place for the interfaces in question. The server I'm trying to get out is on DMZ4.
nameif ethernet0 outside security0
nameif ethernet4 dmz4 security40
fixup protocol pptp 1723
name 1.1.1.5 Server5
ip address outside 1.1.1.2 255.255.255.240
ip address dmz4 10.10.40.1 255.255.255.0
global (outside) 1 1.1.1.3
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
static (dmz4,outside) Server5 10.10.40.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
02-17-2005 06:45 PM
you will probably also want this line in your config:
fixup protocol pptp 1723
02-18-2005 08:01 AM
Do you still have problems ?
If yes the problem could be that GRE is dropped on the outside interface.
To test that use:
# sysopt will ignore the access-lists and lets the protocol through:
sysopt connection permit-pptp
Access-list example:
# Access list for dynamic VPN users. If the client connects from a fixed IP, then restrict the source IP.
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-outside permit gre any host PPTP-Public
access-group acs-outside in interface outside
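As an added example (not from the thread and not Cisco code), here is a small Python audit that checks a PIX 6.x config for the pieces this thread ends up needing for a client behind the firewall to dial a PPTP server outside: the PPTP fixup, and then either 'sysopt connection permit-pptp' or an inbound ACL on the outside interface permitting TCP 1723 and GRE to the client's static-mapped address, as in the ACL example in the post above. The sample configs are constructed from the snippet posted in this thread; the PPTP-Public placeholder from the ACL example is replaced by the thread's own Server5 static, which is an assumption of the example.

```python
"""Audit a PIX 6.x config for PPTP pass-through from a client behind the
firewall to a PPTP server outside: the PPTP fixup, plus either
`sysopt connection permit-pptp` or an inbound outside ACL that permits
TCP 1723 and GRE to the client's static-mapped address.
Added example for this thread, not Cisco code; sample configs below are
constructed from the config posted in the thread."""

PORT_NAMES = {"pptp": 1723}  # PIX port keyword used in the ACL example


def _addr(tok, i):
    """Consume one PIX address spec at tok[i]: any | host X | net mask."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_pix(config):
    """Pull out only the lines the audit needs."""
    f = {"fixup_pptp": False, "sysopt_pptp": False, "names": {},
         "acls": {}, "groups": {}, "statics": []}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["fixup", "protocol", "pptp"]:
            f["fixup_pptp"] = True
        elif tok[:3] == ["sysopt", "connection", "permit-pptp"]:
            f["sysopt_pptp"] = True
        elif tok[0] == "name" and len(tok) == 3:          # name <ip> <alias>
            f["names"][tok[2]] = tok[1]
        elif tok[0] == "access-list" and len(tok) > 5 and tok[2] == "permit":
            proto = tok[3]
            _, i = _addr(tok, 4)                           # source, not audited
            dst, i = _addr(tok, i)
            port = None
            if i + 1 < len(tok) and tok[i] == "eq":
                p = tok[i + 1]
                port = PORT_NAMES.get(p, int(p) if p.isdigit() else p)
            f["acls"].setdefault(tok[1], []).append((proto, dst, port))
        elif tok[0] == "access-group" and "interface" in tok:
            f["groups"][tok[tok.index("interface") + 1]] = tok[1]
        elif tok[0] == "static" and len(tok) >= 4:  # static (in_if,out_if) global local
            f["statics"].append((tok[2], tok[3]))
    return f


def _permits(acl, resolve, proto, target, port=None):
    """True if some entry permits proto to target (or any), on port if given."""
    return any(p == proto and resolve(d) in ("any", target)
               and (port is None or pt in (None, port))
               for p, d, pt in acl)


def audit_pptp(config, outside="outside"):
    """Return findings as strings; an empty list means nothing is missing."""
    f = parse_pix(config)
    resolve = lambda a: f["names"].get(a, a)   # alias from `name` -> IP
    findings = []
    if not f["fixup_pptp"]:
        findings.append("missing: fixup protocol pptp 1723")
    if f["sysopt_pptp"]:
        # This is what fixed the thread, but it lets PPTP past the
        # ACL/conduit checks for every host, not just the one static.
        findings.append("note: sysopt connection permit-pptp bypasses the "
                        "outside ACL for PPTP; a host-scoped ACL is tighter")
        return findings
    acl = f["acls"].get(f["groups"].get(outside), [])
    if not acl:
        findings.append(f"missing: no inbound access-list on {outside}")
    for glob, local in f["statics"]:
        target = resolve(glob)
        if not _permits(acl, resolve, "tcp", target, 1723):
            findings.append(f"missing: permit tcp any host {target} eq 1723 ({local})")
        if not _permits(acl, resolve, "gre", target):
            findings.append(f"missing: permit gre any host {target} ({local})")
    return findings


# Constructed from the config posted in the thread.
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet4 dmz4 security40
fixup protocol pptp 1723
name 1.1.1.5 Server5
ip address outside 1.1.1.2 255.255.255.240
ip address dmz4 10.10.40.1 255.255.255.0
global (outside) 1 1.1.1.3
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
static (dmz4,outside) Server5 10.10.40.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
"""

# The ACL from the solution post, with its PPTP-Public placeholder replaced
# by the thread's Server5 static (assumption for this example).
WITH_ACL = POSTED + """\
access-list acs-outside permit tcp any host Server5 eq pptp
access-list acs-outside permit gre any host Server5
access-group acs-outside in interface outside
"""

WITH_SYSOPT = POSTED + "sysopt connection permit-pptp\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with ACL", WITH_ACL),
                       ("with sysopt", WITH_SYSOPT)):
        print(label + ":", audit_pptp(cfg) or ["ok"])
```

Run as a script it prints the findings for each sample: the posted config is missing the inbound ACL and both permits, the ACL variant is clean, and the sysopt variant is reported as a note rather than a failure, since it works but (as the post above says) it lets PPTP through regardless of the access-lists.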
02-18-2005 09:33 AM
Thank you.
Adding the 'sysopt connection permit-pptp' did the trick. I may convert the PIX to Access lists soon so that example is helpful as well.
Justin Loucks