Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
5
Replies

Allowing PPTP connection outbound through a PIX

Go to solution
JUSTIN LOUCKS
Level 1
Level 1

‎02-16-2005 09:07 AM - edited ‎02-20-2020 11:58 PM

I am having problems getting one of my PIX firewalls to allow a PPTP connection from a machine on the inside network to a server on the outside. I have found and tried some of the things listed in the following document from the PIX examples.

http://www.cisco.com/warp/public/110/pix_pptp.pdf

My situation is slightly different in that although I am running 6.3 code but we are still using conduit statements. Can anyone tell me of what is necessary to make this work? I am doing PAT on the PIX. Also, there is a static statement for the machine on the inside that is trying to make the PPTP connection if that helps/makes a difference.

Any feedback on this would be greatly appreciated.

Justin Loucks

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
sachinraja
Level 9
Level 9

‎02-16-2005 09:19 AM

Hi Justin,

make sure you open tcp 1723 from inside to outside.. do u have any inside access list ?? conduits anyway dont matter, because the traffic is from inside to outside.. fixup protocol pptp 1723 is a very important command.. it wont normally work without this...

also make sure if the other end (where the server is hosted), allows traffic from outside to inside (either conduit or ACL) .. make sure you open 1723 tcp on the other end..

Raj

View solution in original post

0 Helpful

Go to solution
Patrick Iseli
Level 7
Level 7
In response to max.power

‎02-18-2005 08:01 AM

Do you still have problems ?

If yes the problem could be that GRE is dropped on the outside interface.

To test that use:

#sysopt will ignore the Acceess-lists and lets the protocol let trough:

sysopt connection permit-pptp

Access-list example:

# Access List for Dynamic VPN Users if the client connect from a fixed IP, then restrict the source IP.

access-list acs-outside permit tcp any host PPTP-Public eq pptp

access-list acs-outside permit gre any host PPTP-Public

access-group acs-outside in interface outside

View solution in original post

0 Helpful
5 Replies 5

Go to solution
sachinraja
Level 9
Level 9

‎02-16-2005 09:19 AM

Hi Justin,

make sure you open tcp 1723 from inside to outside.. do u have any inside access list ?? conduits anyway dont matter, because the traffic is from inside to outside.. fixup protocol pptp 1723 is a very important command.. it wont normally work without this...

also make sure if the other end (where the server is hosted), allows traffic from outside to inside (either conduit or ACL) .. make sure you open 1723 tcp on the other end..

Raj

0 Helpful

Go to solution
JUSTIN LOUCKS
Level 1
Level 1
In response to sachinraja

‎02-18-2005 06:21 AM

I did add the 'fixup protocol pptp 1723' line to my config after reading the Cisco doc. I still am not getting out. I have placed a machine in front of the firewall for a minute to make sure the PPTP server we are trying to connect to is setup correctly and I was able to connect so it is definately something with my PIX. I have no access lists in place on this firewall. Are you suggesting that I do need one to get out? Here is some info as to what I have in-place for the interfaces in question. The server I'm trying to get out is on DMZ4.

nameif ethernet0 outside security0

nameif ethernet4 dmz4 security40

fixup protocol pptp 1723

name 1.1.1.5 Server5

ip address outside 1.1.1.2 255.255.255.240

ip address dmz4 10.10.40.1 255.255.255.0

global (outside) 1 1.1.1.3

nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0

static (dmz4,outside) Server5 10.10.40.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

0 Helpful

Go to solution
max.power
Level 1
Level 1

‎02-17-2005 06:45 PM

you will probably also want this line in your config:

fixup protocol pptp 1723

0 Helpful

Go to solution
Patrick Iseli
Level 7
Level 7
In response to max.power

‎02-18-2005 08:01 AM

Do you still have problems ?

If yes the problem could be that GRE is dropped on the outside interface.

To test that use:

#sysopt will ignore the Acceess-lists and lets the protocol let trough:

sysopt connection permit-pptp

Access-list example:

# Access List for Dynamic VPN Users if the client connect from a fixed IP, then restrict the source IP.

access-list acs-outside permit tcp any host PPTP-Public eq pptp

access-list acs-outside permit gre any host PPTP-Public

access-group acs-outside in interface outside

0 Helpful

Go to solution
JUSTIN LOUCKS
Level 1
Level 1
In response to Patrick Iseli

‎02-18-2005 09:33 AM

Thank you.

Adding the 'sysopt connection permit-pptp' did the trick. I may convert the PIX to Access lists soon so that example is helpful as well.

Justin Loucks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card