
confusion on sample config for PPTP/GRE pass through on PIX

stevem
Level 1

PIX 506E, OS 6.1(4)

OK, I've tried a few different ways to allow my remote users to VPN in, and all I really want is to allow these users to get at my Win2k server and let that do the authentication. So I've been looking at the sample config from: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

I need to verify that the second example is what I need. If so, do the remote users have to have static IPs, or can I use a general ACL statement that allows all PPTP traffic through the PIX, with the users then being prompted for auth at my server? I know it may be one more hole in the firewall, but it is critical to allow these folks to VPN in. Any help is greatly appreciated.

3 Replies

gfullage
Cisco Employee

If the server is on the inside and the clients are on the outside, then the 2nd example is all you need. The server needs a static IP address entry, the clients don't need anything special other than to point to this static'd IP address for the connection.

The ACL on the PIX outside interface has to allow both GRE and TCP/1723 for it to work. Other than that, you should be good to go.

OK, I'm close to comprehension ;-) but a few more quickies.

1. For the ACL commands for the clients, would I enter gre and tcp "any" statements instead of an assigned IP address? So essentially it would look like this?

access-list acl-out permit gre any host 2X.XXX.84.2

access-list acl-out permit tcp any host 2X.XXX.84.2 eq 1723

static (inside,outside) 2X.XXX.84.2 10.1.0.1 netmask 255.255.255.255 0 0

access-group acl-out in interface outside

Correct. In general you won't know what the client IP addresses are going to be, so the ACL would say FROM any going TO your server. What you have looks correct.

Good luck with it.
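The thread boils down to three requirements on the PIX: a static for the PPTP server, an outside ACL that permits both GRE and TCP/1723 from any client to the static's global address, and that ACL applied inbound on the outside interface. The script below is an added example, not part of the original thread or a Cisco tool; it parses only the PIX 6.x command forms used above (static, access-list with host/any, access-group) and reports what is missing or wider than needed. The configs it checks are constructed samples using RFC 5737 documentation addresses in place of the poster's masked 2X.XXX.84.2, and the "inteface" typo case is included to show that a rejected access-group line leaves the ACL unbound, so nothing inbound is permitted at all.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configs (RFC 5737 addresses, not the poster's real ones).
GOOD_CONFIG = """
static (inside,outside) 203.0.113.2 10.1.0.1 netmask 255.255.255.255 0 0
access-list acl-out permit gre any host 203.0.113.2
access-list acl-out permit tcp any host 203.0.113.2 eq 1723
access-group acl-out in interface outside
"""

# Same rules, but with the typo from the thread; a real PIX rejects the
# misspelled command, so the ACL is never applied to the outside interface.
TYPO_CONFIG = GOOD_CONFIG.replace("interface", "inteface")

# Control channel permitted, GRE forgotten: TCP/1723 connects, tunnel never comes up.
NO_GRE_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines() if "gre" not in l)

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\w+)$")


@dataclass
class PixConfig:
    statics: dict = field(default_factory=dict)   # global ip -> local ip
    acls: dict = field(default_factory=dict)      # acl name -> [(action, proto, src, dst, port)]
    bindings: dict = field(default_factory=dict)  # interface -> (acl name, direction)


def parse_pix(text):
    """Pick out the static, access-list and access-group lines (hypothetical helper)."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        m = STATIC_RE.match(line)
        if m:
            _, _, glob, local = m.groups()
            cfg.statics[glob] = local
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, src, dst, port = m.groups()
            if port == "pptp":          # PIX accepts the port name as well as 1723
                port = "1723"
            cfg.acls.setdefault(name, []).append((action, proto, src, dst, port))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            cfg.bindings[iface] = (name, direction)
    return cfg


def check_pptp_passthrough(cfg, server_local_ip, outside="outside"):
    """Return findings; an empty list means the fragment meets the thread's requirements."""
    findings = []
    glob = next((g for g, l in cfg.statics.items() if l == server_local_ip), None)
    if glob is None:
        findings.append(f"no static translation for {server_local_ip}")
        return findings
    bound = cfg.bindings.get(outside)
    if bound is None or bound[1] != "in":
        findings.append(f"no ACL applied inbound on {outside}")
        return findings
    rules = cfg.acls.get(bound[0], [])

    def permitted(proto, port=None):
        return any(action == "permit" and p == proto
                   and dst in ("any", f"host {glob}")
                   and (port is None or pt == port)
                   for action, p, src, dst, pt in rules)

    if not permitted("gre"):
        findings.append(f"GRE not permitted to {glob}: TCP/1723 will connect but the tunnel never comes up")
    if not permitted("tcp", "1723"):
        findings.append(f"TCP/1723 not permitted to {glob}: clients cannot open the PPTP control channel")
    # The server needs exactly two permits; anything wider is the "extra hole" the poster worried about.
    for action, p, src, dst, pt in rules:
        if action == "permit" and (p == "ip" or dst == "any"):
            findings.append(f"over-broad rule: permit {p} {src} {dst}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("typo", TYPO_CONFIG), ("no-gre", NO_GRE_CONFIG)):
        print(label, check_pptp_passthrough(parse_pix(text), "10.1.0.1") or "OK")
```

Run it after pasting your own fragment into GOOD_CONFIG; the local address argument is the server's inside IP (10.1.0.1 in the thread), and the checker finds the matching global address from the static itself so you do not have to repeat it.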
