For PPTP PIX 515 won't support NAPT only support NAT or Static Mapping

snguyen
Level 1

I am using PIX515 version 6.1.1:

From the inside interface of a remote office, we would like to connect to our main office by using PPTP:

Problem: we have very limited public IP addresses. Each workstation from the inside remote office that wants to make a PPTP connection with the main office needs to have a NAT (pool of IP addresses) or a static IP address. This problem occurs when we install the PIX515; without the PIX515, the router 2600 works fine with all inside users using PPTP and using one NAPT IP address at the router.

2 Replies

mkaneko
Cisco Employee

Can you provide us a configuration of the PIX and any debug level log to show the PIX is blocking the pptp traffic?

Thanks

Thank you for your help.

I opened the case with Cisco TAC, and the TAC engineer confirmed with me that the current PIX 6.1.1 firewall will not support NAPT for PPTP; it only supports NAT or static mapping.

I did have gre, esp and ip any wide open.

Sorry, I do not have the debug with me, since this router is at the India remote location and it is very difficult for me to duplicate. Thanks again.

access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 22
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq 143
access-list outside_access_in permit tcp any any eq h323
access-list outside_access_in permit udp any any eq 1645
access-list outside_access_in permit udp any any eq 1646
access-list outside_access_in permit udp any any eq 1812
access-list outside_access_in permit udp any any eq 1813
access-list outside_access_in permit udp any any eq 7000
access-list outside_access_in permit udp any any eq 7001
access-list outside_access_in permit tcp host RouterSerial 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp host RouterSerial 203.200.56.0 255.255.255.0
access-list outside_access_in permit tcp Gric-Ind-Puplic 255.255.255.224 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp Gric-Ind-Puplic 255.255.255.224 any
access-list outside_access_in permit icmp Gric-Ind-Puplic 255.255.255.224 any
access-list outside_access_in permit icmp Gric-Ind-Puplic 255.255.255.224 any echo-reply
access-list outside_access_in permit tcp Milpitas-149 255.255.255.224 any
access-list outside_access_in permit udp Milpitas-149 255.255.255.224 any
access-list outside_access_in permit tcp Milpitas-127 255.255.255.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp Milpitas-127 255.255.255.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit tcp Milpitas-139 255.255.255.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp Milpitas-139 255.255.255.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit tcp Milpitas-192-207 255.255.240.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp Milpitas-192-207 255.255.240.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit gre Milpitas-192-207 255.255.240.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit esp Milpitas-192-207 255.255.240.0 203.200.56.0 255.255.255.0
access-list outside_access_in permit tcp host Sammy 203.200.56.0 255.255.255.0
access-list outside_access_in permit udp host Sammy 203.200.56.0 255.255.255.0
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_access_in permit esp any any
access-list inside_access_in permit icmp any Gric-Ind-Puplic 255.255.255.224
