12-04-2007 11:16 AM - edited 03-11-2019 04:38 AM
I'm sure this is standard stuff, but I can't figure it out. I want to allow MS VPN connections initiated from inside to get out a PIX 501. Any help?
12-04-2007 12:07 PM
You need to allow the IPsec VPN ports through the firewall: UDP 500, UDP 4500 and protocol ESP.
e.g.
access-list inside permit udp any any eq 500
access-list inside permit udp any any eq 4500
access-list inside permit esp any any
access-group inside in interface inside
HTH
Jorge
rate any helpful post if it does!
12-04-2007 12:14 PM
Thanks Jorge,
Does this apply if it's only a PPTP connection?
12-04-2007 12:37 PM
This is only for the Cisco VPN client; for PPTP use the info and link posted by others in this thread.
Jorge
12-04-2007 12:12 PM
1) use Pix OS code 6.3(5),
2) fixup pptp protocol 1723
It will work after that.
12-04-2007 12:26 PM
http://www.cisco.com/warp/public/110/pix_pptp.html
(it pretty much says the same thing kevinjones says)
12-04-2007 12:42 PM
Kevin,
That did the trick, thanks.
Would I still need these ACL statements I tried earlier?
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq pptp
Thanks again,
12-04-2007 04:47 PM
You do NOT need to allow anything on the outside interface. In fact, you can even do this:
access-list ccie_security deny ip any any log
access-group ccie_security in interface outside
Your PPTP still works after that because the connection is initiated from the inside interface.
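The behaviour described above (inside-initiated PPTP keeps working with a deny-all ACL on outside, but the GRE tunnel only comes back if the pptp fixup opens a pinhole for it), as an added toy model in Python; this is not PIX code or anything posted in this thread, and the addresses, the pinhole logic and the flow table are constructed assumptions standing in for the PIX's stateful inspection:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp", "gre", "esp"
    sport: int = 0
    dport: int = 0
    ingress: str = "inside"  # interface the packet arrives on


@dataclass
class StatefulFirewall:
    """Toy PIX-like firewall: outbound permitted, inbound only if it matches a
    known flow or an inspection pinhole, else 'deny ip any any log' on outside."""
    pptp_fixup: bool = False
    flows: set = field(default_factory=set)         # (src, sport, dst, dport, proto)
    gre_pinholes: set = field(default_factory=set)  # (inside_host, outside_host)
    log: list = field(default_factory=list)

    def forward(self, p: Packet) -> bool:
        if p.ingress == "inside":
            # Outbound: permit and remember the flow so replies can come back.
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            if self.pptp_fixup and p.proto == "tcp" and p.dport == 1723:
                # 'fixup protocol pptp 1723' (modelled): a PPTP control session
                # implies a GRE tunnel between the same hosts, so open a pinhole.
                self.gre_pinholes.add((p.src, p.dst))
            return True
        # Inbound on outside: is it the reply half of a known flow?
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return True
        # GRE has no ports, so only the fixup's pinhole can admit it.
        if p.proto == "gre" and (p.dst, p.src) in self.gre_pinholes:
            return True
        self.log.append(f"deny {p.proto} {p.src} -> {p.dst}")  # outside ACL hit
        return False


def pptp_session(fixup: bool) -> dict:
    """Run an inside-initiated PPTP session through the model and report verdicts."""
    fw = StatefulFirewall(pptp_fixup=fixup)
    client, server = "10.1.1.5", "203.0.113.10"  # constructed addresses
    fw.forward(Packet(client, server, "tcp", 40000, 1723))  # control channel out
    return {
        "control_reply": fw.forward(Packet(server, client, "tcp", 1723, 40000, "outside")),
        "gre_return": fw.forward(Packet(server, client, "gre", ingress="outside")),
        "unsolicited": fw.forward(Packet("198.51.100.7", client, "tcp", 5555, 1723, "outside")),
        "denied_logged": len(fw.log),
    }
```

Calling `pptp_session(False)` and `pptp_session(True)` shows the TCP 1723 reply and the unsolicited inbound verdicts are the same either way; only the GRE return packet depends on the fixup.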
12-04-2007 05:16 PM
Didn't think so, but I was grasping at anything.
Thanks for helping.