
PIX 4.2(3) vs. PPTP

don.williams
Level 1

PIX 520 Version 4.2(3). I would like to have anyone on the inside establish a Microsoft PPTP client based VPN connection to outside devices through the firewall. What configuration commands are required? Thanks.

Don Williams

3 Replies

lisa.hall
Level 2

By default, the PIX is everything out, nothing in so your users should be able to connect outbound with PPTP. If it’s not working, check your PIX for access lists blocking traffic and make sure your users are picking up a valid IP address (not Port Address Translation). If your global pool has a single address, PPTP won’t work until you get more valid IP addresses.

Thank you! Please answer one more: If I set up additional "real addresses" say 4 of them; does that mean that only 4 people can access the Internet through the firewall at one time? By that I mean is there a one to one correlation between the number of connections out and the number of "global" addresses? Thanks!

Don Williams

Once an “internal” host has been given an address from the global pool, it’s his until he quits using it and then it times out (timeout xlate nn:nn:nn). So if everyone is doing PPTP, you need enough addresses for everyone. If only a few users are allowed PPTP, don’t dynamically assign them a global address. Instead, set static translations for them (make sure their machine is not using DHCP or that their DHCP lease never expires). Then everyone NOT using PPTP will grab your global (PAT) address and anyone using PPTP will be able to as long as the static is assigned.
