PPTP/GRE Over PIX

ciscoforum
Level 1

Is anybody familiar with PPTP/GRE?

Here is my scenario:

NT 4 -- inside - PIX - outside -- internet -- PC

The NT 4 box has the PPTP server (the MS built-in one) running inside the PIX. PCs on the internet are able to establish the GRE tunnel. We allow the PPTP port and the GRE protocol through the PIX from any to the PPTP server. However, if we put a PC directly on the PIX outside network and try to establish the GRE tunnel, it just does not work. The PIX configuration definitely has an ACL that allows this PC to establish PPTP/GRE with the server.

Here is the troubleshooting I did:

1. Pinging the public address of the NT 4 works.

2. Telnet to the public address on port 1723 works.

But GRE can't be established.

Since the PC is on the same subnet as the PIX outside address and the NT 4 public address, and the tunnel target address in the PC's PPTP client configuration is the NT 4 public address, I am wondering whether the firewall thinks they are on the same network and does not want to establish the GRE tunnel at all?

Thanks

1 Reply

gfullage
Cisco Employee

No, it shouldn't be thinking that. The PIX will grab any packets destined for the PPTP server's address and forward them on inside, assuming it has the correct static set up for it. For a sanity check, you would need the following config for this to work (in the example the actual server address is 10.1.1.1 and the global address that outside users connect to is 1.1.1.1):

static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list inbound permit gre any host 1.1.1.1

access-list inbound permit tcp any host 1.1.1.1 eq 1723

access-group inbound in interface outside

You can't use a port static or anything like that because GRE doesn't have a port; it HAS TO BE a one-to-one static like the one shown above.
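The reply above boils down to three conditions: a one-to-one static for the global address (a port static cannot carry GRE because GRE has no port), an ACL that permits both protocol gre and tcp/1723 to that host, and that ACL bound inbound on the outside interface. The checker below is an added example, not code from the original thread or from Cisco: it parses PIX 6.x-style config text of exactly the shapes shown in the reply (the regular expressions cover only those forms) and reports which of the three conditions fail. The config fragments it runs on are constructed for the example; the function name check_pptp_passthrough and the default interface name "outside" are assumptions.

```python
import re
from typing import List

# --- Regexes for the PIX 6.x command forms used in the reply (assumed syntax) ---
ONE_TO_ONE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\) (?P<glob>[\d.]+) (?P<real>[\d.]+)"
    r" netmask 255\.255\.255\.255"
)
PORT_STATIC = re.compile(
    r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\) (?P<proto>tcp|udp) (?P<glob>[\d.]+)"
    r" (?P<gport>\S+) (?P<real>[\d.]+) (?P<rport>\S+)"
)
ACL = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\w+) (?P<src>.+?) host (?P<dst>[\d.]+)"
    r"(?: eq (?P<port>\S+))?$"
)
ACCESS_GROUP = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


def check_pptp_passthrough(config: str, global_ip: str, outside: str = "outside") -> List[str]:
    """Return a list of problems (empty list == PPTP/GRE passthrough should work)."""
    problems: List[str] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # 1. A one-to-one static must map the global address on the outside interface.
    statics = [m for m in map(ONE_TO_ONE.match, lines)
               if m and m["glob"] == global_ip and m["map_if"] == outside]
    port_statics = [m for m in map(PORT_STATIC.match, lines) if m and m["glob"] == global_ip]
    if not statics:
        if port_statics:
            ports = ", ".join(f"{m['proto']}/{m['gport']}" for m in port_statics)
            problems.append(f"{global_ip}: only a port static ({ports}); GRE has no port, "
                            "so a one-to-one static is required")
        else:
            problems.append(f"{global_ip}: no one-to-one static (inside,{outside}) found")

    # 2. Some ACL must be bound inbound on the outside interface.
    bound = {m["name"] for m in map(ACCESS_GROUP.match, lines) if m and m["iface"] == outside}
    if not bound:
        problems.append(f"no access-list bound inbound on interface {outside}")

    # 3. That ACL must permit gre and tcp/1723 to the global address.
    entries = [m for m in map(ACL.match, lines)
               if m and m["dst"] == global_ip and m["name"] in bound]
    if not any(m["proto"] == "gre" for m in entries):
        problems.append(f"{global_ip}: no 'permit gre' entry in the ACL bound to {outside}")
    if not any(m["proto"] == "tcp" and m["port"] in ("1723", "pptp") for m in entries):
        problems.append(f"{global_ip}: no 'permit tcp ... eq 1723' entry in the ACL bound to {outside}")
    return problems


# --- Constructed sample configs (not taken from the poster's firewall) ---
GOOD_CONFIG = """\
static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list inbound permit gre any host 1.1.1.1
access-list inbound permit tcp any host 1.1.1.1 eq 1723
access-group inbound in interface outside
"""

# Port static for 1723 only: telnet to 1723 works, but GRE cannot be mapped.
PORT_STATIC_CONFIG = """\
static (inside,outside) tcp 1.1.1.1 1723 10.1.1.1 1723 netmask 255.255.255.255
access-list inbound permit gre any host 1.1.1.1
access-list inbound permit tcp any host 1.1.1.1 eq 1723
access-group inbound in interface outside
"""

# Correct static, but the ACL forgets protocol gre: same symptom (1723 opens, tunnel fails).
NO_GRE_CONFIG = """\
static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list inbound permit tcp any host 1.1.1.1 eq 1723
access-group inbound in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("port-static", PORT_STATIC_CONFIG),
                       ("no-gre", NO_GRE_CONFIG)):
        print(label, check_pptp_passthrough(cfg, "1.1.1.1") or "OK")
```

Both failing configs reproduce the symptom in the question (TCP 1723 reachable, GRE never comes up), which is why a port-1723 telnet test alone cannot tell them apart from a working setup.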
