09-28-2005 06:42 AM - edited 02-21-2020 12:25 AM
I am trying to allow an internal user to access an external PPTP server thru our PIX 6.3(4). I added the needed fixup protocol "fixup protocol pptp 1723". I am allowing the needed protocols thru and back in (currently testing with "allow ip" for specific hosts). I even tried using a 1-to-1 NAT for the internal host to no avail.
Currently, the user attempts login, registers on network, and after about a minute the following msg comes back:
"Error 734: The PPP Link control protocol was terminated"
09-28-2005 06:57 AM
You need, as already mentioned, the
Try to enable PPTP globally by using:
sysopt connection permit-ipsec
# Allow PPTP traffic to bypass conduit or access-list command statement checking.
Reset the translation table after that:
clear xlate
sincerely
Patrick
09-28-2005 10:40 AM
Thanks for the quick reply. I still have a couple of questions.
1) Should I use the command sysopt connection permit-pptp instead?
2) Would this be the only way to get it to work? Bypassing the normal conduits/ACLs globally seems to be a 'last resort' method. Would not my current ACLs allowing all ip (in and out) to the hosts suffice?
Thanks,
David
09-28-2005 11:50 AM
David,
1.) Of course I meant < sysopt connection permit-pptp >, sorry about that. I dragged and dropped the wrong line.
2.) No, you should just be sure that the protocols GRE and PPTP = TCP 1723 are able to connect to the outside world.
The < sysopt connection permit-pptp > could be used to check if it is just an access-list problem.
sincerely
Patrick
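The requirements named in this thread (the PPTP fixup, ACL entries for TCP 1723 and GRE, and the global sysopt bypass) can be checked against a saved config, as in this added example, which is not part of any post here. The sample config, ACL name and addresses are constructed, and the script only checks that the lines exist, not which interface an ACL is bound to.

```python
import re

# Constructed sample config; the ACL name and addresses are made up for illustration.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
access-list inside_out permit tcp host 10.1.1.5 host 203.0.113.10 eq 1723
access-list inside_out permit gre host 10.1.1.5 host 203.0.113.10
sysopt connection permit-pptp
"""

PERMIT = r"access-list \S+ permit "

def audit_pptp(config: str) -> dict:
    """Report which PPTP pass-through prerequisites a PIX 6.x config contains."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # A "permit ip" entry (like the test ACLs described in the thread)
    # covers both the TCP control channel and the GRE tunnel.
    permit_ip = any(re.match(PERMIT + r"ip\s", ln) for ln in lines)
    return {
        "fixup_pptp": "fixup protocol pptp 1723" in lines,
        # Assumption: the port may be written as 1723 or as the literal "pptp".
        "tcp_1723": permit_ip or any(
            re.match(PERMIT + r"tcp\s.*\beq (1723|pptp)\b", ln) for ln in lines),
        "gre": permit_ip or any(re.match(PERMIT + r"gre\s", ln) for ln in lines),
        # Exact match, so a negated "no sysopt ..." line is not counted.
        "global_bypass": "sysopt connection permit-pptp" in lines,
    }

def warnings(findings: dict) -> list:
    """Turn the findings into human-readable warnings."""
    out = []
    if not findings["fixup_pptp"]:
        out.append("missing: fixup protocol pptp 1723")
    if not findings["tcp_1723"]:
        out.append("no ACL entry permits TCP 1723 (PPTP control)")
    if not findings["gre"]:
        out.append("no ACL entry permits GRE (PPTP data)")
    if findings["global_bypass"]:
        out.append("sysopt connection permit-pptp is set: PPTP bypasses "
                   "ACL checks; use only as a diagnostic")
    return out

if __name__ == "__main__":
    for w in warnings(audit_pptp(SAMPLE_CONFIG)):
        print(w)
```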
09-28-2005 09:39 PM
David,
Here's the documentation on how to allow PPTP traffic thru the PIX:
Hope this helps,
Jay