Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3921
Views
0
Helpful
4
Replies

Rules needed for outbound PPTP connection?

Go to solution
cooperben
Level 1
Level 1

‎02-02-2010 11:34 AM - edited ‎03-11-2019 10:04 AM

I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.

When I try to connect using the WinXP built-in client, everytning goes well until "Verifying username & password..."  After that, the connection times out.  Does something need to be allowed through in my external ACL on my PIX to allow this authentication?  Currently, the ACL only allows ICMP unreachables.  I was under rthe impression that PPTP didn't require anything special on my end for a connection originating inside the firewall.  I know it is not a problem with the client;s site, because I can connect no problem uysing a Sprint Air Card from my laptop, with the Windows Firewall of course On.

Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to cooperben

‎02-02-2010 01:14 PM 

cooperben wrote:
Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.
Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

Apologies, GRE is for the data but you haven't got that far.

There are 2 ways to allow PPTP from inside to outside with ASA v7.x/8.x

1) allow GRE in acl and use a static NAT for the inside host

or

2) turn on PPTP inspection, in which case you don't need the GRE explicitly allowed.

Have a look at this link which covers both ways with config details -

ASA PPTP

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-02-2010 12:50 PM 

cooperben wrote:
I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.
When I try to connect using the WinXP built-in client, everytning goes well until "Verifying username & password..."  After that, the connection times out.  Does something need to be allowed through in my external ACL on my PIX to allow this authentication?  Currently, the ACL only allows ICMP unreachables.  I was under rthe impression that PPTP didn't require anything special on my end for a connection originating inside the firewall.  I know it is not a problem with the client;s site, because I can connect no problem uysing a Sprint Air Card from my laptop, with the Windows Firewall of course On. 
Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

PPTP uses TCP port 1723 so you don't need to allow this back in as it will be automatically allowed back in.

However with PPTP vpn connections you also need to allow GRE and GRE is not stateful so you will need to explicitly allow it back in on your outside acl.

Jon

0 Helpful

Go to solution
cooperben
Level 1
Level 1
In response to Jon Marshall

‎02-02-2010 01:01 PM

Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.

Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to cooperben

‎02-02-2010 01:14 PM 

cooperben wrote:
Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.
Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

Apologies, GRE is for the data but you haven't got that far.

There are 2 ways to allow PPTP from inside to outside with ASA v7.x/8.x

1) allow GRE in acl and use a static NAT for the inside host

or

2) turn on PPTP inspection, in which case you don't need the GRE explicitly allowed.

Have a look at this link which covers both ways with config details -

ASA PPTP

Jon

0 Helpful

Go to solution
cooperben
Level 1
Level 1
In response to Jon Marshall

‎02-02-2010 01:33 PM

Jon,

Just adding the GRE command by itself didn't work, but once I added the 'fixup protocol pptp 1723' command, I was able to connect.

Thanks for your help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card