07-08-2003 05:14 AM - edited 03-09-2019 03:56 AM
When entering the commands to open the proper ports for PPTP VPN (1723 & 47/GRE) through the PDM on my pix 506E the gre defaults to a different IP address with a /30 attached to it. Could this be the reason why I cannot tunnel in from remote sites? If so how do I make the pix accept the proper IP address?
access-list internet permit tcp any host 2x.xxx.84.2 eq smtp
access-list internet permit tcp any host 2x.xxx.84.2 eq 1494
access-list internet permit tcp any host 2x.xxx.84.2 eq 1604
access-list internet permit udp any host 2x.xxx.84.2 eq 1604
access-list internet permit tcp any host 2x.xxx.84.2 eq 1723
access-list internet permit gre any 2x.xxx.84.0 255.255.255.252 <--defaults to
07-08-2003 10:46 PM
What do you mean "the gre defaults to a different IP address with a /30 attached to it"? Exactly what command are you entering? Can you cut/paste your command entry and the resulting configuration of the PIX (just a "sho access-list" will suffice) so we can see what's going on? What version of PIX code is this?
Are you sure you're not missing the "host" keyword in front of the IP address in the ACL (although I still don't see why it would do this)?
07-09-2003 07:11 AM
Ahhh, my bad. Was just an issue with using the PDM that it would default to a .0 after selecting GRE in the drop down box.
None of this may make sense but I think I've figured that out.
Still unable to log in via PPTP. Getting error 721 at remote desk.
Anyone familiar with this issue? I posted my config in an earlier discussion and was told it was OK, so not sure where to go from here.
07-09-2003 03:48 PM
721 is, I think, that the PPTP server cannot be found or you got no response. I haven't seen your earlier config, but with this access-list you have defined you will need a corresponding static command, so make sure you have something like:
> static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
where x.x.x.x is the outside IP address that the PPTP clients are connecting to (this is also the address defined in your access-list), and y.y.y.y is the actual inside address of the PPTP server.
Other than that, add an access-list allowing ICMP through and can you then ping the server from the client, just to verify connectivity.
07-10-2003 06:23 AM
Will do re the ping.
Here are my static routes. Do I need to add one for GRE (port 47) or just for port 1723 (pptp)?
static (inside,outside) tcp 2x.xxx.84.2 smtp 10.1.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 2x.xxx.84.2 1494 10.1.0.2 1494 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2x.xxx.84.2 1604 10.1.0.2 1604 netmask 255.255.255.255 0 0
static (inside,outside) udp 2x.xxx.84.2 1604 10.1.0.2 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 10.1.0.1 1723 netmask 255.255.255.255 0 0
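The question the last post raises (does a port static cover GRE?) is mechanical enough to check automatically. The script below is an added illustration for this thread, not Cisco code: it parses PIX 6.x `access-list permit` and `static` lines, and for every inbound permit looks for a static that can actually carry that traffic. A port static (`static ... tcp/udp`) translates one TCP or UDP port; GRE is IP protocol 47 and has no port, so only a one-to-one `static` for the host can translate it. The two sample configs are constructed from the lines posted above with the public address replaced by TEST-NET placeholders (203.0.113.x); the `OUTSIDE_IF_IP` value used to resolve the `interface` keyword is an assumption, as is the "fixed" layout, which puts a one-to-one static on the PPTP server's address (the port statics to 10.1.0.2 that share that address in the original post would then need their own global address).

```python
"""
Audit a PIX 6.x config: every inbound access-list permit needs a static that
can carry that traffic.  Port statics (PAT) cover one TCP/UDP port; GRE
(IP protocol 47) has no port and needs a one-to-one static for the host.
Added illustration for the thread, not Cisco code.  Sample configs are
constructed from the posted lines with TEST-NET placeholder addresses.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Assumption: the "interface" keyword in a static resolves to this outside address.
OUTSIDE_IF_IP = "203.0.113.2"

# A few named ports the PIX accepts in place of numbers.
PORT_NAMES = {"smtp": "25", "www": "80", "pptp": "1723"}

# Constructed: the ACL and statics as posted, with the PDM-generated /30 GRE line.
BROKEN_CONFIG = """
access-list internet permit tcp any host 203.0.113.2 eq smtp
access-list internet permit tcp any host 203.0.113.2 eq 1723
access-list internet permit gre any 203.0.113.0 255.255.255.252
static (inside,outside) tcp 203.0.113.2 smtp 10.1.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 10.1.0.1 1723 netmask 255.255.255.255 0 0
"""

# Constructed: one-to-one static for the PPTP server, host-scoped GRE permit.
FIXED_CONFIG = """
access-list internet permit tcp any host 203.0.113.2 eq smtp
access-list internet permit tcp any host 203.0.113.2 eq 1723
access-list internet permit gre any host 203.0.113.2
static (inside,outside) 203.0.113.2 10.1.0.1 netmask 255.255.255.255 0 0
"""


class Permit(NamedTuple):
    proto: str
    dst: ipaddress.IPv4Network
    port: Optional[str]


class Static(NamedTuple):
    proto: Optional[str]        # None means a one-to-one static (all protocols)
    global_ip: str
    global_port: Optional[str]
    local_ip: str


def _port(token: Optional[str]) -> Optional[str]:
    return None if token is None else PORT_NAMES.get(token, token)


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A', or 'A MASK'; return (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Tuple[List[Permit], List[Static]]:
    permits, statics = [], []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            proto = t[3]
            _, i = _take_addr(t, 4)          # source is not needed for this check
            dst, i = _take_addr(t, i)
            port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            permits.append(Permit(proto, dst, port))
        elif t[0] == "static":
            if t[2] in ("tcp", "udp"):       # port static: proto gip gport lip lport
                gip = OUTSIDE_IF_IP if t[3] == "interface" else t[3]
                statics.append(Static(t[2], gip, _port(t[4]), t[5]))
            else:                            # one-to-one static: gip lip
                statics.append(Static(None, t[2], None, t[3]))
    return permits, statics


def audit(text: str) -> List[str]:
    """Return one finding per permit that no static is able to carry."""
    permits, statics = parse_config(text)
    findings = []
    for p in permits:
        covering = [s for s in statics if ipaddress.ip_address(s.global_ip) in p.dst]
        ok = any(s.proto is None for s in covering)
        if not ok and p.proto in ("tcp", "udp") and p.port:
            ok = any(s.proto == p.proto and s.global_port == p.port for s in covering)
        if not ok:
            where = f"{p.proto} to {p.dst}" + (f" port {p.port}" if p.port else "")
            hint = (" (GRE has no port: needs a one-to-one static for the host)"
                    if p.proto == "gre" else "")
            findings.append(f"no static covers {where}{hint}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit(cfg) or "all permits covered")
```

Run against the broken config the audit reports only the GRE permit as uncovered, which is exactly what would leave a PPTP client stuck after the TCP 1723 control connection: the port statics translate 1723 but nothing translates the GRE data channel. The fixed config passes because the one-to-one static covers every protocol to that host.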