Access to outside for PPTP-users on PIX

grischast
Level 1

Dear all

I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside. This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.

What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by same-security-traffic permit intra-interface and corresponding nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.

Is it possible somehow?

Thanks a lot for any suggestion,

Grischa

Accepted Solutions

Jon Marshall
Hall of Fame

Grischa

Unfortunately no, you cannot do this on the PIX 506 running v6.x. The reason is that the feature you need is called "hairpinning", which is enabled by using the "same-security-traffic permit intra-interface" command. But this is not available on PIX v6.x code.

It is available on PIX v7.x code and onwards, but unfortunately the PIX 506 cannot be upgraded to v7.x code. The minimum PIX model that can run v7.x code is a PIX 515E.

Jon

Hi Jon

Thank you for the quick answer. Now I know that I must not think about this anymore. ;)

Grischa