cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1100
Views
0
Helpful
2
Replies

Access to outside for PPTP-users on PIX

grischast
Level 1
Level 1

Dear all  I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside.  This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.  What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by    same-security-traffic permit intra-interface and corresponding    nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.  Is it possible somehow?  Thanks a lot for any suggestion,  Grischa

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

grischast wrote:

Dear all  I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside.  This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.  What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by    same-security-traffic permit intra-interface and corresponding    nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.  Is it possible somehow?  Thanks a lot for any suggestion,  Grischa

Grischa

Unfortunately no, you cannot do this on the pix 506 running v6.x. The reason is because the feature you need is called "hairpinning" which is enabled by using the "same-security-traffic permit intra-interface" command. But this is not available on pix v.6.x code.

It is available on pix v7.x code and onwards but unfortunately the pix 506 cannot be upgraded to v7.x code. The minimum pix model that can run v7.x code is a pix 515E.

Jon

View solution in original post

2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

grischast wrote:

Dear all  I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside.  This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.  What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by    same-security-traffic permit intra-interface and corresponding    nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.  Is it possible somehow?  Thanks a lot for any suggestion,  Grischa

Grischa

Unfortunately no, you cannot do this on the pix 506 running v6.x. The reason is because the feature you need is called "hairpinning" which is enabled by using the "same-security-traffic permit intra-interface" command. But this is not available on pix v.6.x code.

It is available on pix v7.x code and onwards but unfortunately the pix 506 cannot be upgraded to v7.x code. The minimum pix model that can run v7.x code is a pix 515E.

Jon

Hi Jon

Thank you for the quick answer. Now I know that I must not think about this anymore.;)

Grischa