
Directing VPN traffic through pix to RAS

khotaling
Level 1

I am currently using Windows remote access server to manage VPN connections, and want to continue to do so for the time being. My config for VPN is as follows:

access-list outside permit tcp any any eq pptp

static (inside, outside) tcp 24.97.9.11 pptp 192.168.5.10 pptp

It gets through and begins to authenticate, but then stops and times out. Can someone tell me what else needs to be done to allow VPN using Microsoft RAS?

2 Replies

gfullage
Cisco Employee

PPTP uses two protocols, TCP/1723 and GRE. GRE is not a TCP/UDP-based protocol; it sits right on top of IP, so you can't just create a port static like you have. It has to be a one-to-one static, so you'll need a second valid IP address for this to work. If 24.97.9.11 is not used for anything else then you can use it, and your config will look like:

access-list outside permit tcp any host 24.97.9.11 eq pptp

access-list outside permit gre any host 24.97.9.11

static (inside, outside) 24.97.9.11 192.168.5.10

If at all possible I don't want to do it using a 1-1 static.

I tried the following:

fixup protocol pptp 1723

access-list ethernet0 permit tcp any any eq pptp

access-list ethernet0 permit gre any any

static (inside, outside) tcp 24.97.9.11 pptp 192.168.5.10 pptp

This setup gets me connected. Sometimes it takes 2 or 3 tries to connect, but it works and is fully functional as far as I can tell.

Has anyone tried this? Has it worked well for you, or did you have to change it to a 1-1 for some reason?
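
The point in gfullage's reply, that GRE sits directly on IP and has no ports for a port static to match, shown on two constructed packets. This is an added example, not code from any poster or from Cisco; `port_static_matches` and `one_to_one_static_matches` are hypothetical, simplified models of the two `static` forms in the thread, and the client address and Call ID are made-up sample values.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
OUTSIDE_IP, PPTP_PORT = "24.97.9.11", 1723   # address and port from the thread
CLIENT_IP = "198.51.100.7"                    # constructed sample client

def ipv4(proto, payload):
    """Build a minimal IPv4 packet from CLIENT_IP to OUTSIDE_IP (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(CLIENT_IP),
                      socket.inet_aton(OUTSIDE_IP))
    return hdr + payload

# Constructed samples: PPTP control SYN (TCP/1723) and one enhanced-GRE data packet.
TCP_CONTROL = ipv4(IPPROTO_TCP, struct.pack("!HHIIHHHH", 40000, PPTP_PORT,
                                            0, 0, 0x5002, 8192, 0, 0))
GRE_DATA = ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 7, 1))

def describe(pkt):
    """Return (ip_protocol, dst_ip, tcp_dst_port or None, gre_call_id or None)."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # IP protocol number
    dst = socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    if proto == IPPROTO_TCP:
        return proto, dst, struct.unpack("!H", l4[2:4])[0], None
    if proto == IPPROTO_GRE:
        # Enhanced GRE (RFC 2637): flags/version, protocol type, payload length, Call ID.
        _flags, ptype, _plen, call_id = struct.unpack("!HHHH", l4[:8])
        return proto, dst, None, call_id if ptype == 0x880B else None
    return proto, dst, None, None

def port_static_matches(pkt):
    """Model of 'static (inside, outside) tcp <ip> pptp ...': TCP to ip:1723 only."""
    proto, dst, dport, _ = describe(pkt)
    return proto == IPPROTO_TCP and dst == OUTSIDE_IP and dport == PPTP_PORT

def one_to_one_static_matches(pkt):
    """Model of 'static (inside, outside) <ip> <ip>': any IP protocol to the address."""
    return describe(pkt)[1] == OUTSIDE_IP

if __name__ == "__main__":
    for name, pkt in (("TCP/1723 control", TCP_CONTROL), ("GRE data", GRE_DATA)):
        print(name, describe(pkt), "port static:", port_static_matches(pkt),
              "one-to-one static:", one_to_one_static_matches(pkt))
```

The GRE packet carries a Call ID where TCP would carry ports, so the control connection matches the port static while the tunnel data does not.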