PIX Design Limitation - PPTP to IPSEC routing on the same Interface

lmotzo · ‎07-21-2005

I have problem with the PIX 515(6.3.4) that does allow access using Microsoft VPN/PPTP to the outside Interface but does not allow to further access any outbound VPN/IPSEC tunnel on the same interface. I can ping all on the local networks on the Inside Interface. The most interesting - when I connect locally using VPN/PPTP to the inside interface it is all working.

Is there any pix design limitation that does not allow routing between a PPTP terminating at the outside interface to use IPSEC tunnel starting at the outside interface ? Which command can I used to work arround. I already tested all permit, static, and nat 0 combinations without success.

j.contreras · ‎07-22-2005

Hi,

By design in PIX 6.3(x) and older versions, there is a simple rule: "no traffic entering a interface is allowed to come back on the same interface". In other words, ALL traffic has to traverse the PIX in order to be sent. (related to security levels)

So, if you get into the PIX using the outside interface, you can only come out on another (i.e. inside) so no way (AFAIK) to go out towards your IPSec tunnel.

This behaviour avoids some attacks based on L2 tricks (replacing macs, etc)

In PIX 7.0 there is a command to allow communication between interfaces with the same security level, http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnsysop.htm#wp1042114

It may apply to your case, altough I have not tested in your particular problem.

Regards

lmotzo · ‎07-25-2005

Thanks a lot for your simple but effective effective remarks. It helped to stop wasting time to find a non existing workarround. However I just learnd that pix 7.0.x does not support PPTP anymore. I wounder if you also have any information how to convert a XP VPN/PPTP dialup to L2TP/IPSec. The new SASDM interface is nice but does only support Cisco VPN Clients. I like to avoid to popolate all XP's with the Cisco client. There miust be a way to use. XP VP client.