Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
4
Helpful
2
Replies

PIX Design Limitation - PPTP to IPSEC routing on the same Interface

lmotzo
Level 1
Level 1

‎07-21-2005 05:47 AM - edited ‎02-21-2020 01:52 PM

I have problem with the PIX 515(6.3.4) that does allow access using Microsoft VPN/PPTP to the outside Interface but does not allow to further access any outbound VPN/IPSEC tunnel on the same interface. I can ping all on the local networks on the Inside Interface. The most interesting - when I connect locally using VPN/PPTP to the inside interface it is all working.

Is there any pix design limitation that does not allow routing between a PPTP terminating at the outside interface to use IPSEC tunnel starting at the outside interface ? Which command can I used to work arround. I already tested all permit, static, and nat 0 combinations without success.

Labels:
0 Helpful
2 Replies 2

j.contreras
Level 1
Level 1

‎07-22-2005 01:39 AM

Hi,

By design in PIX 6.3(x) and older versions, there is a simple rule: "no traffic entering a interface is allowed to come back on the same interface". In other words, ALL traffic has to traverse the PIX in order to be sent. (related to security levels)

So, if you get into the PIX using the outside interface, you can only come out on another (i.e. inside) so no way (AFAIK) to go out towards your IPSec tunnel.

This behaviour avoids some attacks based on L2 tricks (replacing macs, etc)

In PIX 7.0 there is a command to allow communication between interfaces with the same security level, http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnsysop.htm#wp1042114

It may apply to your case, altough I have not tested in your particular problem.

Regards

lmotzo
Level 1
Level 1

‎07-25-2005 05:52 AM

Thanks a lot for your simple but effective effective remarks. It helped to stop wasting time to find a non existing workarround. However I just learnd that pix 7.0.x does not support PPTP anymore. I wounder if you also have any information how to convert a XP VPN/PPTP dialup to L2TP/IPSec. The new SASDM interface is nice but does only support Cisco VPN Clients. I like to avoid to popolate all XP's with the Cisco client. There miust be a way to use. XP VP client.

0 Helpful
Customers Also Viewed These Support Documents