Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Allowing PPTP and L2TP through a PIX

Status
Not open for further replies.
chicocouk

chicocouk

MIS
Aug 19, 2002
331
GB
Customer of ours has a windows 2000 server, and external users who connect using the Microsoft VPN client to it. They've had a new 501 pix put in place, which obviously blocks these incoming connecions.

How do i reconfigure the PIX to allow PPTP and L2TP connections through to the server? The PIX is set up to PAT all outgoing traffic, if that's relevant (i have a sneaky suspicion it is), but they have access to a few public ip addresses, so should I be thinking about using one of their "spare" addresses, using a static to route that through to the server, rather than a static on the outside interface address?

Any links to example docs, or advice from anyone who's done it before would be great.

Thanks
 
Sort by date Sort by votes
This is what I have in my 501. Hope it helps...


access-list 101 permit tcp any interface outside eq 1723

static (inside,outside) tcp interface 1723 (your server ip)1723 netmask 255.255.255.255 0 0

Cheers

Kyu
 
Upvote 0 Downvote
For PPTP you need to open TCP port 1723 and IP protocol 47 (GRE).
L2TP uses UDP port 1701.
 
Upvote 0 Downvote
Cheers guys

Ended up using fixup protocol pptp 1723,some access control lists allowing pptp and gre to the wan and a static mapping for pptp. Seems to work.

Think i'm not letting l2tp through, but it's a quick fix till the users have a copy of the cisco vpn client software, so no big loss.

Thanks for the help.
 
Upvote 0 Downvote
Hello,

Can someone please help me with my PIX 501 configuration? I have a PIX 501 that establishes a Internet connection to my ISP via PPPoE. Therefore my outside IP address is very dynamic. I want to allow PPTP packets to pass through to my Windows 2003 VPN server 172.16.2.20. I'm using version 6.3 and the Fixup protocol pptp 1723 is enabled. Any suggestions would be greatly appreciated.

Thanks,

Andrew
 
Upvote 0 Downvote
well you need to open up ports on the outside interface allowing pptp and gre, since you're using dhcp here is how

access-list acl_out permit tcp any interface outside eq 1723
access-list acl_out permit gre any interface outside


then for your static entry do this

static (inside,outside) tcp interface 1723(inside_ip_here) 1723 netmask 255.255.255.255


hope this helps


buckweet
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
283
Sameer258
Sameer258
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
85
Russtoleum
Russtoleum
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
245
nnaarrnn
nnaarrnn
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
71
brownmab53
brownmab53
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
207
Nitta84
Nitta84

Part and Inventory Search

Sponsor

Back
Top