enabled PPTP vpn from behind PIX firewall 1

[shakamon]

I would like to establish a PPTP VPN from behind a Pix firewall ver 6.3 to a Windows 2003 RAS server. The pix uses DHCP for the WAN int.

I have enabled 1723 and 47 with a static statement and an access list. Re-applied the access group. I am not sure what I am missing. If you notice my config, my ftp and 8080 work great. The PPTP source is on a system is running on the inside network. I set up PPTP in my object group. Do I need UDP too? I am pretty sure my static statement is wrong, but cannot find the correct syntax. Here is that attempt:


access-list outside_access_in permit tcp any any eq 1723
access-list outside_access_in permit gre any any

static (inside,outside) tcp interface 1723 10.1.10.x 1723 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 47 10.1.10.x 47 netmask 255.255.255.255 0 0


"Only the dead fish follow the stream"

 

[KiscoKid]

What version of PIX software are you using? You should just need to add pptp fixup or inspection for newer versions of PIX OS. Here's a link that may help:

http://www.cisco.com/warp/public/110/pix_pptp.html

 

[shakamon]

I am on 6.3 on an older PIX 520.

I am getting thru to the RAS server, but something is stopping the return communication to complete the PPTP VPN.

It drops after it says verifying username and password. Then there is a message that the remote host disconnected, or to that effect.

I will try that article tonite and let you know how it goes.

Shaka

"Only the dead fish follow the stream"

 

[shakamon]

That article worked! I will toss ya some stars!

here are the statements for a pix using DHCP and PAT

a couple little differences from the article.

fixup protocol pptp 1723
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
static (inside,outside) tcp interface 47 10.1.10.100 47 netmask 255.255.255.255 0 0

"Only the dead fish follow the stream"