
PIX pptp 1

Status
Not open for further replies.

jgillen

IS-IT--Management
Aug 29, 2000
3
US
When trying to establish a connection to an outbound PPTP site, we do not get a connection. However, dial-up ISP does connect.
 
We need a little more information on what is not happening and what you are trying to accomplish.

- Are you trying to establish a tunnel between two PIXes using PPTP?
- What do you mean by "dial-up ISP does connect"? How are you dialing to the ISP?
- What version of the PIX software are you running?

Jason
 
We are trying to hit a customer's site. They recommend using the Microsoft VPN client to connect. When using a dial-up ISP we have no problems. Using the same PC but going through the corporate network PIX, it does not work.

Cisco Secure PIX Firewall Version 6.0(1)
 
Okay. So you are using the Windows VPN client (which is PPTP based) to connect through your PIX firewall to the client's site.

I thought there was a document on Cisco's website about configuring this scenario, but I just looked again and was unable to find it. I don't remember if there was something special you need to do for this or if it was just allowing the correct protocols to pass through the firewall.

Try just allowing the correct protocols through the firewall. PPTP uses TCP port 1723 and protocol 47 (GRE). I'm not sure if it will work if you have PAT instead of true NAT. There may be other issues around NAT that prevent it from working.

One way to definitely do it is to select one machine inside the firewall, give it a static IP, and then set up a STATIC statement on the firewall to bind this internal address to a free external one. Then you can set up the access-list and not have to worry about NAT/PAT problems.

Jason
 
I just had this issue a few days ago and a call to Cisco's support revealed the problem.

NAT doesn't appear to be the problem, but PAT is. It seems that if all available NAT addresses are taken, PIX will overflow to a PAT address, which it does not allow VPN traffic to traverse.

Bluecrack's suggestion about assigning a static IP address to the machine, then a STATIC statement on the firewall, is what was suggested to me, also.

Speaker
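Added example, not taken from this thread or from Cisco documentation: a PIX 6.x configuration fragment illustrating what Jason and Speaker describe above. One inside host gets a one-to-one STATIC translation so it never falls into the PAT overflow that blocks the VPN, and an inbound access-list admits the PPTP control channel (TCP 1723) and GRE (IP protocol 47) only from the customer's VPN server to that host. All addresses are constructed documentation-range placeholders (10.1.1.0/24 inside, 203.0.113.0/24 outside, 198.51.100.5 as the remote PPTP server); the interface and access-list names are assumptions.

```text
! --- Constructed example (not from the thread). Interface names, ACL name
! --- and every address are placeholders to be replaced with site values.

! Normal outbound translation for the rest of the LAN: a small NAT pool
! that, as Speaker notes, overflows into PAT on the outside interface
! address once the pool is exhausted. Hosts landing on the PAT address
! cannot carry the PPTP/GRE session.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.30 netmask 255.255.255.0
global (outside) 1 interface

! Dedicated one-to-one STATIC for the VPN workstation (inside 10.1.1.10,
! outside 203.0.113.10). STATIC takes precedence over the NAT/PAT pool,
! so this host always presents the same public address and is never PAT'd.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface. The PPTP control channel is TCP
! and its return traffic is handled by the state table, but GRE is a
! separate IP protocol that PIX 6.0 does not track statefully, so the
! returning GRE must be permitted explicitly. Scope both rules to the
! remote VPN server and the static host only.
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 1723
access-list outside_in permit gre host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside
```

Two checks worth running after applying something like this: `show xlate` should list the 203.0.113.10 / 10.1.1.10 entry as a static rather than a PAT entry, and `show access-list outside_in` hit counts on the `gre` line should increment while the tunnel is being brought up; a tunnel that authenticates on 1723 and then hangs is the classic sign that GRE is still being dropped. Keeping the inbound rules pinned to the single remote server and the single static host limits the exposure of that host to exactly the two protocols PPTP needs.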
 