PPTP Pass Thru 1

[CripTiK]

I have internal systems that need to connect to an ISA box in a remote office. What I need to know is how can I allow a whole subnet to be allowed to connect?

access-list acl-out permit gre host xxx.xxx.xxx.169 host xxx.xxx.xxx.78
access-list acl-out permit gre host xxx.xxx.xxx.219 host xxx.xxx.xxx.78
static (inside,outside) xxx.xxx.xxx.78 192.168.0.128 netmask 255.255.255.255 0 0
access-group acl-out in interface outside

When I have this in I can Pass PPTP thru the PIX to either site...how can I allow a subnet to do this?

 

[yizhar]

HI.

This will not work with PAT, so you will need a bunch of registered ip addresses that you map using NAT or STATIC to that subnet.

Another option is to set up an internal W2K server with RRAS as PPTP gateway/proxy - only the server will do PPTP to the remote ISA server and will act as a virtual router for other clients. This can be done also with some other devices but not with the pix.

And another option is to set up a VPN between the PIX and the remote ISA server - I've never done that but it should be possible if you have cooperation from the other side.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar