
Problems with pptp passthru with PIX 501

Status
Not open for further replies.

matha (MIS, US), Feb 8, 2004
Hi,

We recently got 3 PIX 501s. I am trying to set them up in 3 locations, all having a DSL or cable internet connection. The PIX came with the 6.3(1) version. I am trying to pass VPN (PPTP) through to the corp. office. It sometimes connects and many times it fails. I added these commands to the basic factory settings. I am not using a site-to-site topology.

fixup protocol pptp 1723

access-list nonat permit ip 10.x.x.0 255.255.0.0 10.x.x.0 255.255.0.0

nat (inside) 0 access-list nonat
sysopt connection permit-pptp

If I remove the PIX and connect the PC to the cable modem, PPTP works fine every time. With the PIX in between there is a problem, and it is not consistent. It doesn't seem to be logical. It is the same case in the other locations as well. Am I missing something?

We have Cisco 3005 VPN concentrator in the corp office, and we never had any VPN problems.

Any help will be greatly appreciated.

Thanks
guna
 
Hi.

> We recently got 3 PIX- 501's. I am trying to set it up in 3 locations all having a DSL or Cable internet facility
The cable/ADSL device might also be doing PAT, which may add complexity and problems (two NAT devices in a row: the PIX and then the DSL router).


All of the following commands should be removed from your configuration. These are not needed for pass-through:
> access-list nonat permit ip 10.x.x.0 255.255.0.0 10.x.x.0 255.255.0.0
> nat (inside) 0 access-list nonat
> sysopt connection permit-pptp


Anyway, since you already have a Cisco 3005 VPN concentrator at the corp office, my suggestion is to start using Cisco IPSec VPN instead of PPTP.
This will probably eliminate the problems you have now, and can also improve security.

You set up the corp VPN server to accept Cisco VPN connections, and then choose one of the following:

Install latest version of Cisco VPN client on remote workstations.
OR:
Set up the branch pix 501 devices as "Easy VPN remote" clients that will connect to the corp server.
OR:
Set up a traditional "site to site" VPN between the branch PIX 501 devices and the corp VPN server.

Bye


Yizhar Hurwitz
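As an added example (not part of either post above, and not Cisco's or the poster's configuration), here is what the reply's advice looks like as a PIX 6.3 configuration: a stripped-down pass-through config that keeps only the PPTP fixup and ordinary PAT, followed by the "Easy VPN remote" alternative. The inside subnet, the concentrator address, the group name and the passwords are placeholders chosen for illustration.

```cisco
! --- Option A: PPTP pass-through only (branch PIX 501, 6.3(x)) ---
! Assumed addressing: inside 10.1.1.0/24, outside address from the cable/DSL
! device by DHCP. That device may itself be doing PAT, as the reply notes.
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.255.255.0
ip address outside dhcp setroute
!
! PPTP inspection: watches the TCP/1723 control channel and opens the GRE
! (IP protocol 47) data channel for that PAT session. Without it the call
! negotiates over TCP but GRE has no translation and the tunnel carries no data.
fixup protocol pptp 1723
!
! Plain PAT of all inside hosts to the outside interface address. No
! 'nat (inside) 0 access-list' exemption and no 'sysopt connection permit-pptp':
! both only matter when the PIX itself terminates the VPN, not when it passes
! someone else's tunnel through.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! --- Option B: branch PIX 501 as an Easy VPN Remote client (replaces PPTP) ---
! Assumes the corp VPN 3005 concentrator has a group "branch-pix" configured
! for Cisco IPsec clients; address, group name and passwords are placeholders.
vpnclient server 192.0.2.10
vpnclient mode network-extension-mode
vpnclient vpngroup branch-pix password GroupPresharedKeyPlaceholder
vpnclient username branch1 password XauthPasswordPlaceholder
vpnclient enable
```

For option A, `show fixup` should list `fixup protocol pptp 1723`, and while a PPTP call is up `show xlate` and `show conn` should show both the TCP/1723 connection and the GRE entry that the fixup created for it; if only the TCP entry ever appears, the GRE side is what is failing. Network-extension mode in option B keeps the branch LAN reachable by its own addresses from the corp side; use `client-mode` instead if the concentrator should hand the branch a single NATed address.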
 