VPN Through Pix

[cmptrguru7]

I am trying to get VPN PPTP to pass throuh the pix. I issued the following commands and the VPN worked to my internal server, but all the computers on the inside of the pix could not get out.

access-list acl-out permit tcp host x.x.x.x host x.x.x.x eq 1723

access-list acl-out permit gre host x.x.x.x host x.x.x.x

access-group acl-out in interface outside

static (inside,outside) tcp x.x.x.x 1723 y.y.y.y 1723 netmask 255.255.255.255 0 0


static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0

When the last command is issued I loose all internet activity in my internal network, but the VPN works and all outside connections are allowed in. When the pix is rebooted and the command is removed internet is restored, but VPN stops.

Any ideas?

 

[boymarty24]

Your last static statement, are you using the same public ip as your global? If yes thats why you loose your internet connection.

The static has higher priority then the global command so if you use the same ip only the static machine can access the internet.

static (inside,outside) tcp x.x.x.x port y.y.y.y port netmask 255.255.255.255 0 0

With this string you can still use same ip for static and global. Just change the port numbers.

 

[cmptrguru7]

Yes I understand that and I have issued a static statement with port 1723 for the pptp traffic, but how do I allow protocol 47 through. If I do a general statement then the internet stops. If I do a TCP port statement then the internet works, but the VPN does not. Any help would be appreciated.

 

[LloydSev]

wow.. I haven't seen anything which states that the PIX allows PPTP pass-through, or IPSec pass-through for that matter...

If no one here knows, your best bet may be to contact Cisco directly.

Computer/Network Technician
CCNA

 

[cmptrguru7]

The pass-through works just fine if I issue the static statement like this:

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0

The problem of course is issuing that statement cause the internet on the inside to fail. There must be a statment that I could do that allows PPTP traffic to flow in and outbound traffic to flow out. I used the following site as reference:

http://www.cisco.com/warp/public/110/pix_pptp.html

 

[LloydSev]

the only reason that works, is because it maps the inside system to the outside. I have not seen any type of static map command which is able to forward protocol 47.

Computer/Network Technician
CCNA

 

[cmptrguru7]

I have not seen one either, but the cisco site says it is possible to do what I want. It even gives the statements I need to put in, but they do not seem to work with my setup.

 

[slyride]

Have you done the fixup protocol pptp 1723 command?

 

[cmptrguru7]

I have tried that command. I get an error "bad protocol pptp". I am running PIX Version 6.2.

 

[Boyds]

Why don't you set up the pix device manager (GUI)and use that to config your vpn. It makes it so much easier.

There are check boxes in the device manager to allow pptp and ipsec pass-through.

 

[rmcnutt]

If you are tyring to connect to a MS server using pptp (gre) through the PIX, the following commands work.

access-list acl-outside permit tcp any host 209.1.1.1 eq pptp
access-list acl-outside permit gre any host 209.1.1.1

access-group acl-outside in interface outside

static (inside,outside) 209.1.1.1 [VPN server address] netmask 255.255.255.255 0 0