We are trying to work out why a user is unable to connect to a PPTP VPN server through our firewall.
They are on a NAT network going through our PIX and then to their Windows 2003 VPN server. Now this works fine from a normal un-NAT network but not from a NAT network?
PPTP ports are open, GRE is enabled and working. It looks like I need NAT-T enabled on my PIX?
The setup is:
Client -> NAT (PIX) -> PIX -> VPN (PPTP)
Where our PIX firewall has 7 VLANs on it, 3 of which are NATs it runs itself; the other non-NAT VLANs work fine for a VPN connection.
Now how do I turn on NAT-T on our PIX? It's a 525 with v7.x running on it.
Anyone got a quick fix for this issue?
Is the connection getting NATed or PATed? I.e., is it a one-to-one translation or a many-to-one?
If it is getting PATed, you need to enable PPTP inspection. If it is getting NATed only, then you just need to permit the traffic with your ACL (for inbound PPTP sessions that is TCP/1723 and GRE).
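
The two cases from the reply above, sketched as PIX 7.x configuration. This is an added example, not part of the original posts. The interface name `outside`, the ACL name `outside_in` and the server address `192.0.2.10` are assumed placeholders; `global_policy` and `inspection_default` are the names used by the default 7.x inspection policy.

```cisco
! Added example (not from the original thread). Placeholder values:
!   outside      - assumed interface name
!   outside_in   - assumed ACL name
!   192.0.2.10   - assumed (documentation-range) address of the PPTP server

! Step 0: find out whether the session is NATed (one-to-one) or PATed
! (many-to-one). PAT entries appear as port-level translations.
show xlate

! Case 1: many-to-one (PAT). GRE has no port numbers for PAT to key on,
! so PPTP inspection is needed for the firewall to track the TCP/1723
! control channel and translate the matching GRE data channel.
policy-map global_policy
 class inspection_default
  inspect pptp
! Only needed if the default global policy is not already applied:
service-policy global_policy global

! Case 2: one-to-one NAT only. No inspection required; just permit the
! inbound PPTP control channel (TCP/1723) and the GRE data channel to
! the server, scoped to that single host rather than "any".
access-list outside_in extended permit tcp any host 192.0.2.10 eq 1723
access-list outside_in extended permit gre any host 192.0.2.10
access-group outside_in in interface outside

! Confirm the inspection is attached and seeing traffic.
show service-policy
```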