Can PPTP IP pool be on the same subnet of PIX's inside?

Unanswered Question
May 7th, 2007

Hi All,

For example, there is a PIX firewall with as outside interface's IP and as inside interface's IP. This PIX holds a PPTP configuration which is enabled on the outside interface. Because the PPTP clients must be assigned an IP local pool, can the IP range of this local pool be on the same subnet as the inside interface? For example, the IP pool is Is this possible? These PPTP clients will only access subnet. No next-hop subnet exists in the PIX "inside" subnet.



Best regards

mfreijser Tue, 05/08/2007 - 00:33

Yes, you can specify a local pool that overlaps with the inside network, but it is advisable to use another pool for the PPTP clients. That way you can differentiate more easily between the clients and the internal network. Even the use of future access-lists is easier with a different subnet.

You can find more information about configuring PPTP on a Pix in the following document:

Please rate if the post helps!



netcraftjason Tue, 05/08/2007 - 18:56

Hi Michael,

Thanks for your reply!

Can the users in IP range access the users in this IP pool? Actually, there are some IP phones that exist in network. So can these IP phones access the IP phones which are in the IP pool? Thank you for your help!


Best Regards

mfreijser Tue, 05/08/2007 - 23:21

They can communicate with each other if you set the Pix as the default gateway or if you make sure the routing in the rest of the network is in order (the last thing only applies to bigger networks with multiple 'exits', like two Internet connections).

The Pix makes sure that there will be communications between the 'virtual' pool and the real inside network :)



andrew100 Wed, 05/09/2007 - 09:00


If possible, it is sometimes advised to stay away from this. The pix has to proxy arp on behalf of all the external hosts on the inside interface and I have had issues with this on some versions of code when lots of clients are connected. If the pix is the default gateway on the LAN you're connecting to, it doesn't matter what pool you use. If it isn't, then adding a persistent route onto the servers that external users are accessing, pointing back to the pix, can sometimes be more stable.

No big deal, just something to be aware of!

Thanks :-)
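The separate-pool layout recommended in the replies above, written out as a PIX 6.3-style configuration. This is an added example, not part of any post in the thread; the addresses (inside network 192.168.1.0/24, PIX inside IP 192.168.1.1, pool 192.168.50.1-50), the names `pptp-pool` and `nonat`, and the credentials are constructed placeholders.

```cisco
: Assumed inside network: 192.168.1.0/24, PIX inside IP 192.168.1.1 (constructed values)
: PPTP pool on its own subnet, so the PIX does not proxy-ARP for clients on the inside LAN
ip local pool pptp-pool 192.168.50.1-192.168.50.50

: Exempt inside-to-pool traffic from NAT so both sides see real addresses
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let PPTP traffic terminate on the PIX without a separate outside ACL entry
sysopt connection permit-pptp

: PPTP dial-in group: MS-CHAP authentication, MPPE encryption required
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username EXAMPLE_USER password EXAMPLE_PASSWORD
vpdn enable outside

: If the PIX is NOT the default gateway of the inside hosts, each server the
: PPTP users reach needs a return route for the pool via the PIX inside IP,
: for example on a Windows server (persistent route):
:   route -p add 192.168.50.0 mask 255.255.255.0 192.168.1.1
```

Because the pool has its own subnet, later access-lists can match PPTP clients with a single network statement instead of listing individual addresses from the inside range.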


netcraftjason Wed, 05/09/2007 - 17:05

Hi Andy,

Does the 6.3(4) version have the issue you informed us about? Thanks for your help!


Best Regards

