PIX 501 PPTP Help?

Aug 8th, 2007

I'm just trying to allow pptp (1723) from an outside network to access the servers behind the pix that I have installed. I know it is a simple access-list... any help?


Jon Marshall Wed, 08/08/2007 - 15:39


    object-group network pptp_servers
     network-object host "server1 ip address"
     network-object host "server2 ip address"

    access-list acl_inbound permit tcp "outside net" "net mask" object-group pptp_servers eq 1723
    access-list acl_inbound permit gre "outside net" "net mask" object-group pptp_servers

    access-group acl_inbound in interface outside

Note for PPTP you need to allow GRE as well, so I have included that in the access-list. You will need to add any other access you need to the access-list, as there is an implicit deny at the end of an access-list.

One last thing. GRE is not stateful so if you have an access-list applied to your inside interface where your servers are you will need to allow GRE back out through the firewall.
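Added example, not part of the original reply: a small Python check that reads PIX-style `access-list` lines and reports any TCP/1723 permit that has no matching GRE permit for the same source and destination, plus any ACL that is never applied with `access-group`. The function names are hypothetical and the sample configuration is constructed, using documentation-range addresses rather than values from this thread.

```python
import re

# Constructed sample config; addresses are documentation ranges (assumption).
SAMPLE_CONFIG = """\
object-group network pptp_servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
access-list acl_inbound permit tcp 198.51.100.0 255.255.255.0 object-group pptp_servers eq 1723
access-list acl_inbound permit gre 198.51.100.0 255.255.255.0 object-group pptp_servers
access-list acl_inbound permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.10 eq 1723
access-group acl_inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|gre) (.+)$")
BIND_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
PPTP_PORT = " eq 1723"  # only the numeric port form is recognised here


def parse_permits(config):
    """Return (control, gre, bound): sets of (acl, flow) for TCP/1723 and
    GRE permits, and a dict mapping each applied ACL to its interface."""
    control, gre, bound = set(), set(), {}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise spacing and indentation
        m = ACL_RE.match(line)
        if m:
            acl, proto, rest = m.groups()
            if proto == "gre":
                gre.add((acl, rest))
            elif rest.endswith(PPTP_PORT):
                control.add((acl, rest[: -len(PPTP_PORT)]))
            continue
        m = BIND_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
    return control, gre, bound


def audit_pptp(config):
    """List findings for PPTP rules that are missing GRE or are unapplied."""
    control, gre, bound = parse_permits(config)
    findings = [f"{acl}: tcp/1723 permitted for '{flow}' but GRE is not"
                for acl, flow in sorted(control) if (acl, flow) not in gre]
    findings += [f"{acl}: not applied with access-group"
                 for acl in sorted({a for a, _ in control | gre}) if acl not in bound]
    return findings


if __name__ == "__main__":
    print("\n".join(audit_pptp(SAMPLE_CONFIG)) or "no findings")
```

The check compares rules textually, so a GRE permit written with a different but equivalent source or destination is reported as missing; it does not look at ACLs on the inside interface.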



homeboarder8 Wed, 08/08/2007 - 16:26

Hey thanks for the reply... I was just a little confused as to what "server1 ip address" should I use? The internal or external?

Thanks for your help!

