How to allow MS VPN outbound on PIX 501

Unanswered Question
Dec 4th, 2007

I'm sure this is standard stuff, but I can't figure it out. I want to allow MS VPN connections initiated from inside to get out a PIX 501. Any help?

JORGE RODRIGUEZ Tue, 12/04/2007 - 12:07

You need to allow the IPsec VPN ports through the firewall: UDP 500, UDP 4500 and protocol ESP.

access-list inside permit udp any any eq 500
access-list inside permit udp any any eq 4500
access-list inside permit esp any any
access-group inside in interface inside

Rate any helpful post if it does!

ciscospaz Tue, 12/04/2007 - 12:14

Thanks Jorge,

Does this apply if it's only a PPTP connection?

JORGE RODRIGUEZ Tue, 12/04/2007 - 12:37

This is only for the Cisco VPN client; for PPTP, use the info and link posted by others in this thread.


kevin.jones1 Tue, 12/04/2007 - 12:12

1) use Pix OS code 6.3(5),

2) fixup pptp protocol 1723

It will work after that.

ciscospaz Tue, 12/04/2007 - 12:42


That did the trick, thanks.

Would I still need these ACL statements I tried earlier?

access-list outside_access_in permit gre any any

access-list outside_access_in permit tcp any any eq pptp

Thanks again,

kevin.jones1 Tue, 12/04/2007 - 16:47

You do NOT need to allow anything on the outside interface. In fact you can even do

access-list ccie_security deny ip any any log
access-group ccie_security in interface outside

Your PPTP still works after that because the connection is initiated from the inside.
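The point made in this thread (PPTP inspection opens the GRE data channel for an inside-initiated connection, so nothing has to be permitted inbound on the outside interface, and inbound `permit gre` / `permit tcp ... eq pptp` entries only widen exposure) can be checked mechanically against a saved config. The following Python audit script is an added example, not code from this thread or from Cisco; it assumes PIX 6.3-style `access-list` / `access-group` / `fixup protocol pptp` syntax and, as a stated simplification, ignores source and destination addresses (a `permit ip` entry is treated as covering the control channel). The two configs at the bottom are constructed from the commands quoted in the thread.

```python
"""Audit a PIX 6.3-style config for outbound PPTP (MS VPN) from inside.

Added example, not from the thread. It checks that:
  * 'fixup protocol pptp 1723' is on, so the PIX tracks the TCP/1723 control
    channel and opens the GRE data channel for the reply traffic;
  * an ACL bound inbound on the *inside* interface (if any) permits TCP/1723;
    with no inside ACL the PIX allows outbound by default;
  * nothing is permitted inbound on the *outside* interface for PPTP, since an
    inside-initiated connection needs none and such entries widen exposure.
Simplification (assumption): source/destination addresses are ignored.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s*(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
FIXUP_RE = re.compile(r"^(no\s+)?fixup\s+protocol\s+pptp\s+(\d+)$")


@dataclass
class AclEntry:
    name: str
    action: str   # permit | deny
    proto: str    # tcp, udp, gre, esp, ip, ...
    rest: str     # addresses, ports, 'log' ... (not interpreted here)


@dataclass
class Audit:
    pptp_inspection: bool = False
    inside_acl: Optional[str] = None
    outside_acl: Optional[str] = None
    entries: List[AclEntry] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def outbound_pptp_ok(self) -> bool:
        return not any(f.startswith("FAIL") for f in self.findings)


def _is_pptp_control(e: AclEntry) -> bool:
    """Entry addresses the PPTP control channel (TCP port 1723 / 'pptp')."""
    return e.proto == "tcp" and re.search(r"\beq\s+(pptp|1723)\b", e.rest) is not None


def _control_channel_permitted(entries: List[AclEntry]) -> bool:
    """PIX ACLs are first-match with an implicit deny at the end."""
    for e in entries:
        if e.proto == "ip" or _is_pptp_control(e):
            return e.action == "permit"
    return False


def audit(config: str) -> Audit:
    a = Audit()
    for raw in config.splitlines():
        line = raw.strip()
        if m := FIXUP_RE.match(line):
            a.pptp_inspection = m.group(1) is None  # 'no fixup ...' disables it
        elif m := ACL_RE.match(line):
            a.entries.append(AclEntry(*m.groups()))
        elif m := GROUP_RE.match(line):
            acl, iface = m.groups()
            if iface == "inside":
                a.inside_acl = acl
            elif iface == "outside":
                a.outside_acl = acl

    if not a.pptp_inspection:
        a.findings.append("FAIL: 'fixup protocol pptp 1723' missing; the GRE data "
                          "channel will not be opened for the reply traffic")
    if a.inside_acl is not None:
        inside = [e for e in a.entries if e.name == a.inside_acl]
        if not _control_channel_permitted(inside):
            a.findings.append(f"FAIL: inside ACL '{a.inside_acl}' does not permit "
                              "tcp eq 1723 outbound (implicit deny)")
    if a.outside_acl is not None:
        for e in a.entries:
            if e.name == a.outside_acl and e.action == "permit" and (
                    e.proto == "gre" or _is_pptp_control(e)):
                a.findings.append(f"UNNECESSARY: outside ACL '{e.name}' permits "
                                  f"{e.proto} {e.rest} inbound; not needed for "
                                  "inside-initiated PPTP and widens exposure")
    return a


# Constructed samples built from the commands quoted in the thread.
THREAD_CONFIG = """
fixup protocol pptp 1723
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq pptp
access-group outside_access_in in interface outside
"""
LOCKED_DOWN_CONFIG = """
access-list inside permit udp any any eq 500
access-list inside permit udp any any eq 4500
access-list inside permit esp any any
access-group inside in interface inside
access-list ccie_security deny ip any any log
access-group ccie_security in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("locked-down", LOCKED_DOWN_CONFIG)):
        result = audit(cfg)
        print(f"[{name}] outbound PPTP ok: {result.outbound_pptp_ok}")
        for finding in result.findings:
            print("  ", finding)
```

Run against the first sample (the thread's working setup plus the two outside entries the poster asked about) it reports PPTP as working and flags both outside permits as unnecessary; against the second (the IPsec-only inside ACL and no `fixup`) it reports two failures, because the control channel is denied by the inside ACL and GRE would never be opened.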


ciscospaz Tue, 12/04/2007 - 17:16

Didn't think so, but I was grasping at anything.

Thanks for helping.

