PPTP traffic cannot pass through pix 525 7.0(7)

Unanswered Question
May 7th, 2008

First:

I read the Cisco document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#new

The PPTP client is on the inside,

the PPTP server is on the outside.

When I do not use the firewall, the PPTP connection can be established successfully.

But with the PIX 525 7.0(7),

I configured:

inspect pptp.

The PPTP connection cannot be set up.

show conn on the PIX:

the PPTP TCP 1723 connection is OK.

The GRE connection has only one flag, "E", and E means "outside back connection".

I tried a second method:

delete "inspect pptp",

permit TCP 1723 and GRE traffic from outside to inside (I have configured static NAT),

but the PPTP connection cannot work either.

So I think a PPTP bug exists in PIX 7.0(7).

Can you help me with this question?

Thanks a lot.

smahbub Tue, 05/13/2008 - 06:04

You can only have one PPTP/L2TP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host.

Refer to the following URL for PPTP configuration and troubleshooting on the PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml#tshoot

xh_liu Tue, 05/13/2008 - 16:44

I do not need to configure a PPTP client or server on the PIX;

I just want PPTP traffic to pass through the PIX firewall.

damoy Tue, 01/20/2009 - 12:54

I had the same issue. When I put in the inspect pptp command, I got the same results as you did. FWIW - I entered the old "fixup protocol pptp 1723" (which is just supposed to add the "inspect pptp", right?). Now all of a sudden it's working. Only difference is I'm running 8.03 code.

Rafael Trujilho Mon, 07/11/2011 - 07:04

I have the same environment as "xh_liu"; here is the information:

  • Firewall
    • Cisco PIX 525 - PIX/IOS v7.2(4)
  • Topology
    • CLIENT (INSIDE) |----------| PIX |----------| Server PPTP (OUTSIDE)
  • Configuration
    • Rules
      • access-list inside_access_in permit gre host host
      • access-list inside_access_in permit tcp host host eq 1723
      • access-group inside_access_in in interface INSIDE
    • Inspection
      • policy-map global_policy
          class inspection_default
            inspect pptp

Is the only solution in the case above a PIX OS upgrade?

Thanks for your collaboration!
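As an added worked example (not configuration posted by anyone in this thread, and not Cisco's own example), here are the two methods the thread describes written out as a complete PIX 7.x configuration in pre-8.3 NAT syntax, followed by the commands used to check the result. Everything about the addressing is assumed for illustration: inside network 192.168.1.0/24, PPTP client 192.168.1.10, outside interface 203.0.113.2, spare outside address 203.0.113.10 for the static translation, and PPTP server 198.51.100.10. Method 1 is what xh_liu and Rafael configured (PAT plus `inspect pptp`); method 2 is xh_liu's second attempt (no inspection, static NAT and an inbound ACL for GRE). They are alternatives, not meant to be applied together.

```cisco
! Added example: PIX 7.x, pre-8.3 NAT syntax. Not from any post in this
! thread. All addresses, interface names and ACL names are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! --- Method 1: PAT for the inside network plus PPTP inspection ---
! The inspection engine follows the TCP 1723 control channel (call IDs) and
! creates the GRE connection and translation itself, so nothing has to be
! permitted inbound on the outside interface for the tunnel to come up.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 198.51.100.10 eq 1723
access-list inside_access_in extended permit gre 192.168.1.0 255.255.255.0 host 198.51.100.10
access-group inside_access_in in interface inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
!
! --- Method 2: no PPTP inspection, one-to-one static NAT plus inbound ACL ---
! Use INSTEAD of method 1: remove "inspect pptp", give the single client a
! fixed outside address, and explicitly permit the server's GRE and TCP 1723
! traffic in on the outside interface. Without inspection there is no call-ID
! tracking, so this only covers the one client that owns the static mapping.
policy-map global_policy
 class inspection_default
  no inspect pptp
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit gre host 198.51.100.10 host 203.0.113.10
access-list outside_access_in extended permit tcp host 198.51.100.10 host 203.0.113.10 eq 1723
access-group outside_access_in in interface outside
!
! --- Checks while a client tries to connect ---
! show conn detail
!   Look for the TCP 1723 entry and a separate GRE entry between the same
!   hosts; the flag legend printed above the table explains "E" (outside
!   back connection), which is the lone flag the original poster saw.
! show service-policy inspect pptp
!   Confirms the inspection is actually attached to the global policy.
! show xlate
!   Confirms the static (method 2) or PAT (method 1) translation exists.
! capture cap interface outside match gre any any
! show capture cap
!   Shows whether GRE frames leave toward, and return from, the server.
```

When reading `show conn detail`, what matters is whether GRE packets are counted in both directions on the GRE entry: a TCP 1723 conversation that completes while the GRE entry never sees a reply points at the GRE path (inspection, translation or the inbound ACL), not at the control channel.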
