PPTP traffic cannot pass through PIX 525 7.0(7)

May 7th, 2008

I read the Cisco document:


The PPTP client is on the inside,

the PPTP server is on the outside.

When I do not use the firewall, the PPTP connection is established successfully.

But with the PIX 525 7.0(7),

I configured:

inspect pptp.

The PPTP connection cannot be set up.

show connection on the PIX:

PPTP TCP 1723 is OK.

The GRE connection has only one "E" flag; E means 'outside back connection'.

I tried a second method:

delete 'inspect pptp',

permit TCP 1723 and GRE traffic from outside to inside, and I have configured static NAT,

but the PPTP connection does not work either.

So I think there is a PPTP bug in PIX 7.0(7).

Can you help me with this question?

Thanks a lot.

smahbub Tue, 05/13/2008 - 06:04

You can only have one PPTP/L2TP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host.

Refer to the following URL for PPTP configuration and troubleshooting on PIX
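
The single-tunnel limit described in the reply above, as an added example (not part of the thread and not PIX code): a simplified Python model of a PAT table in which TCP flows get distinct mapped ports while GRE, having no port, competes for one port-0 slot. The class, its method names and the 10.0.0.x client addresses are constructed for illustration.

```python
from itertools import count

GRE, TCP = 47, 6  # IP protocol numbers


class PatTable:
    """Simplified model of a many-to-one PAT table (illustrative, not PIX code)."""

    def __init__(self, first_port=1024):
        self._ports = count(first_port)  # next free mapped port on the PAT address
        self._out = {}    # (proto, inside_host, src_port) -> mapped_port
        self._back = {}   # (proto, mapped_port) -> (inside_host, src_port)

    def translate(self, proto, inside_host, src_port=0):
        """Outbound packet: return the mapped port, or None if no slot is free."""
        if proto == GRE:
            src_port = 0  # GRE carries no port, so every GRE flow uses port 0
        key = (proto, inside_host, src_port)
        if key in self._out:
            return self._out[key]
        mapped = 0 if proto == GRE else next(self._ports)
        if (proto, mapped) in self._back:
            return None   # the slot is already owned by another inside host
        self._out[key] = mapped
        self._back[(proto, mapped)] = (inside_host, src_port)
        return mapped

    def untranslate(self, proto, mapped_port=0):
        """Return packet from outside: which inside host receives it?"""
        return self._back.get((proto, 0 if proto == GRE else mapped_port))


def demo():
    pat = PatTable()
    a, b = "10.0.0.11", "10.0.0.12"  # constructed inside PPTP clients
    return {
        "a_ctrl": pat.translate(TCP, a, 40001),  # control channel to TCP 1723, host A
        "b_ctrl": pat.translate(TCP, b, 40001),  # same source port from host B
        "a_gre": pat.translate(GRE, a),          # first tunnel takes the port-0 slot
        "b_gre": pat.translate(GRE, b),          # second tunnel has no slot left
        "gre_return": pat.untranslate(GRE),      # returning GRE always lands on host A
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both control channels translate, but only the first host's GRE data channel does, which matches a `show conn` where TCP 1723 looks healthy and the tunnel still fails.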


xh_liu Tue, 05/13/2008 - 16:44

I do not need to configure a PPTP client or server on the PIX,

I just want PPTP traffic to pass through the PIX firewall.

damoy Tue, 01/20/2009 - 12:54

I had the same issue. When I put in the inspect pptp command, I got the same results as you did. FWIW - I entered the old "fixup protocol pptp 1723" (which is just supposed to add the "inspect pptp", right?). Now all of a sudden it's working. Only difference is I'm running 8.03 code.

Rafael Trujilho Mon, 07/11/2011 - 07:04

I have the same environment as "xl_liu"; the information follows:

  • Firewall
    • Cisco PIX 525 - PIX/IOS v7.2(4)
  • Topology
    • CLIENT (INSIDE) |----------| PIX |----------| Server PPTP (OUTSIDE)
  • Configuration
    • Rules
      • access-list inside_access_in permit gre host host
      • access-list inside_access_in permit tcp host host eq 1723
      • access-group inside_access_in in interface INSIDE
    • Inspection
      • policy-map global_policy
          class inspection_default
            inspect pptp

Is a PIX/OS upgrade the only solution in the case above?

Thanks for the collaboration!

