I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP. They have a Win2K3 server running RRAS, using MSCHAPv2 authentication. Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.
When I try to connect using the WinXP built-in client, everything goes well until "Verifying username & password..." After that, the connection times out. Does something need to be allowed through in my external ACL on my PIX to allow this authentication? Currently, the ACL only allows ICMP unreachables. I was under the impression that PPTP didn't require anything special on my end for a connection originating inside the firewall. I know it is not a problem with the client's site, because I can connect no problem using a Sprint Air Card from my laptop, with the Windows Firewall of course On.
Any thoughts on where to look or links to relevant documentation would be appreciated. Thanks in advance.
Thanks Jon. I added the line 'permit gre any any' to the external ACL on the PIX. However, when I tried to connect, I had the same error. I have also turned off the Windows firewall so that is not the issue.
Any other ideas/places to look? Does PPTP work fine when the connection is initiated from one NAT'd box to another?
Apologies, GRE is for the data but you haven't got that far.
There are 2 ways to allow PPTP from inside to outside with ASA v7.x/8.x
1) allow GRE in acl and use a static NAT for the inside host
2) turn on PPTP inspection, in which case you don't need the GRE explicitly allowed.
Have a look at this link which covers both ways with config details -
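The two approaches described in the reply above, written out as an added PIX/ASA CLI example (not taken from the thread or from the linked Cisco page); the interface names, ACL name and addresses are placeholders, and the PIX 6.3 fixup line is included because the original poster is on 6.3.5 rather than ASA 7.x/8.x.

```cisco
! Added example: the two ways to let an inside PPTP client reach an outside RRAS server.
! Addresses, hostnames and ACL names below are placeholders.
!
! Option 1: explicit GRE permit in the outside ACL plus a static NAT for the client.
! PPTP uses TCP/1723 for the control channel and GRE (IP protocol 47) for the data.
! GRE has no port numbers, so PAT cannot multiplex it; the inside client needs a 1:1 static.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
! Permit GRE only from the remote RRAS server to that client, not 'permit gre any any'
access-list outside_access_in permit gre host 198.51.100.5 host 203.0.113.10
! keep the existing ICMP unreachable permit
access-list outside_access_in permit icmp any any unreachable
access-group outside_access_in in interface outside

! Option 2: PPTP inspection. The firewall tracks the TCP/1723 control channel,
! learns the GRE call IDs, and opens the return GRE pinhole itself (PAT works too),
! so no GRE entry is needed in the outside ACL.
! ASA 7.x/8.x syntax (inspection_default class-map exists by default):
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
! PIX 6.3 (the poster's 6.3.5) uses the older fixup syntax instead:
fixup protocol pptp 1723
```

Without either the static plus GRE permit or inspection, the TCP/1723 negotiation completes but the GRE data packets from the RRAS server are dropped at the outside interface, which matches a hang right after the username/password step.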