Rules needed for outbound PPTP connection?

Answered Question
Feb 2nd, 2010

I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.

When I try to connect using the WinXP built-in client, everything goes well until "Verifying username & password..." After that, the connection times out. Does something need to be allowed through in my external ACL on my PIX to allow this authentication? Currently, the ACL only allows ICMP unreachables. I was under the impression that PPTP didn't require anything special on my end for a connection originating inside the firewall. I know it is not a problem with the client's site, because I can connect no problem using a Sprint Air Card from my laptop, with the Windows Firewall of course on.

Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

Jon Marshall Tue, 02/02/2010 - 12:50

cooperben wrote:

I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.

When I try to connect using the WinXP built-in client, everything goes well until "Verifying username & password..." After that, the connection times out. Does something need to be allowed through in my external ACL on my PIX to allow this authentication? Currently, the ACL only allows ICMP unreachables. I was under the impression that PPTP didn't require anything special on my end for a connection originating inside the firewall. I know it is not a problem with the client's site, because I can connect no problem using a Sprint Air Card from my laptop, with the Windows Firewall of course on.

Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

PPTP uses TCP port 1723, so you don't need to allow this back in; it will be automatically allowed back in.

However, with PPTP VPN connections you also need to allow GRE, and GRE is not stateful, so you will need to explicitly allow it back in on your outside ACL.

Jon

cooperben Tue, 02/02/2010 - 13:01

Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.

Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

Correct Answer
Jon Marshall Tue, 02/02/2010 - 13:14

cooperben wrote:

Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.

Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

Apologies, GRE is for the data but you haven't got that far.

There are 2 ways to allow PPTP from inside to outside with ASA v7.x/8.x

1) allow GRE in acl and use a static NAT for the inside host

or

2) turn on PPTP inspection, in which case you don't need the GRE explicitly allowed.

Have a look at this link which covers both ways with config details -

ASA PPTP

Jon

cooperben Tue, 02/02/2010 - 13:33

Jon,

Just adding the GRE command by itself didn't work, but once I added the 'fixup protocol pptp 1723' command, I was able to connect.

Thanks for your help!
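The two options Jon describes, and the `fixup protocol pptp 1723` line that resolved the thread, written out as an added configuration example (not configuration posted by anyone in the thread). The interface names, the ACL name `outside_in` and all addresses are assumptions: the inside client is 192.168.1.25, its public address 203.0.113.10, and the remote RRAS server 198.51.100.5 (documentation ranges, constructed for the example). The point of the two options is that GRE carries no port numbers, so an ordinary PAT cannot multiplex it and the firewall cannot build a return-traffic entry for it the way it does for the TCP/1723 control channel; you either give the client a one-to-one static and permit GRE inbound yourself, or let the PPTP inspector read the call IDs from the control channel and open the GRE pinhole for you.

```cisco
! Added example; addresses and names below are assumptions, not from the thread.
!   inside client  192.168.1.25   (constructed)
!   client public  203.0.113.10   (constructed)
!   remote RRAS    198.51.100.5   (constructed)

! ===== PIX 6.3 (the original poster's platform) =====

! Option 1: explicit GRE permit plus a one-to-one static for the client.
! GRE has no ports, so PAT cannot map the return packets to the inside host;
! the static gives the client its own outside address that GRE can land on.
static (inside,outside) 203.0.113.10 192.168.1.25 netmask 255.255.255.255
access-list outside_in permit icmp any any unreachable
access-list outside_in permit gre host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! Option 2: PPTP inspection (the fix that worked in the thread).
! The fixup follows the TCP/1723 control channel, learns the GRE call IDs
! from the Outgoing-Call-Request/Reply exchange and opens the GRE data
! channel dynamically, so neither the static nor the GRE ACE above is needed
! and the client can sit behind PAT.
fixup protocol pptp 1723

! ===== ASA 7.x / 8.x equivalents =====

! Option 1 on ASA: same shape, ASA ACL syntax.
static (inside,outside) 203.0.113.10 192.168.1.25 netmask 255.255.255.255
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit gre host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! Option 2 on ASA: enable PPTP inspection in the default global policy.
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
```

Option 2 is the tighter of the two: the GRE pinhole exists only while the matching PPTP control session is up and is keyed to the negotiated call IDs, whereas option 1 leaves a permanent inbound GRE permit and a permanent static. Pick one; running both leaves the blanket GRE ACE in place for no benefit. Independently of the firewall rules, PPTP with MS-CHAPv2 offers weak authentication and encryption, so treat this as interoperability with the client's existing server rather than a design to copy.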
