
New Member

allow vpn pass thru on PIX 525 (ASA 7.2)

I do have PIX firewalls deployed across my network. A sample site is attached in the diagram. Since I am new to the PIX world, with less knowledge, please advise me how to allow my users behind the subnet to connect to their own corporate VPNs. Some of them need to connect to an MS VPN - domain abc (PPTP) and some need to connect to a Cisco PIX VPN - domain xyz (IPsec) remote access VPN. What should be my concerns:

1. IP address allocation from other side?

2. security concerns?

How can I allow requests to multiple, multi-protocol VPNs through my firewall?

Anyone who did a similar setup, please advise me. I do have the authority to make whatever changes are required in the PIX; this box is still in the test phase.

Awaiting your feedback




Re: allow vpn pass thru on PIX 525 (ASA 7.2)

Hello MIC,

These are the standard ports used for IPsec/PPTP etc.:

IPsec: please open the following on the PIX:

UDP 4500 & UDP 500 - ISAKMP/NAT-T

AH / ESP IP access

TCP 443 - SSL VPN (if any)

You can also add the sysopt commands for IPsec on your firewall.


TCP/UDP 1723

Are there any ACLs defined on the inside of the firewall? If yes, you need to add the above, or it really doesn't matter. But the best practice anyway is to add an ACL on the inside interface too!!

Also, enable split tunneling on the VPN concentrator if possible and tunnel ONLY the traffic that is required to go on the IPsec tunnel... If you tunnel everything (which is ON by default), there are chances of any rogue packet flooding onto your VPN network. You can allocate a separate IP pool for IPsec VPN users and give the required permissions on the VPN concentrator. This is always preferred over giving the IP pool from the same LAN network on the destination.

Hope this helps. Try this and let us know... Rate replies if found useful.


New Member

Re: allow vpn pass thru on PIX 525 (ASA 7.2)

You need to do this on the PIX:

isakmp nat-traversal 10

Allow outbound access on the PIX:

isakmp (udp 500)

NAT-T (udp 4500)

ESP (proto 50)


PPTP (tcp 1723)

The GRE and PPTP are for Microsoft VPN remote access VPN. You do NOT need AH because you have a NAT device in between. AH will NOT work anyway. It is not needed. You tried this in the CCIE security lab and you will



CCIE Security

New Member

Re: allow vpn pass thru on PIX 525 (ASA 7.2)

One more thing, if you are running PIX 6.x code, you will need to do this:

fixup protocol pptp 1723

or Microsoft VPN will not go through the PIX.
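Putting the three replies above together for the original poster's ASA 7.2 case, here is a sample pass-through configuration. This is an added example, not posted by any of the participants and not taken from a Cisco document; the inside subnet 10.0.0.0/24, the interface name `inside` and the ACL name `inside_access_in` are assumptions chosen for illustration. It permits outbound ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP for the Cisco IPsec clients and, for the Microsoft VPN, PPTP (TCP 1723) plus GRE; `inspect pptp` is the 7.x replacement for the 6.x `fixup protocol pptp 1723` mentioned above.

```cisco
! Added example for PIX/ASA 7.x; the subnet, interface and ACL names are assumed,
! not taken from the thread. Outbound (inside -> outside) rules for VPN clients
! on 10.0.0.0/24 reaching their corporate gateways.
access-list inside_access_in remark Cisco IPsec remote access: ISAKMP, NAT-T and ESP
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq isakmp
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq 4500
access-list inside_access_in extended permit esp 10.0.0.0 255.255.255.0 any
access-list inside_access_in remark Microsoft PPTP remote access: TCP control channel plus GRE data
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq pptp
access-list inside_access_in extended permit gre 10.0.0.0 255.255.255.0 any
access-list inside_access_in remark Add the site's normal outbound rules (DNS, web, ...) here;
access-list inside_access_in remark an applied ACL ends with an implicit deny.
access-group inside_access_in in interface inside
!
! PPTP inspection tracks the TCP 1723 control channel so the firewall can open
! the matching GRE flows through NAT (7.x equivalent of "fixup protocol pptp 1723").
policy-map global_policy
 class inspection_default
  inspect pptp
```

As the first reply notes, if no ACL is applied to the inside interface the PIX already permits inside-to-outside traffic by its security levels, so the access-list lines only matter once you apply one; the inspection lines are needed either way for PPTP through NAT. After a client connects, `show access-list inside_access_in` shows per-line hit counts, which is the quickest way to see which of the listed protocols the client actually used and which lines you can drop.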


New Member

Re: allow vpn pass thru on PIX 525 (ASA 7.2)


Is there any step-by-step config guide I can work on for my firewall? BTW, I do not have any support from the other side VPN (both MS PPTP and Cisco IPsec), so zero chance to modify the other network.

I am just investigating the chance of modifying commands on my firewall to allow my inside users ( subnet) to access their corporate VPN. I got a general idea from your e-mail, but am stuck on the actual config.

Please let me know if you can assist me with a sample config or URL.