
PPTP traffic cannot pass through pix 525 7.0(7)

xh_liu (Level 1)

First:

I read the Cisco document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#new

The PPTP client is on the inside,

the PPTP server is on the outside.

When I do not use the firewall, the PPTP connection can be established successfully.

But with the PIX 525 7.0(7),

I configured:

inspect pptp.

The PPTP connection cannot be set up.

"show conn" on the PIX:

The PPTP TCP 1723 connection is OK.

The GRE connection has only one flag, "E"; E means "outside back connection".

I tried a second method:

deleted "inspect pptp",

permitted TCP 1723 and GRE traffic from outside to inside, and I have configured static NAT,

but the PPTP connection cannot work either.

So I think there is a PPTP bug in PIX 7.0(7).

Can you help me with this question?

Thanks a lot.

5 Replies

smahbub (Level 6)

You can only have one PPTP/L2TP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host.

Refer to the following URL for PPTP configuration and troubleshooting on the PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml#tshoot
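The two symptoms raised so far (the original poster's GRE conn that shows only the "E" flag, and the one-PPTP-client-per-PAT-address limit described in the reply above) can both be picked out of `show conn` output mechanically. The script below is an added example, not code from the thread or from Cisco: it pairs each TCP/1723 control connection with the GRE connection for the same inside/outside host pair, reports control connections whose GRE conn is missing or was pre-allocated by inspection but never came up, and counts how many inside clients are talking to the same PPTP server (if those clients share one PAT address, only one of them can get a GRE conn). The sample lines are constructed to approximate the PIX 7.x `show conn` line format; the regular expression is an assumption about that format, and the flag meanings used are U (up) and E (outside back connection), as stated in the thread.

```python
import re
from collections import Counter

# Constructed sample "show conn" lines in the PIX 7.x style (not output from the
# poster's firewall). Assumed line format: proto, "out" outside addr[:port],
# "in" inside addr[:port], idle time, optional byte count, flags.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:1723 in 10.1.1.20:1054 idle 0:00:12 Bytes 1043 flags UIO
GRE out 203.0.113.10 in 10.1.1.20 idle 0:00:05 Bytes 0 flags E
TCP out 203.0.113.10:1723 in 10.1.1.21:1100 idle 0:00:03 Bytes 2210 flags UIO
GRE out 203.0.113.10 in 10.1.1.21 idle 0:00:01 Bytes 8800 flags UIO
TCP out 203.0.113.10:1723 in 10.1.1.22:1200 idle 0:00:40 Bytes 310 flags UIO
"""

# Assumed regex for one conn line; GRE lines carry no ports.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|GRE)\s+out\s+(?P<oaddr>[\d.]+)(?::(?P<oport>\d+))?"
    r"\s+in\s+(?P<iaddr>[\d.]+)(?::(?P<iport>\d+))?"
    r"\s+idle\s+(?P<idle>[\d:]+)(?:\s+Bytes\s+(?P<bytes>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)\s*$"
)

STATUS_OK = "ok"                  # control conn and an up GRE conn
STATUS_NO_GRE = "no-gre"          # no GRE conn at all: ACL/static or inspect missing
STATUS_GRE_NOT_UP = "gre-not-up"  # GRE conn exists but has never come up (e.g. flags E only)


def parse_show_conn(text):
    """Return a list of dicts, one per conn line that matches CONN_RE."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
            conns.append(d)
    return conns


def audit_pptp(text):
    """Map each inside PPTP client address to a status string."""
    conns = parse_show_conn(text)
    control = [c for c in conns if c["proto"] == "TCP" and c["oport"] == "1723"]
    gre = {(c["iaddr"], c["oaddr"]): c for c in conns if c["proto"] == "GRE"}
    report = {}
    for c in control:
        g = gre.get((c["iaddr"], c["oaddr"]))
        if g is None:
            status = STATUS_NO_GRE
        elif "U" not in g["flags"]:
            # Only "E" (outside back connection): the firewall expected the
            # server's GRE traffic but the conn never went up.
            status = STATUS_GRE_NOT_UP
        else:
            status = STATUS_OK
        report[c["iaddr"]] = status
    return report


def clients_per_server(text):
    """Count distinct inside clients per PPTP server; more than one behind a
    single PAT address is the case the reply above says cannot work."""
    conns = parse_show_conn(text)
    pairs = {(c["iaddr"], c["oaddr"]) for c in conns
             if c["proto"] == "TCP" and c["oport"] == "1723"}
    return dict(Counter(oaddr for _, oaddr in pairs))


if __name__ == "__main__":
    for client, status in audit_pptp(SAMPLE_SHOW_CONN).items():
        print(client, status)
    for server, n in clients_per_server(SAMPLE_SHOW_CONN).items():
        print("PPTP server %s has %d inside clients" % (server, n))
```

Run it against a pasted `show conn` capture; a client reported as `gre-not-up` matches the original poster's symptom, `no-gre` means the GRE conn was never even created (no matching access-list/static or no `inspect pptp`), and a server with several clients is worth checking against the PAT limitation.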

I do not need to configure a PPTP client or server on the PIX;

I just want PPTP traffic to pass through the PIX firewall.

I had the same issue. When I put in the inspect pptp command, I got the same results as you did. FWIW - I entered the old "fixup protocol pptp 1723" (which is just supposed to add the "inspect pptp", right?). Now all of a sudden it's working. Only difference is I'm running 8.03 code.

sdoremus33 (Level 3)

Here is an excerpt from the Cisco doc:

http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix707rn.html#wp252214

Features not Supported in Version 7.0

The following features are not supported in Version 7.0(7):

• PPPoE

• L2TP over IPSec

• PPTP

HTH.....

I have the same environment as "xh_liu"; the information follows:

  • Firewall
    • Cisco PIX 525 - PIX/IOS v7.2(4)
  • Topology
    • CLIENT (INSIDE) |----------| PIX |----------| Server PPTP (OUTSIDE)
  • Configuration
    • Rules
      • access-list inside_access_in permit gre host host
      • access-list inside_access_in permit tcp host host eq 1723
      • access-group inside_access_in in interface INSIDE
    • Inspection
      • policy-map global_policy
          class inspection_default
            inspect pptp

Is the only solution in the case above a PIX/OS upgrade?

Thanks for your collaboration!
