
New Member

Rules needed for outbound PPTP connection?

I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.

When I try to connect using the WinXP built-in client, everything goes well until "Verifying username & password..."  After that, the connection times out.  Does something need to be allowed through in my external ACL on my PIX to allow this authentication?  Currently, the ACL only allows ICMP unreachables.  I was under the impression that PPTP didn't require anything special on my end for a connection originating inside the firewall.  I know it is not a problem with the client's site, because I can connect no problem using a Sprint Air Card from my laptop, with the Windows Firewall of course On.

Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Rules needed for outbound PPTP connection?

cooperben wrote:

Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.

Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

Apologies, GRE is for the data but you haven't got that far.

There are 2 ways to allow PPTP from inside to outside with ASA v7.x/8.x

1) allow GRE in acl and use a static NAT for the inside host

or

2) turn on PPTP inspection, in which case you don't need the GRE explicitly allowed.

Have a look at this link which covers both ways with config details -

ASA PPTP

Jon

4 REPLIES
Hall of Fame Super Blue

Re: Rules needed for outbound PPTP connection?

cooperben wrote:

I'm trying to connect out from behind my PIX-515 (v6.3.5) to a client's site using PPTP.  They have a Win2K3 server running RRAS, using MSCHAPv2 authentication.  Their firewall (an AT&T-provided router) simply has port 1723 forwarded to the RRAS server.

When I try to connect using the WinXP built-in client, everything goes well until "Verifying username & password..."  After that, the connection times out.  Does something need to be allowed through in my external ACL on my PIX to allow this authentication?  Currently, the ACL only allows ICMP unreachables.  I was under the impression that PPTP didn't require anything special on my end for a connection originating inside the firewall.  I know it is not a problem with the client's site, because I can connect no problem using a Sprint Air Card from my laptop, with the Windows Firewall of course On.

Any thoughts on where to look or links to relevant documentation would be appreciated.  Thanks in advance.

PPTP uses TCP port 1723 so you don't need to allow this back in as it will be automatically allowed back in.

However with PPTP vpn connections you also need to allow GRE and GRE is not stateful so you will need to explicitly allow it back in on your outside acl.

Jon

New Member

Re: Rules needed for outbound PPTP connection?

Thanks Jon.  I added the line 'permit gre any any' to the external ACL on the PIX.  However, when I tried to connect, I had the same error.  I have also turned off the Windows firewall so that is not the issue.

Any other ideas/places to look?  Does PPTP work fine when the connection is initiated from one NAT'd box to another?

New Member

Re: Rules needed for outbound PPTP connection?

Jon,

Just adding the GRE command by itself didn't work, but once I added the 'fixup protocol pptp 1723' command, I was able to connect.

Thanks for your help!
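Putting Jon's two options and the fixup command cooperben confirmed side by side in PIX 6.3 syntax, as an added example that is not part of the original thread and not taken from Cisco's documentation. The addresses (192.168.1.50 for the inside PPTP client, 203.0.113.10 for its public address) and the ACL name outside_in are constructed placeholders; lines beginning with ! are explanatory comments for the reader and are not part of the configuration.

```cisco
! Baseline from the question: the outside ACL admits only ICMP unreachables.
! Everything else arriving from the outside is dropped, including the GRE
! packets that carry the PPTP data channel back in. GRE (IP protocol 47) has
! no ports the PIX can track, so it is not handled as a stateful session the
! way the outbound TCP/1723 control connection is.
access-list outside_in permit icmp any any unreachable

! Option 1 (Jon's first way): static NAT for the PPTP client plus an explicit
! GRE permit. The static gives returning GRE packets a fixed translation to
! follow back to 192.168.1.50; scoping the permit to that single public
! address is tighter than 'permit gre any any'. Without a static (PAT only)
! the permit alone does not help, because the PIX has no translation to map
! the inbound GRE packet to an inside host.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
access-list outside_in permit gre any host 203.0.113.10

! Option 2 (Jon's second way, and what resolved the thread): PPTP inspection.
! The PIX watches the outbound TCP/1723 control channel and opens the GRE
! return path for that call by itself, so neither the static nor the GRE
! line in the ACL is needed, and PAT'd clients work as well.
fixup protocol pptp 1723

! Apply the outside ACL inbound on the outside interface.
access-group outside_in in interface outside
```

Pick one option rather than stacking both; option 2 keeps the outside ACL as it was, which is the smaller inbound exposure. On ASA 7.x/8.x, which Jon's link addresses, the equivalent of the fixup line is `inspect pptp` under `class inspection_default` in `policy-map global_policy`. On the PIX, `show fixup` should list `fixup protocol pptp 1723` once it is applied, and `show conn` while the tunnel comes up should show the TCP/1723 control connection followed by the GRE entry for the data channel; if the GRE entry never appears, the call is still failing at the control stage rather than at GRE.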
