Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn issues with windows based vpn


I am trying to connect to my office from home through a windows based VPN (win 2003 and win XP) and have issues with it. I have a PIX 506E firewall in the office and there is no firewall at home.

Can someone advise what other configuration is needed on the pix firewall to achieve this. I have opened ports 1723, 500 on pix firewall for external access and configured office pix as below

access-list 102 permit ip

ip local pool vpn-clients

nat (inside) 0 access-list 102

sysopt connection permit-pptp

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local vpn-clients

vpdn group 1 client authentication local

vpdn enable outside

I will be authenticating with my domain username and password.

my network - 172.16.x.x

office network - 10.10.10.x

vpn client network assigned on pix - 192.168.1.x

Your early response is appreciated.

Thanks you


New Member

Re: vpn issues with windows based vpn

Hi Venkat

You state you wish to use some sort of AAA authentication in order to authenticate against your domain credentials, but you have configured the VPN to use local client authentication without supplying it with a username and password, such as:

vpdn username cisco password cisco

The following link should get you started with enabling AAA for PPTP VPN:



New Member

Re: vpn issues with windows based vpn

Hi Kev

Thanks for your response. I guess I am making a mistake here. Actually I am just using my domain name and password to get authenticated which is through the Win 2003 SBS server. So I dont think I need

vpdn group 1 client authentication local

vpdn username cisco password cisco

(But again I tried this as well and didnt work)

But do I have to use any command for windows based authentication?

I have created a VPN connection and on properties, I have tabs as below

General - public IP of office Internet

Options - all are checked on dialing options

(display progress, prompt for name & pwd, include windows logon domain)

Security - typical

required secured password under validate my identity

automatically use my windows logon name, pwd - unchecked

require data encryption - unchecked

networking - PPTP VPN (type of VPN)

Advanced - win firewall is off

internet connection sharing - unchecked

Please advise

New Member

Re: vpn issues with windows based vpn


Having re-read your original post, I have a few further thoughts as to why it will not work. You do not need to open 1723 and 500 on the pix, your vpdn configuration allows pptp to bypass conduit/acl checks when it is enabled (the sysopt connection permit-pptp command). However, I think you do need to ensure you have permitted 1723 outbound (likely) and GRE (protocol 47) inbound (unlikely), and that you are using a 1-to-1 static NAT translation between your inside private address on your network and (one of) your public address on your outside block.

If you only have PAT and are not able to configure a static NAT entry then I don't think it will work. The alternative would be to configure an NAT-T aware IPSEC VPN tunnel to the Pix using the Cisco VPN Client, which will happily work with PAT - details of how to configure this can be found here:

and nat-t here:



New Member

Re: vpn issues with windows based vpn

Hi Kev

I did not expect that this is so critical or may be just critical for me. I have attached the config here. It worked pretty well when Linksys router was in place and just these issues after replacing with PIX. Unfortunately I dont have much time and I may have to revert back if this doesnt work in next few hours.

I am not sure if I am doing some basic mistakes here about the user authentication etc. When I enable logging, I am getting this message. PPTP: Call id 32975, no session

Can you please check the config and advise. I am looking at other solutions now. Right now I am not using any Cisco VPN client. I guess these are not free right?

Thanks for all your time

New Member

Re: vpn issues with windows based vpn

Hi Kev

I have removed the static translations for PPTP and authentication is done locally by PIX and that worked.

Thanks for your time and help