Cisco Support Community

New Member

confusion on sample config for PPTP/GRE pass through on PIX

PIX 506E running OS 6.1(4)

OK, I've tried a few different ways to allow my remote users to VPN in, and all I really want is to allow these users to get at my Win2K server and let that do the authentication. So, looking at the sample config from: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

I need to verify that the second example is what I need. If so, do the remote users have to have static IPs, or can I use a general ACL statement that allows all PPTP traffic through the PIX, with the users then being prompted for auth at my server? I know it may be one more hole in the firewall, but it is critical to allow these folks to VPN in. Any help is greatly appreciated.

3 REPLIES
Cisco Employee

Re: confusion on sample config for PPTP/GRE pass through on PIX

If the server is on the inside and the clients are on the outside, then the 2nd example is all you need. The server needs a static IP address entry, the clients don't need anything special other than to point to this static'd IP address for the connection.

The ACL on the PIX outside interface has to allow both GRE and TCP/1723 for it to work. Other than that, you should be good to go.

New Member

Re: confusion on sample config for PPTP/GRE pass through on PIX

OK, I'm close to comprehension ;-) but a few more quickies:

1. For the ACL commands for the clients, would I enter "gre" and "tcp" entries with "any" instead of an assigned IP address? So essentially it would look like this?

access-list acl-out permit gre any host 2X.XXX.84.2
access-list acl-out permit tcp any host 2X.XXX.84.2 eq 1723
static (inside,outside) 2X.XXX.84.2 10.1.0.1 netmask 255.255.255.255 0 0
access-group acl-out in interface outside

Cisco Employee

Re: confusion on sample config for PPTP/GRE pass through on PIX

Correct. In general you won't know what the client IP addresses are going to be, so the ACL would say FROM any going TO your server. What you have looks correct.

Good luck with it.
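The config agreed on above, turned into a check. This is an added example written for this page, not code from the thread or from Cisco: a small Python lint that parses PIX 6.x static, access-list and access-group lines and confirms, using first-match ACL semantics with the implicit deny at the end, that the ACL bound inbound on the outside interface permits both TCP/1723 and GRE (IP protocol 47) to the static'd address of the inside PPTP server. The sample config is constructed from the lines posted above; 203.0.113.2 (an RFC 5737 documentation address) stands in for the redacted 2X.XXX.84.2, and 10.1.0.1 is the inside server as in the thread. It goes slightly beyond the thread in also accepting network/mask destinations and the "pptp" port keyword.

```python
"""Lint a PIX 6.x config for the PPTP pass-through pieces discussed above.

Added example, not from the thread or from Cisco. Parses static, access-list
and access-group lines and checks that the ACL bound inbound on the outside
interface lets both TCP/1723 and GRE reach the static'd server address.
Assumed: 203.0.113.2 stands in for the redacted outside address.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample based on the thread's posted lines (outside IP assumed).
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.2 10.1.0.1 netmask 255.255.255.255 0 0
access-list acl-out permit gre any host 203.0.113.2
access-list acl-out permit tcp any host 203.0.113.2 eq 1723
access-group acl-out in interface outside
"""

_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"          # any | host X | net mask
ACE_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_RE = re.compile(r"^static\s+\(\S+,\S+\)\s+(?P<global>\S+)\s+(?P<local>\S+)")
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$")
PORT_NAMES = {"pptp": "1723"}   # PIX accepts the keyword as well as the number
GRE_KEYWORDS = {"gre", "47"}     # 'gre' keyword or the raw IP protocol number

# Flows a PPTP client must be able to open to the server: control and tunnel.
REQUIRED_FLOWS = (("tcp", "1723"), ("gre", None))


@dataclass
class Result:
    ok: bool
    problems: list = field(default_factory=list)


def _dst_matches(spec: str, ip: str) -> bool:
    """True if an ACE destination ('any', 'host X', 'net mask') covers ip."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return parts[1] == ip
    net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_address(ip) in net


def _ace_matches(ace: dict, proto: str, dport, dst_ip: str) -> bool:
    """Does this ACE apply to the flow proto/dport towards dst_ip?"""
    if not _dst_matches(ace["dst"], dst_ip):
        return False
    aproto = ace["proto"]
    if aproto != "ip":
        if proto == "gre" and aproto not in GRE_KEYWORDS:
            return False
        if proto != "gre" and aproto != proto:
            return False
    if ace["port"] is not None:   # an 'eq' on the ACE must match the flow's port
        return dport is not None and PORT_NAMES.get(ace["port"], ace["port"]) == dport
    return True


def check_pptp_passthrough(config: str, server_local_ip: str,
                           outside_if: str = "outside") -> Result:
    statics, acls, bound = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m["local"]] = m["global"]
        elif m := ACE_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bound[m["iface"]] = m["name"]

    res = Result(ok=True)
    global_ip = statics.get(server_local_ip)
    if global_ip is None:
        res.problems.append(f"no static translation for {server_local_ip}")
    acl_name = bound.get(outside_if)
    if acl_name is None:
        res.problems.append(f"no access-group bound 'in interface {outside_if}'")
    if res.problems:
        res.ok = False
        return res

    for proto, dport in REQUIRED_FLOWS:
        label = proto if dport is None else f"{proto}/{dport}"
        # PIX ACLs are evaluated first-match, with an implicit deny at the end.
        verdict = next((a["action"] for a in acls.get(acl_name, [])
                        if _ace_matches(a, proto, dport, global_ip)), "deny")
        if verdict != "permit":
            res.problems.append(f"{label} to {global_ip} is not permitted by {acl_name}")
    res.ok = not res.problems
    return res


if __name__ == "__main__":
    print(check_pptp_passthrough(SAMPLE_CONFIG, "10.1.0.1"))
```

The check fails in exactly the ways people usually get this wrong: the GRE entry left out (TCP/1723 connects, but the tunnel never comes up), a mistyped access-group line that leaves the ACL unbound, or a deny placed ahead of the permit. On 6.1(4) the explicit GRE permit is required, since the PPTP fixup that inspects the control channel and opens GRE dynamically did not appear until PIX 6.3. Once a client has tried to connect, the hit counts in show access-list acl-out confirm which of the two entries is actually being matched.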
