Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Multiple PPTP Connections through PIX v6.3?

I'm troubleshooting a PIX 506 config and came across the Cisco document:

that says:

"Multiple PPTP Connections Fail when using PAT

You can only have one PPTP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host."

Is this just an old, out-of-date piece of info or is this still an issue even with PIX v6.3 and later? I have other clients using PPTP through a PIX and I'm sure they have multiple simultaneous connections through it to a MS RAS server.

Does anyone know for sure?


Re: Multiple PPTP Connections through PIX v6.3?

If the PPTP clients are on the outside and the PPTP server is on the inside, then the server will need a one-to-one static entry in the PIX and the appropriate protocols allowed in. Once that's done, then you should be able to get multiple connections going.

If however, the PPTP clients are inside and the PPTP server is outside, and you're doing PAT on the PIX (using a nat/global pair), then that get's a bit harder. PPTP is not a TCP or UDP based protocol, and hence the PIX can't PAT it properly because there is no TCP/UDP port number to use.

If you assign each internal PPTP client a one-to-one static translation, then again this will work properly, but this means you need a valid global IP address for each client.

V6.3 code of the PIX does include support for PAT for PPTP, where it uses the tunnel-id parameter within the GRE packet as the port number for PAT'ing.

CreatePlease to create content