Multiple PPTP Connections through PIX v6.3?

thomasdzubin · ‎11-05-2007

I'm troubleshooting a PIX 506 config and came across the Cisco document:

http://www.cisco.com/warp/public/110/pix_pptp.html

that says:

"Multiple PPTP Connections Fail when using PAT

You can only have one PPTP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host."

Is this just an old, out-of-date piece of info or is this still an issue even with PIX v6.3 and later? I have other clients using PPTP through a PIX and I'm sure they have multiple simultaneous connections through it to a MS RAS server.

Does anyone know for sure?

ebreniz · ‎11-12-2007

If the PPTP clients are on the outside and the PPTP server is on the inside, then the server will need a one-to-one static entry in the PIX and the appropriate protocols allowed in. Once that's done, then you should be able to get multiple connections going.

If however, the PPTP clients are inside and the PPTP server is outside, and you're doing PAT on the PIX (using a nat/global pair), then that get's a bit harder. PPTP is not a TCP or UDP based protocol, and hence the PIX can't PAT it properly because there is no TCP/UDP port number to use.

If you assign each internal PPTP client a one-to-one static translation, then again this will work properly, but this means you need a valid global IP address for each client.

V6.3 code of the PIX does include support for PAT for PPTP, where it uses the tunnel-id parameter within the GRE packet as the port number for PAT'ing.