Cisco Support Community


passing W2K PPTP through PIX 6.0 to external address

I'm trying to establish a W2K pro PPTP tunnel through a PIX out to an external Multi-homed W2K server (across public internet). When I initiate the client (secure side of PIX) it contacts the external server and begins to authenticate but eventually times out. I've verified the client PPTP setup using an external dial-out account (bypassing my entire network) and it connects just fine.

My first guess is the PAT on the firewall is interfering with the W2K PPTP handshake - I know the Cisco Client allows for IPsec through NAT but I couldn't find anything like that in the W2K setup ...

Thanks,

Ryan

8 REPLIES

Re: passing W2K PPTP through PIX 6.0 to external address

doh! I should have kept looking. A previous post answered this question for me I think. PAT is the issue.

Let me know if you have any ideas on a work around ...

Thanks,

Ryan
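To make the "PAT is the issue" point concrete, here is a toy model of the two translation styles discussed in this thread. It is an added illustration, not PIX code and not something any poster supplied; the addresses, port numbers and class names are constructed for the example. PPTP needs two flows, a TCP control connection to port 1723 and a GRE (IP protocol 47) tunnel. A port-based translator can only build a translation for a flow that has an L4 port to rewrite, so the GRE half never gets a slot, while a 1:1 static maps the whole address and carries any protocol.

```python
"""Toy model of PPTP behind PAT versus behind a 1:1 static translation.
Illustration only (not PIX code); all addresses and ports are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

TCP, GRE = 6, 47          # IP protocol numbers
PPTP_PORT = 1723          # PPTP control channel (TCP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


class PortAddressTranslator:
    """PAT: many inside hosts share one outside address; flows are told apart
    by rewriting the L4 source port, so only port-carrying protocols fit."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table: dict = {}     # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None           # nothing to key the translation on: dropped
        xport = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, xport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=xport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.outside_ip or entry is None:
            return None           # no matching translation: dropped
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


class StaticTranslator:
    """1:1 static: a fixed inside<->outside address pair, protocol-agnostic."""

    def __init__(self, inside_ip: str, outside_ip: str):
        self.inside_ip, self.outside_ip = inside_ip, outside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src != self.inside_ip:
            return None
        return replace(pkt, src=self.outside_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.outside_ip:
            return None
        return replace(pkt, dst=self.inside_ip)


def simulate_pptp(nat, client="10.1.1.10", server="198.51.100.5") -> dict:
    """Push both PPTP flows through `nat` and report which legs survive."""
    ctl = Packet(TCP, client, server, sport=3001, dport=PPTP_PORT)
    ctl_x = nat.outbound(ctl)
    ctl_reply = None
    if ctl_x is not None:
        # the server answers to whatever address/port it saw on the wire
        ctl_reply = nat.inbound(Packet(TCP, server, ctl_x.src,
                                       sport=PPTP_PORT, dport=ctl_x.sport))
    gre = Packet(GRE, client, server)          # GRE carries no L4 ports
    gre_x = nat.outbound(gre)
    gre_reply = None
    if gre_x is not None:
        gre_reply = nat.inbound(Packet(GRE, server, gre_x.src))
    return {
        "control_out": ctl_x is not None,
        "control_back": ctl_reply is not None and ctl_reply.dst == client,
        "gre_out": gre_x is not None,
        "gre_back": gre_reply is not None and gre_reply.dst == client,
    }


if __name__ == "__main__":
    print("PAT   :", simulate_pptp(PortAddressTranslator("203.0.113.1")))
    print("static:", simulate_pptp(StaticTranslator("10.1.1.10", "203.0.113.2")))
```

Under the PAT translator only the TCP control channel gets through and comes back; the GRE tunnel is dropped on the way out. Under the static the server's GRE replies reach the inside host, which is why the configs later in this thread all start from a `static (inside,outside)` entry rather than a PAT pool.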

pag

Re: passing W2K PPTP through PIX 6.0 to external address

What was the solution for your problem. I'm having the same issue


Re: passing W2K PPTP through PIX 6.0 to external address

Well right now I'm going to forget the internal client configuration because I don't want to short-circuit our DMZ and bring a direct connection straight through. I'm going to try a Lan-to-lan connection using our 3030. I've initiated lan-to-lan with 2 PIXs using IPsec but never with PPTP to a W2K server. Should be tons-O-fun.


Re: passing W2K PPTP through PIX 6.0 to external address

You need to set up a conduit or access list through the firewall with a static IP address to the internal computer. The internal computer can send packets out, but the packets are blocked at the firewall from getting back in. I was told to open up ports for PPTP (I can't remember what they were), but that didn't work. I ended up allowing TCP from host to host (from the IP address of the PC outside your network to the external (public) IP of the computer inside your network). I hope this helps; if you need more help I can post some configs.

jp


Re: passing W2K PPTP through PIX 6.0 to external address

I have tried allowing PPTP access, with no luck, and would really like to see your configs. What I have done: created a static 1-to-1 NAT translation, opened tcp eq 1723 & protocol 47 (GRE) outbound and inbound.

static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255
access-list allow_outbound permit gre 10.0.0.0 255.0.0.0 any
access-list allow_outbound permit tcp 10.0.0.0 255.255.0.0 any eq 1723
access-list allow_inbound permit ip any host 12.x.x.x
access-list allow_inbound permit gre any host 12.x.x.x
access-list allow_inbound permit tcp any host 12.x.x.x eq 1723

In addition, I allowed ALL outbound & ALL inbound to and from any with NO luck (just for testing).

Thanks,

Mike


Re: passing W2K PPTP through PIX 6.0 to external address

There are two ways you can do it:

The first way allows for point-to-point access from a specific host to a specific host. The second way allows for VPN PPTP connections to anywhere and back, but it is a little less secure. It looks like the only difference between our configs is you don't have the permit UDP statement. Let me know if you have any questions. (The 216 in my config is the external host that we are connecting to.)

JP

static (inside,outside) 237.xx.xx.1 10.xx.xx.1 netmask 255.255.255.255 0 0
access-list REMOTE permit ip host 216.xx.xx.xx host 237.xx.xx.1

static (inside,outside) 237.xx.xx.2 10.xx.xx.2 netmask 255.255.255.255 0 0
access-list REMOTE permit ip any host 237.xx.xx.2
access-list REMOTE permit udp any host 237.xx.xx.2


Re: passing W2K PPTP through PIX 6.0 to external address

jp,

I thought the PIX had implicit permit all for outbound connections initiated from the inside (secure leg) and automatically allowed the reply to pass back through as long as the reply packet was good. Implicit deny all is only applied to connections initiated from the outside in right?

I don't have to open up return ports for outbound http traffic, etc ...

Just wondering ...

Thanks,

Ryan


Re: passing W2K PPTP through PIX 6.0 to external address

Try a debug packet on outside (specify W2K server as source in order to filter the traffic) in order to see what arrives on PIX port and why it's discarded.

Maurizio
