Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX not allowing outbound VPN traffic

We have a remote site that needs to connect back to the corporate office's Win2K server. We are in the process of implementing a VPN, however this site needs access before the VPN is in place. We had thought to have the individual machines on the remote LAN load up the Dial-up VPN drivers and establish connections back to the Win2K server.

Our problem: Our vendor claims that this is not possible with the Cisco PIX that is currently providing access for the remote LAN to the internet. The stated reason is that the PIX firewall rules are all or nothing, and so to open outbound connections up to corporate, they would also have to open all inbound connections into the PIX. This seems like an awfully strange way to build a network edge device, but I must admit that I am not familiar with the PIX devices directly.

Any thoughts on the matter? Both Corporate and Remote have fixed IP addresses. Also this is extremely temporary until we get the VPN stuff tested in our testing lab.

New Member

Re: PIX not allowing outbound VPN traffic

Your vendor is not correct. You can use access lists on PIX firewall's in much the same way you can use them on routers. On a per interface basis. In it's simplest form this means you can apply an access list to the inside interface for all outgoing traffic, and another (different) access list for the outside interface for incoming traffic. You can certainly configure a PIX to allow PPTP or IPSEC traffic through from the Internet and nothing else.

That said, if you are trying to use this Win2k server from behind the firewall using PAT you will probably come into problems.Might be easier to use the border devices to create a LAN to LAN VPN.


New Member

Re: PIX not allowing outbound VPN traffic

Hmm, good answers, I had figured that PIX would work similarly to the routers I am familiar with. Quicky clarification of network setup

Corporate LAN:

Internal LAN -> Win2k -> Internet

"Yes Win2k is router (shudder) running NAT"

Remote LAN:

Internal LAN -> PIX -> Internet

PIX is router on Remote LAN.

Windows VPN will not work from remote LAN across Internet to Win2K server. Windows VPN DOES work from dial-ups.

Vendor states that PIX configuration is reason that Connections fail from Remote LAN to Win2K server, and only way to fix this is to open up PIX to all traffic from the internet.

Vendor suggested PIX to Win2k LAN-to-LAN connectivity, but since NAT enabled on Win2k internal interface, was unable to make work.

Any more thoughts?

New Member

Re: PIX not allowing outbound VPN traffic

No "this'll definitely work" ideas.

The only solution I can see you working is putting a VPN capable device either side of the Win2K box. My guess would be the easiest way to do it would be to put the device inside the Win2K and do a static translation to it. Not sure if this is possible though, Win2K not my strong point.

Are you using xDSL or similar to connect the Win2K server to the Internet ?Is it possible to replace it with a router or firewall ?

Still not sure I agree with the Vendor. It's usually the NAT or PAT the PIX does, that causes problems with Microsoft VPN's. This will not be fixed by opening all ports on the PIX.

I could be wrong, correct me if I am.


CreatePlease to create content