Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX's firewall rule


I'm running a site-to-site VPN at Cisco PIX, and when I scaned my pix i see port 1723 open, now i what i want is to filtre it and allow only my other vpn server to access it and no one else, so i need to write 2 rules, one which will allow other vpn server to access my vpn server and another deny everyone else,

now the problem thats i'm having is i'm allowing or denying traffic from internet to my outside interface due to my outside interface is the one that face internet, problem itself is i can't create a rule which is

deny any port pptp to my outside port pptp

it's saying

no communication is allowed between two interfaces which have same security level

how whould i go about it? how do i deny traffic from internet? to my outside interface?

thanks in advance


Re: PIX's firewall rule


Unfortunately, you cannot do this. As soon as you configure the PIX to terminate PPTP connections from clients, the PIX starts listening on TCP/1723. Access-lists on the PIX only affect traffic *through* the PIX rather than *to* the PIX. Ideally, you would want to have another device inside the PIX terminating the PPTP tunnels and let the PIX filter which devices were allowed to even get to the PPTP server. However, this is not a cost-effective solution in a lot of cases. The behavior you have seen is a side-effect of enabling services on a firewall rather than letting it just be a firewall. Hope this helps explain.


New Member

Re: PIX's firewall rule

well.. i mean what good is this firewall for if you can't filter anything there? vpn (pptp) was just an example.. let's say i want to filter another port.. or i mean.. what can I filter? i just dont understand..

New Member

Re: PIX's firewall rule


What Scott is trying to say is, if you really want the PIX to be able to filter all traffic traversing it, you need to stop using it as a device other than a firewall (i.e. a VPN server...). Basically, don't use it for VPN connections, don't use it for DHCP, and don’t use any services other than the firewall itself... When you activate this service, you are (like you have discovered), limiting your ability to control all traffic your PIX will receive.

If you are really concerned with ultimate control (which you should be if you are security minded), either start using a Microsoft VPN server on the inside of the pix, that way you can control at the IP level which machines can make a connection to 1723 to the VPN server's IP. Or, you can place a second pix in front of your existing one, which will act as your true first line of defense.

Now, I have to say, I enjoy the fact that PPTP is a service option on the pix, but it would also be nice if Cisco could update the IOS so that any enabled services on the PIX itself sit behind the firewall process, then access-lists can protect the PIX's other services.