Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

PIX501: Disconnecting PPTP VPN's

Hello,

I have a PIX 501 that stands between my DMZ and private network. I have recently added the fixup protocol pptp 1723 line to my firewall. When employees have a PPTP VPN established it is very unstable. There connection is severred within a minute or two. Any ideas as to what the cause may be? Is there a better or alternative method to allow pptp? So far this has been the only method I have found. Thanks for your help. Here is my config:

PIX501# show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ---------

passwd --------

hostname PIX501

domain-name ------------

fixup protocol dns maximum-length 51

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_access_in permit ip any any log

access-list inside_outbound permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.17.xx.1 255.255.255.0

ip address inside 10.xx.xx.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_outbound in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 172.17.xx.17 1

route outside 172.22.xx.0 255.255.255.0 172.17.xx.12 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.xx.xx.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.xx.xx.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.xx.xx.1-10.xx.xx.128 inside

dhcpd dns 172.17.xx.10 209.xx.xx.xx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain --------

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

: end

3 REPLIES
Silver

Re: PIX501: Disconnecting PPTP VPN's

Try:

"clear crypto isakmp sa" and "clear crypto ipsec sa" on the pix.

Cisco Secure PIX Firewall Frequently Asked Questions:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

Community Member

Re: PIX501: Disconnecting PPTP VPN's

I am experiencing this exact same problem.

I am running 6.3(4). My client computer can launch a pptp session to an outside server fot about 3 minutes. Then the connection just disconnects itself. I have tried the following so far:

clear crypto isakmp

clear crypto ipsec sa

I have also tried bumping up the time for xlate timeout. This was originally set for 5 minutes and I changed it to 2 hours.

None of this has worked so far. I am not sure if this is a bug in 6.3(4) and 6.3(5) or if this is a configuration issue.

Does anyone else have any ideas???

Community Member

Re: PIX501: Disconnecting PPTP VPN's

I didn't see how clearing isakmp and ipsec would do anything, but i tried it anyway and as I assumed, nothing changed. I have also noticed that I lose DNS at least once a day for around 5 minutes or so. I wonder if it is related.

372
Views
0
Helpful
3
Replies
CreatePlease to create content