Cisco Support Community

swb
New Member

PPTP from internet to Pix525 and then back to internet?

I have a PIX525 and have recently discovered that it won't provide access to the internet to PPTP clients who themselves access via the internet. For example, if I have a PPTP session active to the PIX from some outside location I can access the internal network without a problem. But accessing the internet generally doesn't work.

My understanding is that because the PPTP connection is on the outside interface, accessing the internet is prevented because the PIX won't redirect traffic on the outside interface.

I currently have just three of my six PIX physical interfaces defined: outside, dmz and inside. If I defined a fourth interface at a security level above my outside interface and terminated PPTP sessions on that interface, would the PPTP users then be able to get internet access while connected via PPTP?

On paper it seems right, since the PIX would be passing traffic from a higher level interface to a lower-level interface. Although it also seems like it might not, since the route to 0.0.0.0 will still be through the outside interface.

It almost seems like a bug that PPTP sessions can't get back out the PIX. Considering that the clients can already access the network protected by the PIX, what security value is there in blocking authenticated traffic from going back outside to the internet?

2 REPLIES
New Member

Re: PPTP from internet to Pix525 and then back to internet?

>Although it also seems like it might not, since the route to 0.0.0.0 will still be through the outside interface.

You are absolutely correct here. You cannot have two default gateways.

Been there, done that on this issue. Bottom line is you can't get there from here. Easiest answer is to allow split-tunneling and mandatory use of personal firewall while VPN is active.

You are also correct in that it is the non re-direct feature of the pix that prevents this from working, and also one of the reasons the PIX is such a good firewall. I would not trade this feature for anything.

swb
New Member

Re: PPTP from internet to Pix525 and then back to internet?

>You are also correct in that it is the non re-direct feature of the pix that prevents this from working, and also one of the reasons the PIX is such a good firewall. I would not trade this feature for anything.

I agree it's a good firewall feature, however applying it to PPTP traffic seems like a non sequitur. PPTP users have authenticated and have access to the internal network, which is supposed to be what's being protected. Preventing them from accessing the outside network seems like a non-defense, and the cynic in me seems to think it might also be a technique for selling dedicated VPN hardware, too...
