
Trying to configure PPTP thru PIX (6.3) running PAT

I have configured my PIX (6.3) running PAT to allow a PPTP session from a remote Win2K client. The client is authenticated by the PIX, receives its IP address from the pptp-pool and can even ping the internal Win XP Pro machine. So far, so good.

The problem starts when I try to browse to my XP machine or search for it by IP address. When I try, I get the following error from my PIX:

%PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:
%PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:
%PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:

Obviously there is no static mapping because I am using PAT, but doesn't 6.3 code support PPTP w/ PAT?

Here's my PIX config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
hostname Lab-PIX
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip
access-list 100 permit ip
access-list 100 deny ip any any
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside
icmp deny any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
access-group 100 in interface outside
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username XXXXXX password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

Thanks for any help on this!


Re: Trying to configure PPTP thru PIX (6.3) running PAT


PIX OS V6.3 supports PPTP pass-through, i.e. when the PPTP client machine is sitting behind the PIX firewall and the PIX is configured to do PAT; in that case the PPTP fixup works to an MS VPN server.

In your case you are connecting to a PIX (w/ 6.3), and it seems like some MS networking issue. Try configuring a WINS/DNS IP address assignment using:

vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]

See if that helps.
