
New Member

Help needed to connect to remote PPTP VPN via PIX 515e

Hello,

A user in our office needs to connect to a client's remote PPTP VPN but can't connect.  The user is running Windows 7.  We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.

The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:

"A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."

I have very little firewall experience and absolutely no Cisco experience I'm afraid.  From looking at the PIX config I can see the following line:

fixup protocol pptp 1723.


Does this mean that the PPTP protocol is enabled on our firewall?  Is this for both incoming and outgoing traffic?

I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?

I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.


Ros

5 REPLIES

Help needed to connect to remote PPTP VPN via PIX 515e

Hi! Please paste your PIX full config here.

fixup protocol pptp means that PPTP protocol inspection is enabled.

New Member

Help needed to connect to remote PPTP VPN via PIX 515e

Hi Eugene,

Thank you for taking the time to reply to me.  Please see our full PIX config below.  I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum.  I hope that the information below is still sufficient for you.

Thanks again for your help,

Ros

PIX(config)# en
Not enough arguments.
Usage:  enable password [] [level ] [encrypted]
        no enable password level
        show enable
PIX(config)# show config
: Saved
: Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password XXX encrypted
passwd XXX encrypted
hostname PIX
domain-name XXX.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name XX.XX.XX.XX Secondary
access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl deny udp any any eq 135
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
pager lines 24
logging on
logging host inside XX.XX.XX.XX
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside XX.XX.XX.XX 255.255.255.0
no ip address DMZ
ip audit info action alarm
ip audit attack action alarm
pdm location XX.XX.XX.XX 255.255.255.255 inside
pdm location XX.XX.XX.XX 255.255.0.0 outside
pdm location XX.XX.XX.XX 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server XX.XX.XX.XX source outside prefer
http server enable
http XX.XX.XX.XX 255.255.0.0 outside
http XX.XX.XX.XX 255.255.255.0 outside
http XX.XX.XX.XX 255.255.255.255 inside
snmp-server host inside XX.XX.XX.XX
no snmp-server location
no snmp-server contact
snmp-server community XXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic cola
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.XX.XX.XX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address USER1
crypto map outside_map 25 set peer XX.XX.XX.XX
crypto map outside_map 25 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer XX.XX.XX.XX
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer XX.XX.XX.XX
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer XX.XX.XX.XX
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer XX.XX.XX.XX
crypto map outside_map 70 set transform-set ESP-3DES-MD5
crypto map outside_map 75 ipsec-isakmp
crypto map outside_map 75 match address USER4
crypto map outside_map 75 set peer XX.XX.XX.XX
crypto map outside_map 75 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address USER2
crypto map outside_map 80 set peer XX.XX.XX.XX
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp
crypto map outside_map 90 match address USER3
crypto map outside_map 90 set peer XX.XX.XX.XX
crypto map outside_map 90 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet XX.XX.XX.XX 255.255.0.0 outside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet timeout 30
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:XXX
PIX(config)#
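The question in this thread comes down to three things a PIX 6.3 must do for an inside client to reach an external PPTP server: let the TCP/1723 control channel out, let the GRE (IP protocol 47) data channel through in both directions, and cope with GRE having no port numbers when the client is hidden behind PAT ("global (outside) 1 interface"). The following Python checker is an added example written for this thread; it is not Cisco's code nor anything the posters ran. It reads a PIX 6.3 text config and reports those three points. It assumes PIX 6.3 behaviour as documented: with no access-group applied to the inside interface all outbound traffic is permitted, and "fixup protocol pptp" inspects the control channel and creates the GRE connection and xlate that PAT otherwise cannot build. The sample config embedded below is constructed, modelled on the posted one with a placeholder address, and a static check like this only tells you what the config allows, not what actually happened on the wire.

```python
"""Static outbound-PPTP check for a PIX 6.3-style text config.

Added example for this thread (not Cisco's or the poster's code).  It decides
whether the PIX itself should let an inside client reach an external PPTP
server, based on the TCP/1723 control channel, the GRE data channel and PAT.
"""
import re

# Constructed sample config: the lines of the posted config that matter here,
# with a documentation-range placeholder instead of the redacted addresses.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol pptp 1723
access-list outside_access_in permit tcp any host 198.51.100.10 eq https
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
"""


def parse_config(text):
    """Return the non-empty, non-comment config lines with whitespace normalised."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(":") and not line.startswith("!"):
            lines.append(line)
    return lines


def pptp_fixup_port(lines):
    """Port of the PPTP fixup (application inspection), or None if it is not enabled."""
    for line in lines:
        m = re.fullmatch(r"fixup protocol pptp (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def inbound_acls(lines):
    """Map interface name -> ACL bound with 'access-group <acl> in interface <if>'."""
    acls = {}
    for line in lines:
        m = re.fullmatch(r"access-group (\S+) in interface (\S+)", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return acls


def acl_permits(lines, acl, protocol, port=None):
    """True if any entry of `acl` permits `protocol` (and `port`, when given).

    'permit ip' covers every IP protocol, so it satisfies a GRE or TCP query.
    Source/destination matching is deliberately ignored: this is a coarse check.
    """
    for line in lines:
        m = re.match(rf"access-list {re.escape(acl)} permit (\S+)(.*)", line)
        if not m:
            continue
        proto, rest = m.group(1), m.group(2)
        if proto == "ip":
            return True
        if proto != protocol:
            continue
        if port is None or re.search(rf"\beq {port}\b", rest):
            return True
    return False


def uses_pat(lines):
    """True if 'global (outside) N interface' turns the outside address into a PAT pool."""
    return any(re.fullmatch(r"global \(outside\) \d+ interface", l) for l in lines)


def assess_outbound_pptp(text, inside="inside"):
    """Report whether the PIX config should pass an inside client's PPTP session."""
    lines = parse_config(text)
    fixup = pptp_fixup_port(lines)
    inside_acl = inbound_acls(lines).get(inside)
    # No access-group on the inside interface: PIX permits all traffic from the
    # higher-security inside interface out, so TCP/1723 and GRE both leave.
    control_ok = inside_acl is None or acl_permits(lines, inside_acl, "tcp", fixup or 1723)
    gre_ok = inside_acl is None or acl_permits(lines, inside_acl, "gre")
    pat = uses_pat(lines)
    # GRE carries no ports, so PAT cannot translate it on its own; PIX 6.3 relies
    # on the PPTP fixup to watch the control channel and build the GRE xlate.
    gre_return_ok = fixup is not None or not pat
    blockers = []
    if not control_ok:
        blockers.append(f"inside ACL {inside_acl} does not permit tcp/{fixup or 1723}")
    if not gre_ok:
        blockers.append(f"inside ACL {inside_acl} does not permit gre")
    if not gre_return_ok:
        blockers.append("PAT in use but 'fixup protocol pptp' is missing: GRE cannot be translated")
    return {
        "pptp_fixup_port": fixup,
        "inside_acl": inside_acl,
        "pat": pat,
        "blockers": blockers,
        "pix_should_pass_pptp": not blockers,
    }


if __name__ == "__main__":
    for key, value in assess_outbound_pptp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample (which mirrors the posted config: PPTP fixup present, PAT on the outside interface, no inside access-group) it reports no blockers, i.e. nothing in the config itself stops an outbound PPTP session. Removing the fixup line, or binding an inside ACL that permits TCP/1723 but not GRE, makes it name the specific blocker, which is the check worth doing before blaming the ISP or the far end.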

Help needed to connect to remote PPTP VPN via PIX 515e

Hi! Are you sure that your ISP permits PPTP connections? You can isolate the problem in this manner:

Remove the PIX from the network edge and place a generic PC there. Configure the address/mask/gateway on the PC (the same that was used on the PIX's outside interface) and try to connect to the PPTP server from this PC. If it is successful, then the problem is definitely in your ISP.

HTH. Please rate if it was helpful.

New Member

Help needed to connect to remote PPTP VPN via PIX 515e

Hi Eugene,

Thank you so much for replying again. 

I'm not really in a position to remove the PIX from the network edge as that will disrupt things for all my users.

Can you tell from the PIX config that I posted whether an internal user should be able to connect to an external PPTP server?  Is that why you're suggesting it might be an issue with my ISP?

I'll try contacting my ISP directly to see if they permit PPTP connections.

Kind regards,

Ros

New Member

Help needed to connect to remote PPTP VPN via PIX 515e

Hello again,

Just to confirm that I've spoken to our ISP and they are definitely not blocking anything.  So it must be our PIX firewall that is causing the problem.

Kind regards,


Ros
