Cisco Support Community

Microsoft VPN does not work through PIX/ASA


We are dealing with the same problem in two different scenarios: PIX 515 and ASA 5510.

In both cases we have an internal Windows 2003 server behind the firewall with the RRAS service running, so that remote Windows XP clients connect using native PPTP capabilities. However, these clients are not even authenticated; VPN tunnels are not completed.

We are sure that the Windows configurations are good; the problem is on the PIX/ASA. Surprisingly, GRE traffic is registered in the PIX/ASA logs:

2009-01-06 23:23:53 Local4.Info %PIX-6-302013: Built inbound TCP connection 3315921 for ( to inside: (tt.zz.yy.xx/1723)

2009-01-06 23:23:53 Local4.Info %PIX-6-302017: Built inbound GRE connection 3315922 from ( to inside: (tt.zz.yy.xx/14579)

2009-01-06 23:23:53 Local4.Info %PIX-6-302017: Built outbound GRE connection 3315923 from inside: (tt.zz.yy.xx) to (

2009-01-06 23:24:30 Local4.Info %PIX-6-302014: Teardown TCP connection 3315921 for to inside: duration 0:00:37 bytes 732 TCP FINs

We have followed the following Cisco article (scenario with the server inside and clients outside) with unsuccessful results until this moment:

Perhaps NAT and GRE are not easily compatible in PIX/ASA.

Any ideas?

Thank you very much.


Re: Microsoft VPN does not work through PIX/ASA

Hey ..

Are you doing a static NAT for the PPTP server? Have you enabled IP inspect pptp? Can you post your configs? Are there any error logs on the PPTP server which can be of use?



Re: Microsoft VPN does not work through PIX/ASA


Yes, static NAT for PPTP server is configured. For instance, this is the configuration of ASA 5510 (PPTP server is

access-list OUTSIDE_in extended permit tcp any host eq pptp

access-list OUTSIDE_in extended permit gre any host

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101

static (inside,outside) tcp interface pptp pptp netmask

I think that "IP inspect PPTP" is not necessary because the server is inside and the clients are outside. But, anyway, we have some configuration related:

class-map global-class

match any

class-map inspection_default

match default-inspection-traffic


policy-map global_policy

class inspection_default

inspect bla bla bla


inspect pptp

service-policy global_policy global

On the PPTP server, we could see some errors about GRE in the Windows 2003 Event Viewer, but they disappeared when GRE was allowed in the access-list and the static NAT was added.

Thank you very much.
