Cisco Support Community
New Member

Pix 501 PPTP VPN

At my office I have a PIX 515 that is configured for a PPTP VPN. I am able to create a VPN tunnel from home to my office using the Microsoft VPN client. I recently purchased a PIX 501 for my home. When I try to create a VPN from my office to my home, the tunnel gets created; however, it hangs at authentication. I am using local authentication on the PIX 501. I have the config on my 501 the same as I configured the 515 at my office (except for the local IP pool). The network (LAN) IP schemes at my office and home are different (office, home Here is the config of the 501:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxxx
hostname pixfirewall
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list vpnlist permit ip
pager lines 24
logging on
logging trap debugging
logging facility 23
logging host inside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ppto-pool
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group vpnlist in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local ppto-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80



Interesting thing, it does not show the username being sent or the mppe key strength in the syslog:

2004-03-15 19:11:53 Local7.Debug %PIX-7-710001: TCP access requested from 65.163.x.x/11484 to 65.96.x.x/pptp

2004-03-15 19:11:53 Local7.Debug %PIX-7-710002: TCP access permitted from 65.163.x.x/11484 to outside:65.96.x.x/pptp

2004-03-15 19:12:34 Local7.Info %PIX-6-603104: PPTP Tunnel created, tunnel_id is 8, remote_peer_ip is 65.163.x.x, ppp_virtual_interface_id is 1, client_dynamic_ip is, username is , MPPE_key_strength is None
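
A checker for the 603104 message quoted in the post above, added here as an example and not part of the original thread: it parses the "key is value" fields and flags tunnel records with an empty username, no assigned address, or an MPPE_key_strength of None, none of which fit a session that completed authentication under `vpdn group 1 ppp encryption mppe 128 required`. The second sample line (documentation addresses, username, key-strength value) is constructed for contrast, and its field values are assumptions.

```python
import re

# PIX message 603104 ("PPTP Tunnel created") as quoted in the post.
MSG = re.compile(r"%PIX-6-603104: PPTP Tunnel created,(?P<fields>.*)$")
FIELD = re.compile(r"^(?P<key>\w+) is\s*(?P<value>.*)$")

def parse_603104(line):
    """Return the 'key is value' fields as a dict, or None for other lines."""
    m = MSG.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(","):
        f = FIELD.match(part.strip())
        if f:
            fields[f.group("key")] = f.group("value").strip()  # "" if empty
    return fields

def findings(fields):
    """Reasons a tunnel record does not look like a completed MPPE session."""
    issues = []
    if not fields.get("username"):
        issues.append("no username recorded")
    if not fields.get("client_dynamic_ip"):
        issues.append("no pool address assigned")
    if fields.get("MPPE_key_strength", "") in ("", "None"):
        issues.append("MPPE not negotiated")
    return issues

def audit(lines):
    """Map tunnel_id -> list of issues for every 603104 line in lines."""
    return {f.get("tunnel_id", "?"): findings(f)
            for f in map(parse_603104, lines) if f is not None}

# First line: the message from the post. Second line: constructed for contrast
# (documentation addresses, made-up username, assumed key-strength value).
SAMPLE = [
    "2004-03-15 19:12:34 Local7.Info %PIX-6-603104: PPTP Tunnel created, "
    "tunnel_id is 8, remote_peer_ip is 65.163.x.x, ppp_virtual_interface_id is 1, "
    "client_dynamic_ip is, username is , MPPE_key_strength is None",
    "2004-03-15 19:20:02 Local7.Info %PIX-6-603104: PPTP Tunnel created, "
    "tunnel_id is 9, remote_peer_ip is 192.0.2.10, ppp_virtual_interface_id is 1, "
    "client_dynamic_ip is 198.51.100.5, username is alice, MPPE_key_strength is 128",
]

if __name__ == "__main__":
    for tunnel_id, issues in audit(SAMPLE).items():
        print(tunnel_id, issues or "ok")
```

The parser splits fields on commas, so a username that itself contains a comma would be truncated.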



Re: Pix 501 PPTP VPN


If you have a 501 at home and a 515 at the office, why don't you just set up a site-to-site VPN connection? Here is a good document on the subject using IPSec:

Hope this helps.


New Member

Re: Pix 501 PPTP VPN


Thanks for the reply. I was reading up on site-to-site this morning. I think that is what I will do.


New Member

Re: Pix 501 PPTP VPN

Just to answer your question... It's the FIXUP for the PPTP protocol on the PIX at the house...

Enable it with the correct port and your PPTP will pass through the 501 fine.

New Member

Re: Pix 501 PPTP VPN

Add the following on PIX 501:

nat (inside) 0 access-list vpnlist


New Member

Re: Pix 501 PPTP VPN

Also, if you have 6.3, make sure you add the following on both PIXes. This will enable PPTP pass-through on the PIX:

sysopt connection permit-pptp

