Pix Firewall PPTP VPN issue

My configuration is:
internet-->netopia router-->cisco pix firewall-->client computers

I am trying to establish a VPN connection where the client computers are on the inside of the firewall and the server is outside, offsite. I can open the VPN tunnel fine, but when I enable the GRE for the IP of the VPN client computer, all our sites we host here, and our mail server (which is also hosted on the inside of the firewall) no longer function. In other words, they are not accessible to anything outside the firewall.

scraig84 Commented:
GRE typically requires a one-to-one NAT - no PAT involved.  If you are hosting all of those services by using PAT to redirect ports off of a single IP address and then you NAT that address directly to one single inside IP for the purpose of GRE, you will kill all the PAT statements.  Do you only have one outside (public) address or is there a block of addresses that you can use?
Okay, can you give a little more in-depth information? Please explain your current network setup. You're setting up a GRE tunnel on a Cisco PIX to a client site and whenever you bring it up you lose connectivity to servers behind the firewall, correct? This could either be a routing issue or a firewall configuration issue. If you're bringing up a GRE tunnel and assigning it an IP, you will evidently be routing through this tunnel. You may want to configure the PIX so that it only allows traffic from one machine to get through the tunnel and test it from there. Check your route tables to make sure that nothing is attempting to use the tunnel when it is brought up. If you're using any dynamic protocols like EIGRP or OSPF, make sure that you exempt that interface from the routing table while you're testing.
I think Scraig84 has hit it on the head, it does sound like you are doing PAT and the PIX definitely requires a one to one NAT per client machine for GRE.

I second geroffyn's motion that scraig84 hit the nail on the head.
erostosthenes (Author) Commented:
Actually we are using both. There is a list of IPs for use on NAT, and in the case of overflow, there is one PAT IP. I sort of get the idea that using the access-list command to enable the GRE turns off the access group, but I don't know enough about PIX firewall rules to be sure, nor do I know an alternative if that is the case.
You cannot PAT GRE.  As long as you are using static one-to-one NAT for GRE per client, and the NATed address is not part of another NAT pool, this will work.  Here is an example of the NAT and ACL from a functioning PIX v 6.1.

(assuming no outbound ACL)

name 10.0..0.56 PPTP-HOST

access-list outside_access_in permit gre any host
access-list outside_access_in permit tcp any host eq 1723

static (intf3,outside) PPTP-HOST netmask 0 0
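
The rule stated in the answer above (a static one-to-one NAT per GRE client, on an address that is not part of another NAT pool) can be checked against a configuration mechanically. The following Python check is an added example, not part of the original thread or any poster's configuration; it assumes PIX 6.x-style `global`, `static` and `access-list` lines with literal IPv4 addresses, and the sample configuration, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed PIX 6.x-style sample; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
global (outside) 1 192.0.2.10-192.0.2.20
global (outside) 1 192.0.2.21
static (inside,outside) tcp 192.0.2.21 www 10.0.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.30 10.0.0.56 netmask 255.255.255.255 0 0
access-list outside_access_in permit gre any host 192.0.2.30
access-list outside_access_in permit gre any host 192.0.2.21
access-list outside_access_in permit gre any host 192.0.2.15
"""

def _ip(text):
    """Parse a literal address; None for 'interface' or a name alias."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def audit_gre(config):
    """Map each public address with a 'permit gre' entry to its NAT problems."""
    pools, pat, redirects, one_to_one = [], set(), set(), set()
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) < 4:
            continue
        if tok[0] == "global":
            if "-" in tok[3]:              # address range: dynamic NAT pool
                lo, hi = (_ip(p) for p in tok[3].split("-", 1))
                if lo is not None and hi is not None:
                    pools.append((lo, hi))
            else:                          # single address: PAT overload
                pat.add(_ip(tok[3]))
        elif tok[0] == "static":
            if tok[2] in ("tcp", "udp"):   # port redirection on a shared address
                redirects.add(_ip(tok[3]))
            else:                          # plain one-to-one translation
                one_to_one.add(_ip(tok[2]))
    findings = {}
    for m in re.finditer(r"^access-list \S+ permit gre any host (\S+)", config, re.M):
        addr = _ip(m.group(1))
        if addr is None:
            continue
        checks = [
            (addr not in one_to_one, "no one-to-one static for this address"),
            (addr in pat, "address is the PAT overload address"),
            (any(lo <= addr <= hi for lo, hi in pools), "address is inside a dynamic NAT pool"),
            (addr in redirects, "address also carries tcp/udp port redirects"),
        ]
        findings[str(addr)] = [msg for bad, msg in checks if bad]
    return findings
```

An empty list for an address means its GRE permit is backed by a dedicated one-to-one static; any entry in the list names the overlap that would break either PPTP or the services sharing that address.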
Still the same issue. As long as there is a free address in the NAT pool, a user may be able to make a connection. Once they are used up and the PAT overload takes effect, no more users can make a PPTP connection.

Can you post an example of your access-list when you attempt to enable gre? Are you applying it inbound or outbound, and to which interface?
Have any of these comments been of any help to you? Do you need more information?
It appears that you have forgotten this question. I will ask Community Support to force close it unless you finalize it within 7 days.

Please take a moment to revisit this question & reward your points or post additional commentary as appropriate.  Unless there is objection or further activity.

EXPERTS, please feel free to make a recommendation for points award.

If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points.  The link to the Community Support area is: http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt


Question abandoned; force-accepted.

EE Admin
Question has a verified solution.
