

XP pptp client through PIX to 2k Server on DSL

Posted on 2003-03-06
Medium Priority
Last Modified: 2007-12-19
Using BellSouth PPPoE DSL at home, DHCP assigned IP address, I need to be able to use XP Pro to VPN via PPTP & MS's client to my office.  The office has a correctly config'd firewall that allows PPTP sessions to go to the server.  If I use a $50 Linksys BEFSR41 I can VPN with no problems; however, using a PIX 501 v6.2(2) I cannot.  

This is how I need traffic to flow:

MS PPTP client -> PIX501/DSL -> Internet -> MS PPTP Server

I get this error in the syslog:

Mar 06 17:35:37 %PIX-3-305006: regular translation creation failed for protocol 47 src inside: dst outside:a.b.c.d

All the Cisco docs point to having to create a static mapping between the outside & inside IPs; however, with this DSL service the IP changes quite often so that's no good.  Surely if a $50 Linksys can do this a $450 PIX can too, am I wrong?

This is my current setup:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
pager lines 24
logging on
logging trap debugging
logging facility 23
logging host inside
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXX
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXX password *********
dhcpd auto_config outside
terminal width 80
Question by:bbergin
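As an added example, not part of the original question or any of the answers: a small Python parser for the %PIX-3-305006 message quoted above, run over a constructed log sample. It picks out the translation failures, tells GRE (protocol 47) and the IPsec protocols apart from ordinary TCP/UDP failures, and collapses the retries a single PPTP dial attempt produces. The log lines, addresses (RFC 5737 documentation ranges) and the extra message IDs used as noise are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# IP protocols that carry no transport-layer port. Interface PAT keeps many
# inside hosts behind one outside address by rewriting ports, so these
# protocols cannot get a PAT translation at all. GRE (47) is PPTP's data channel.
PORTLESS_PROTOCOLS = {47: "GRE (PPTP data channel)", 50: "ESP (IPsec)", 51: "AH (IPsec)"}

# Constructed sample log in the format the question shows. The addresses are
# documentation ranges standing in for the real ones the page omits, and the
# 302013/106023 lines are there only as non-matching noise.
SAMPLE_LOG = """\
Mar 06 17:35:37 %PIX-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.10 dst outside:203.0.113.7
Mar 06 17:35:37 %PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.7/1723 (203.0.113.7/1723) to inside:192.168.1.10/1043 (198.51.100.5/1043)
Mar 06 17:35:41 %PIX-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.10 dst outside:203.0.113.7
Mar 06 17:36:02 %PIX-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.11 dst outside:198.51.100.77
Mar 06 17:36:10 %PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.1.10/445 by access-group "outside_in"
"""

# Tolerant of both "for protocol 47 src inside:A dst outside:B" (port-less)
# and "for tcp src inside:A/port dst outside:B/port" (TCP/UDP) spellings.
XLATE_FAIL = re.compile(
    r"%PIX-\d-305006: regular translation creation failed for "
    r"(?:protocol )?(?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)


@dataclass(frozen=True)
class XlateFailure:
    timestamp: str
    protocol: str   # as the PIX prints it: a number for port-less protocols, else tcp/udp
    src: str
    dst: str

    @property
    def portless(self) -> bool:
        return self.protocol.isdigit() and int(self.protocol) in PORTLESS_PROTOCOLS

    def explain(self) -> str:
        if self.portless:
            name = PORTLESS_PROTOCOLS[int(self.protocol)]
            return (f"{self.src} -> {self.dst}: {name} has no port, so interface PAT "
                    f"cannot build an xlate; a one-to-one static is needed")
        return f"{self.src} -> {self.dst}: translation for {self.protocol} failed"


def parse_xlate_failures(log_text: str) -> List[XlateFailure]:
    """Return every 305006 translation failure in the log, in order."""
    failures = []
    for line in log_text.splitlines():
        m = XLATE_FAIL.search(line)
        if not m:
            continue   # other message IDs are not xlate failures
        timestamp = line[:m.start()].strip()
        failures.append(XlateFailure(timestamp, m["proto"], m["src"], m["dst"]))
    return failures


def count_by_flow(failures: List[XlateFailure]) -> Counter:
    """Collapse repeats: one PPTP dial attempt retries GRE several times."""
    return Counter((f.src, f.dst, f.protocol) for f in failures)


def report(log_text: str) -> List[str]:
    """One human-readable line per distinct failing flow, with its repeat count."""
    failures = parse_xlate_failures(log_text)
    counts = count_by_flow(failures)
    first_seen = {}
    for f in failures:
        first_seen.setdefault((f.src, f.dst, f.protocol), f)
    return [f"{counts[key]}x {f.explain()}" for key, f in first_seen.items()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it a real `logging trap` capture from the PIX (the config above ships syslog at debugging level to an inside host) and anything reported as port-less is a flow that no `global (outside) 1 interface` PAT rule can ever carry, regardless of ACLs.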
LVL 79

Expert Comment

ID: 8085626
You are correct. PIX won't do it. It has to do with nat-transparency (IPSEC passthrough) that PIX 6.3 will implement, but it's not out yet. The only way to use a client on the inside of a PIX is to do a one-one static nat map.

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface 500 500
static (inside,outside) udp interface iskamp
LVL 79

Expert Comment

ID: 8085636
Sorry, I posted too soon before I finished typing..

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface esp esp
static (inside,outside) udp interface isakmp isakmp
static (inside,outside) udp interface 10000 10000

PPTP will not work with PAT because it is dependent on GRE which has no concept of ports.

Author Comment

ID: 8085758
How do Nexland (www.nexland.com) and Linksys do it then?

LVL 79

Expert Comment

ID: 8085814
By enabling ipsec passthrough. I've had this conversation with the Cisco PIX development team. The PIX was designed to be one of the most secure firewalls on the market. As such, there are certain 'convenience' items that are left out of the PIX. It is also due to the Adaptive Security Algorithm used in the PIX that is not implemented in a soho router.
It was designed to meet US Government FIPS 140 certification standards, as well as certification by the National Security Agency, NSA, Evaluation Assurance Level 4. No SOHO router/firewall can hope to stand up to these tough standards.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
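
As an added example, not from the page or from Cisco: a toy Python model of how a NAT device keys its translation table, to make the Cisco paragraph above concrete. In `static` mode (one-to-one NAT) the table is keyed on the inside address alone, so a GRE packet fits; in `pat` mode (the `global (outside) 1 interface` / `nat (inside) 1 0 0` pair from the question) the key needs a source port, and a GRE packet has none, which is the condition the PIX reports as 305006. A third `alg` mode is included as an illustration of what a SOHO "PPTP passthrough" helper does, keying GRE on the PPTP Call ID that the GRE header carries (RFC 2637); that mode, the class and function names, and all addresses are assumptions of this example, not something the page describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

TCP, GRE = 6, 47   # IP protocol numbers; PPTP = TCP/1723 control channel + GRE data channel


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None     # None for port-less protocols (GRE, ESP)
    dport: Optional[int] = None
    call_id: Optional[int] = None   # PPTP GRE header field (RFC 2637); only the ALG mode uses it


class Translator:
    """Toy model of three ways a NAT box can key its translation (xlate) table.

    'static': one-to-one NAT (PIX 'static (inside,outside) mapped real'), keyed on the
              inside address only, so any IP protocol can be carried. It needs a fixed
              mapped address, which a PPPoE-assigned outside IP does not give you.
    'pat':    interface PAT (PIX 'global (outside) 1 interface' + 'nat (inside) 1 0 0'),
              keyed on (inside address, protocol, source port). A packet with no port
              cannot get a slot: this is what %PIX-3-305006 "for protocol 47" reports.
    'alg':    PAT plus a PPTP helper that uses the GRE Call ID in place of a port.
              Assumed here as an illustration of a SOHO "PPTP passthrough" feature;
              a real helper also rewrites Call IDs when two inside hosts collide.
    """

    def __init__(self, mode: str, outside_ip: str, static_map: Optional[Dict[str, str]] = None):
        assert mode in ("static", "pat", "alg")
        self.mode = mode
        self.outside_ip = outside_ip
        self.static_map = dict(static_map or {})
        self.xlates: Dict[tuple, tuple] = {}   # inside-side key -> outside-side key
        self._next_port = 1024

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when no xlate can be created."""
        if self.mode == "static":
            mapped = self.static_map.get(pkt.src)
            if mapped is None:
                return None
            self.xlates[(pkt.src,)] = (mapped,)
            return Packet(pkt.proto, mapped, pkt.dst, pkt.sport, pkt.dport, pkt.call_id)

        if pkt.sport is not None:   # TCP/UDP: many inside hosts share one address by port
            key = (pkt.src, pkt.proto, pkt.sport)
            if key not in self.xlates:
                self.xlates[key] = (self.outside_ip, pkt.proto, self._alloc_port())
            _, _, mapped_port = self.xlates[key]
            return Packet(pkt.proto, self.outside_ip, pkt.dst, mapped_port, pkt.dport, pkt.call_id)

        if self.mode == "alg" and pkt.proto == GRE and pkt.call_id is not None:
            key = (pkt.src, GRE, pkt.call_id)   # the helper substitutes Call ID for a port
            self.xlates.setdefault(key, (self.outside_ip, GRE, pkt.call_id))
            return Packet(GRE, self.outside_ip, pkt.dst, None, None, pkt.call_id)

        return None   # plain PAT: "regular translation creation failed for protocol 47"


def pptp_session(t: Translator, inside_host: str, server: str) -> Dict[str, bool]:
    """Push the two halves of one PPTP client session through the translator."""
    control = Packet(TCP, inside_host, server, sport=1043, dport=1723)
    data = Packet(GRE, inside_host, server, call_id=7)
    return {
        "control_tcp_1723": t.outbound(control) is not None,
        "data_gre": t.outbound(data) is not None,
    }


if __name__ == "__main__":
    client, server = "192.168.1.10", "203.0.113.7"
    print("static:", pptp_session(Translator("static", "198.51.100.5", {client: "198.51.100.6"}), client, server))
    print("pat:   ", pptp_session(Translator("pat", "198.51.100.5"), client, server))
    print("alg:   ", pptp_session(Translator("alg", "198.51.100.5"), client, server))
```

The `pat` run reproduces the symptom in the question exactly: the TCP/1723 control connection is built (so the syslog shows a normal outbound connection) and only the GRE data channel is refused. The model stops at xlate creation; as the Cisco paragraph says, even with a working one-to-one static the inbound GRE still has to be permitted by an ACL, because the firewall does not tie it to the TCP session.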

LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 8091115
You'll be happy to know that the new PIX version 6.3 supports nat transparency:


It's not available for download just yet, though.

LVL 79

Expert Comment

ID: 8442634
G'day, bbergin
It has been 56 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm

Author Comment

ID: 8443909
I opened a TAC ticket with Cisco on 3/6/03 and was given the beta code for 6.3 first thing on 3/7/03, so while lrmoore did post an answer, Cisco actually solved it.  That version of 6.3 as well as the RTM does indeed fix the problem as posted.
LVL 79

Expert Comment

ID: 8637125
No comment has been added lately (32 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/
