XP pptp client through PIX to 2k Server on DSL

Posted on 2003-03-06
Medium Priority
Last Modified: 2007-12-19
Using BellSouth PPPoE DSL at home, DHCP assigned IP address, I need to be able to use XP Pro to VPN via PPTP & MS's client to my office.  The office has a correctly config'd firewall that allows PPTP sessions to go to the server.  If I use a $50 Linksys BEFSR41 I can VPN with no problems; however, using a PIX 501 v6.2(2) I cannot.  

This is how I need traffic to flow:

MS PPTP client -> PIX501/DSL -> Internet -> MS PPTP Server

I get this error in the syslog:

Mar 06 17:35:37 %PIX-3-305006: regular translation creation failed for protocol 47 src inside: dst outside:a.b.c.d

All the Cisco docs point to having to create a static mapping between the outside & inside IPs; however, with this DSL service the IP changes quite often so that's no good.  Surely if a $50 Linksys can do this a $450 PIX can too, am I wrong?

This is my current setup:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
pager lines 24
logging on
logging trap debugging
logging facility 23
logging host inside
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXX
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXX password *********
dhcpd auto_config outside
terminal width 80
Question by:bbergin
LVL 79

Expert Comment

ID: 8085626
You are correct. PIX won't do it. It has to do with nat-transparency (IPSEC passthrough) that PIX 6.3 will implement, but it's not out yet. The only way to use a client on the inside of a PIX is to do a one-one static nat map.

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface 500 500
static (inside,outside) udp interface iskamp
LVL 79

Expert Comment

ID: 8085636
Sorry, I posted too soon before I finished typing..

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface esp esp
static (inside,outside) udp interface isakmp isakmp
static (inside,outside) udp interface 10000 10000

PPTP will not work with PAT because it is dependent on GRE which has no concept of ports.

Author Comment

ID: 8085758
How do Nexland (www.nexland.com) and Linksys do it then?

LVL 79

Expert Comment

ID: 8085814
By enabling ipsec passthrough. I've had this conversation with the Cisco PIX development team. The PIX was designed to be one of the most secure firewalls on the market. As such, there are certain 'convenience' items that are left out of the PIX. It is also due to the Adaptive Security Algorithm used in the PIX that is not implemented in a soho router.
It was designed to meet US Government FIPS 140 certification standards, as well as certification by the National Security Agency, NSA, Evaluation Assurance Level 4. No SOHO router/firewall can hope to stand up to these tough standards.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
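The distinction the Cisco excerpt draws (NAT keeps a full address per inside host, PAT needs a layer-4 port to key return traffic on, and GRE has none) is easy to see in a small model. The following Python is an added illustration for this thread, not Cisco code and not how the PIX implements xlates internally: the addresses, the packets and the translation table are constructed here. It models three cases for the PPTP data channel: the question's dynamic PAT (`global (outside) 1 interface` / `nat (inside) 1 0 0`), a one-to-one `static` mapping, and a PPTP-aware NAT that keys on the Call ID field of PPTP's enhanced GRE header (RFC 2637), which is how SOHO devices get PPTP through PAT; the `pptp_alg` flag is the model's own switch for that, not a PIX 6.2 option. It also parses the `%PIX-3-305006` syslog line from the question so the failure can be spotted in logs.

```python
"""Toy model of PIX-style translation (xlate) creation for PPTP traffic.

Constructed illustration for this thread, not Cisco code. The log text it
emits mirrors the %PIX-3-305006 message quoted in the question.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_GRE: "GRE"}


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for GRE: IP protocol 47 carries no ports
    call_id: Optional[int] = None    # PPTP enhanced-GRE Call ID (RFC 2637), if present


@dataclass(frozen=True)
class Xlate:
    inside_ip: str
    outside_ip: str
    proto: int
    inside_key: Optional[int]   # port (or call ID) on the inside
    outside_key: Optional[int]  # port (or call ID) presented on the outside


class Translator:
    """Model of the two PIX translation modes named in the thread.

    - dynamic PAT:  'global (outside) 1 interface' + 'nat (inside) 1 0 0'
      (all inside hosts share the interface address, flows told apart by port)
    - static NAT:   'static (inside,outside) <outside_ip> <inside_ip>'
      (one dedicated outside address per inside host, no port needed)
    pptp_alg=True is this model's stand-in for a PPTP-aware NAT (SOHO style);
    it is not a PIX 6.2 feature.
    """

    def __init__(self, outside_ip: str, statics: Optional[Dict[str, str]] = None,
                 pptp_alg: bool = False) -> None:
        self.outside_ip = outside_ip
        self.statics = dict(statics or {})      # inside_ip -> dedicated outside_ip
        self.pptp_alg = pptp_alg
        self.next_pat_port = 1024
        self.xlates: List[Xlate] = []
        self.log: List[str] = []

    def create_xlate(self, pkt: Packet) -> Optional[Xlate]:
        # Static one-to-one: the whole address is mapped, so GRE needs no port.
        if pkt.src_ip in self.statics:
            x = Xlate(pkt.src_ip, self.statics[pkt.src_ip], pkt.proto, pkt.src_port, pkt.src_port)
            self.xlates.append(x)
            return x
        # Dynamic PAT needs a layer-4 port to key the return traffic on.
        if pkt.proto in (PROTO_TCP, PROTO_UDP) and pkt.src_port is not None:
            port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
            x = Xlate(pkt.src_ip, self.outside_ip, pkt.proto, pkt.src_port, port)
            self.xlates.append(x)
            return x
        # A PPTP ALG can substitute the GRE Call ID for the missing port.
        if pkt.proto == PROTO_GRE and self.pptp_alg and pkt.call_id is not None:
            x = Xlate(pkt.src_ip, self.outside_ip, pkt.proto, pkt.call_id, pkt.call_id)
            self.xlates.append(x)
            return x
        # No reversible mapping can be built: this is the 305006 condition.
        self.log.append(
            f"%PIX-3-305006: regular translation creation failed for protocol "
            f"{pkt.proto} src inside:{pkt.src_ip} dst outside:{pkt.dst_ip}")
        return None


XLATE_FAIL_RE = re.compile(
    r"%PIX-3-305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src_ip>\S*) dst (?P<dst_if>\w+):(?P<dst_ip>\S+)")


def parse_xlate_failure(line: str) -> Optional[dict]:
    """Pull protocol and endpoints out of a %PIX-3-305006 syslog line."""
    m = XLATE_FAIL_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {"proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "src_ip": m.group("src_ip"), "dst_ip": m.group("dst_ip")}


def run_scenarios() -> Dict[str, bool]:
    """PPTP from one inside client (constructed addresses) under each NAT mode."""
    client, server = "192.168.1.10", "203.0.113.5"   # constructed, documentation ranges
    control = Packet(PROTO_TCP, client, server, src_port=3001)  # TCP 1723 control channel
    data = Packet(PROTO_GRE, client, server, call_id=0x1234)    # GRE data channel
    results = {}
    pat = Translator(outside_ip="198.51.100.7")
    results["pat_tcp_1723"] = pat.create_xlate(control) is not None  # control channel PATs fine
    results["pat_gre"] = pat.create_xlate(data) is not None           # GRE cannot be PAT'd
    results["pat_logged_305006"] = parse_xlate_failure(pat.log[0])["proto_name"] == "GRE"
    static = Translator("198.51.100.7", statics={client: "198.51.100.8"})
    results["static_gre"] = static.create_xlate(data) is not None     # one-to-one works
    alg = Translator("198.51.100.7", pptp_alg=True)
    results["alg_gre"] = alg.create_xlate(data) is not None           # call-ID tracking works
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'ok' if ok else 'FAILED'}")
```

Running it shows the TCP 1723 control channel translating under PAT while the GRE packet fails with the same 305006 text the question's syslog shows; the static mapping succeeds because it translates the address rather than a port, which is why the Cisco docs steer towards a static and why that needs a fixed outside address. The `parse_xlate_failure` helper is worth pointing at a syslog collector: protocol 47 in a 305006 line is a reliable signature of PPTP behind PAT on these PIX releases.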

LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 8091115
You'll be happy to know that the new PIX version 6.3 supports nat transparency:


It's not available for download just yet, though.

LVL 79

Expert Comment

ID: 8442634
G'day, bbergin
It has been 56 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm

Author Comment

ID: 8443909
I opened a TAC ticket with Cisco on 3/6/03 and was given the beta code for 6.3 first thing on 3/7/03, so while lrmoore did post an answer, Cisco actually solved it.  That version of 6.3 as well as the RTM does indeed fix the problem as posted.
LVL 79

Expert Comment

ID: 8637125
No comment has been added lately (32 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/
