XP pptp client through PIX to 2k Server on DSL

Using BellSouth PPPoE DSL at home, DHCP assigned IP address, I need to be able to use XP Pro to VPN via PPTP & MS's client to my office.  The office has a correctly config'd firewall that allows PPTP sessions to go to the server.  If I use a $50 Linksys BEFSR41 I can VPN with no problems; however, using a PIX 501 v6.2(2) I cannot.  

This is how I need traffic to flow:

MS PPTP client -> PIX501/DSL -> Internet -> MS PPTP Server

I get this error in the syslog:

Mar 06 17:35:37 %PIX-3-305006: regular translation creation failed for protocol 47 src inside: dst outside:a.b.c.d

All the Cisco docs point to having to create a static mapping between the outside & inside IPs; however, with this DSL service the IP changes quite often so that's no good.  Surely if a $50 Linksys can do this a $450 PIX can too, am I wrong?

This is my current setup:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
pager lines 24
logging on
logging trap debugging
logging facility 23
logging host inside
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXX
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXX password *********
dhcpd auto_config outside
terminal width 80
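The syslog line quoted above is the whole diagnosis: a 305006 "translation creation failed" for IP protocol 47 (GRE) means the many-to-one PAT on the outside interface had no port to build an xlate from. The following parser is an added example written for this page (not Cisco's or the poster's code) that pulls the protocol and interface fields out of 305006 messages and reports only the failures for port-less protocols, which are the ones PAT cannot be tuned around. The sample log is constructed here: the first line is the one from the question (with its source address stripped exactly as posted), the other lines are made up to exercise the parser.

```python
import re
from typing import Dict, List, Optional

# IP protocol numbers that matter for NAT/PAT decisions.  Only TCP and UDP carry
# layer-4 ports; everything else cannot be multiplexed by a many-to-one PAT.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
PORTED_PROTOCOLS = {6, 17}

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# Shape of the 305006 text seen in the question; the src address may be empty
# because the posted line has it stripped ("src inside: dst outside:a.b.c.d").
XLATE_FAIL_RE = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\w./]*) dst (?P<dst_if>\w+):(?P<dst>[\w./]*)"
)

# Constructed sample log: line 1 is the one from the question; the rest are made
# up here (an ESP failure, a normal TCP connection, a non-PIX line).
SAMPLE_LOG = [
    "Mar 06 17:35:37 %PIX-3-305006: regular translation creation failed for protocol 47 src inside: dst outside:a.b.c.d",
    "Mar 06 17:36:02 %PIX-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.10 dst outside:203.0.113.5",
    "Mar 06 17:36:05 %PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/1723 (203.0.113.5/1723) to inside:192.168.1.10/1045 (198.51.100.1/1024)",
    "not a pix line at all",
]


def parse_pix_line(line: str) -> Optional[Dict]:
    """Split a PIX syslog line into severity, message id and text; decode 305006 fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec: Dict = {"severity": int(m["sev"]), "msg_id": m["id"], "text": m["text"]}
    if rec["msg_id"] == "305006":
        x = XLATE_FAIL_RE.search(rec["text"])
        if x:
            proto = int(x["proto"])
            rec.update(
                protocol=proto,
                protocol_name=PROTO_NAMES.get(proto, f"ip-proto-{proto}"),
                src_if=x["src_if"],
                src=x["src"] or None,   # None when the address was stripped
                dst_if=x["dst_if"],
                dst=x["dst"] or None,
            )
    return rec


def find_portless_xlate_failures(lines: List[str]) -> List[Dict]:
    """Return 305006 records for protocols without L4 ports (GRE, ESP, ...).

    These are the failures a many-to-one PAT cannot avoid: with no port to
    rewrite there is nothing to key a translation on, so the fix is a one-to-one
    static NAT or a protocol-aware fixup, not more PAT configuration.
    """
    out = []
    for line in lines:
        rec = parse_pix_line(line)
        if (rec and rec["msg_id"] == "305006" and "protocol" in rec
                and rec["protocol"] not in PORTED_PROTOCOLS):
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in find_portless_xlate_failures(SAMPLE_LOG):
        print(f"{rec['protocol_name']:4} {rec['src'] or '?'} -> {rec['dst']}  (PAT cannot translate this)")
```

Run against a real `logging host` feed, the filter separates the PAT-versus-GRE problem from ordinary translation-table exhaustion, which also logs as 305006 but for TCP or UDP and calls for a different fix.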

You are correct. PIX won't do it. It has to do with nat-transparency (IPSEC passthrough) that PIX 6.3 will implement, but it's not out yet. The only way to use a client on the inside of a PIX is to do a one-one static nat map.

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface 500 500
static (inside,outside) udp interface isakmp
Sorry, I posted too soon before I finished typing..

The closest you can get is a static PAT and use an IPSEC client:
static (inside,outside) tcp interface esp esp
static (inside,outside) udp interface isakmp isakmp
static (inside,outside) udp interface 10000 10000

PPTP will not work with PAT because it is dependent on GRE which has no concept of ports.
bberginAuthor Commented:
How do Nexland (www.nexland.com) and Linksys do it then?

By enabling ipsec passthrough. I've had this conversation with the Cisco PIX development team. The PIX was designed to be one of the most secure firewalls on the market. As such, there are certain 'convenience' items that are left out of the PIX. It is also due to the Adaptive Security Algorithm used in the PIX that is not implemented in a soho router.
It was designed to meet US Government FIPS 140 certification standards, as well as certification by the National Security Agency, NSA, Evaluation Assurance Level 4. No SOHO router/firewall can hope to stand up to these tough standards.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.

You'll be happy to know that the new PIX version 6.3 supports nat transparency:


It's not available for download just yet, though.
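The Cisco excerpt above gives the mechanism: a one-to-one NAT keys translations on the inside address, while PAT keys them on the port, and GRE has none. The following is an added model written for this page (not PIX code, and deliberately simplified) that puts both translators side by side and pushes the two halves of a PPTP session through each: the TCP/1723 control connection and the GRE data channel. The `PatTranslator` behaves like the question's `global (outside) 1 interface` plus `nat (inside) 1 0 0` pair; the addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class TranslationError(Exception):
    """Raised when the device cannot build an xlate for a packet (cf. %PIX-3-305006)."""


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols that carry no ports
    dport: Optional[int] = None


class PatTranslator:
    """Many-to-one PAT on a single outside address.

    Every translation is keyed on (protocol, inside address, inside port) and is
    told apart on the wire by the rewritten source port, so a packet with no
    port field leaves nothing to key on and nothing to rewrite.
    """

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.xlates: Dict[Tuple[int, str, int], int] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            raise TranslationError(
                f"regular translation creation failed for protocol {pkt.proto}")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlates:
            self.xlates[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.xlates[key], pkt.dport)


class StaticNatTranslator:
    """One-to-one static NAT: keyed on the inside address alone, ports untouched."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.mapping = mapping   # inside address -> dedicated outside address

    def translate(self, pkt: Packet) -> Packet:
        if pkt.src not in self.mapping:
            raise TranslationError(f"no static mapping for {pkt.src}")
        return Packet(pkt.proto, self.mapping[pkt.src], pkt.dst, pkt.sport, pkt.dport)


def pptp_session(translator, client: str, server: str) -> Dict[str, str]:
    """Push the two halves of a PPTP session through a translator.

    The control channel is TCP/1723 and translates either way; the data channel
    is GRE (protocol 47) with no ports, which only the one-to-one mapping carries.
    """
    stages = [
        ("tcp-1723", Packet(6, client, server, sport=1045, dport=1723)),
        ("gre", Packet(47, client, server)),
    ]
    results = {}
    for name, pkt in stages:
        try:
            translator.translate(pkt)
            results[name] = "ok"
        except TranslationError as exc:
            results[name] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    # Constructed addresses for the demonstration (RFC 5737 documentation ranges).
    client, server, outside = "192.168.1.10", "203.0.113.5", "198.51.100.1"
    print("PAT:       ", pptp_session(PatTranslator(outside), client, server))
    print("static NAT:", pptp_session(StaticNatTranslator({client: outside}), client, server))
```

The PAT run reproduces the question's symptom (control channel up, GRE refused with the 305006 wording); the static run succeeds because the outside address itself identifies the inside host. A device that does carry PPTP through a single address has to add a PPTP-aware helper that uses the call ID in the GRE header as a stand-in for a port; that helper, not a change to PAT itself, is the feature the poster's SOHO router has and this PIX release lacks.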


G'day, bbergin
It has been 56 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
bberginAuthor Commented:
I opened a TAC ticket with Cisco on 3/6/03 and was given the beta code for 6.3 first thing on 3/7/03, so while lrmoore did post an answer, Cisco actually solved it.  That version of 6.3 as well as the RTM does indeed fix the problem as posted.
No comment has been added lately (32 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/