Outgoing VPN in Hotel Setting

Posted on 2004-09-09
Last Modified: 2013-11-16
I am setting up a PIX 515E in a hotel setting and I would like to allow guests VPN access back to their respective offices.  Essentially the PIX should allow VPN traffic to pass through from the hotel guest's PC back to their respective server.  There are three interfaces on the PIX:  outside (internet), inside (hotel staff), and rooms (hotel guests).

For PPTP, my understanding is that I need to open the pptp/tcp port and Protocol 47 (GRE).  I have created access rules for those between the rooms and outside interfaces, but I still can't get it to work.  Is there something else that needs to be done?
Question by:rsochan
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2

Expert Comment

ID: 12022402

If this does not work then the user who is trying to access his/her VPN may be using a non-standard port/software to connect.
LVL 23

Expert Comment

by:Tim Holman
ID: 12027910
TCP port 1723 and GRE should be all you need for PPTP VPNs, but you may need udp 500, 4500 and 10000 ports allowed through for IPSEC VPNs too.

Author Comment

ID: 12028394
When I try to PPTP VPN from my laptop to my office server from home (using a simple D-Link gateway router), I have no problem.  When I try the same thing at the hotel thru the PIX firewall, the connection seems to get hung up on the verifying password part.  The document that LimeSMJ pointed me to suggests that the PIX requires more than just opening TCP/1723 and allowing GRE.  There needs to be some kind of link between the two.  I just haven't figured out how to do this in the PIX gui yet.
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

LVL 23

Expert Comment

by:Tim Holman
ID: 12039280
You need to do 'fixup pptp' as well on the PIX for this to work, and 'fixup gre' if it lets you.

Author Comment

ID: 12067566
The command 'fixup pptp' does not exist, but the command 'fixup protocol pptp 1723' taken (from LimeSMJ's url link) is valid and now everything is working!  I wonder what the 'fixup' command is doing?  I know of another PIX firewall at a different location that does not have this command, and VPN using pptp works just fine over there...
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
ID: 12072322
Sorry - am doing this from memory !
The official link is here:

fixup pptp only came to be in PIX v6.3 - the other PIX you're talking about probably doesn't have this code release yet.

Accepted Solution

LimeSMJ earned 250 total points
ID: 12072449
The 'fixup protocol' command is just mapping for the ASA to allow the specified application protocol(s) to the port number(s) defined.

In your case, the port for the pptp is not open by default so any pptp connection requests were denied.  By running the 'fixup protocol pptp 1723' command, you are now allowing pptp traffic to use port 1723 in the PIX.  If in the future you want to close this application port up again, just type 'no fixup protocol pptp 1723' and the PIX will block those packets again.

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Block unwanted websites & monitor visited 8 90
can't ping datacenter from only one server in office 10 78
FortiGate - Unable to delete Traffic Shaper 2 78
Firewall attack 16 191
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question