Enable VPN pass-through PIX 501

Hi guys, I am looking to set up a VPN at work and am running into problems.  
I want to use PPTP.
I am using Small Business Server 2000 with Routing and Remote Access enabled.  
I want to connect via Windows built-in connection.
As it stands now I can connect to the VPN via one of our laptops if I use the internal IP addy of the server (doesn't pass through the PIX?). However, if I specify our external public IP it gives me an error 678, unable to locate the server (the PIX is doing its job?).
I need help guys and any questions I can answer I will!!

Do you have the PIX set up with access lists on the outside interface to allow port 1723 and GRE into the network from the outside?  If you post your PIX config it may make this much easier.  Remember to blank out your outside IP addresses.

It's very simple: go to the PDM web-based interface of the PIX.

Go to System Properties, click Advanced, and then you will find there somewhere PPTP or 1723; just fixup PPTP protocol.

It should work.

You can alternatively try using this command:

pixfirewall(config)# fixup protocol pptp 1723


xfungalx (Author) commented:
I have since enabled the PPTP protocol and now from home the error I am receiving is "The ppp control link was terminated". So I think I made it through the firewall but now am having this issue.  If I change the protocol to a different one I will get the error "The server and client could not agree on a pptp protocol" or something like that.
I feel I am getting closer to the answer but not quite there.  I am going out of town later this week and really want to have it working for that.  Thanks for the help thus far guys :)

: Saved
: Written by enable_15 at 07:51:48.646 UTC Thu Nov 18 2004
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GbuXKeAslJqJMx9E encrypted
passwd 92wBVddXfkuIooWF encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow-in permit icmp any any echo-reply
access-list allow-in permit icmp any any time-exceeded
access-list allow-in permit icmp any any source-quench
access-list allow-in permit icmp any any unreachable
access-list allow-in permit tcp any host eq www
access-list allow-in permit tcp any host eq smtp
access-list nonat permit ip
pager lines 24
logging on
logging trap informational
logging facility 19
logging host inside 17/1514
no logging message 106015
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx
ip audit info action alarm
ip audit attack action alarm
ip local pool medi-stim
pdm location xxx.xxx.xxx.xxx inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp smtp xxx.xxx.xxx.xxx smtp netmask 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx www xxx.xxx.xxx.xxx www netmask 0 0
access-group allow-in in interface outside
route outside xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxx.xxx.xxx.xxx WinRadius timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside //bio1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set rtptac
crypto map rtprules 20 ipsec-isakmp dynamic dynmap
crypto map rtprules interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 7200
vpngroup vpn-in address-pool medi-stim
vpngroup vpn-in dns-server xxx.xxx.xxx.xxx
vpngroup vpn-in idle-time 7200
vpngroup vpn-in password 43he@rt!
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
vpnclient server xxx.xxx.xxx.xxx
vpnclient mode client-mode
vpnclient vpngroup vpn-in password 43he@rt!
terminal width 80
: end

xfungalx (Author) commented:
I am now able to connect in a sense.  If a remote user connects I can see them connected on the PIX but I cannot see them connected to the server.  They are given an IP addy that I specified for VPN'rs; however, they cannot see anything on the network, nor can they ping anything.  Why isn't the PIX pushing them through to the RAS?
I can smell the cheese at the end of the maze but I need some help getting to it.  Any help is greatly appreciated!  Thanks.

Ok here's what I'm seeing.  You'll need access lists to allow in PPTP and GRE to get the VPN to pass through properly.  This link should give you all of the commands.


Also since your statics are limited to SMTP and WWW you may have to make one that allows PPTP as well.  Try these out and let us know how it goes.
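
As an added example (not from the thread and not Cisco's own tooling), this small Python check scans a PIX 6.x-style config for the items the answers above ask for: the PPTP fixup, permits for TCP 1723 and GRE on the ACL bound to the outside interface, and a static that publishes the PPTP server. The function name, both sample configs and the 192.0.2.x / 10.0.0.x addresses are constructed for illustration.

```python
# Constructed PIX 6.x-style sample (documentation addresses), shaped like the
# posted config: only www/smtp are published and there is no PPTP fixup.
SAMPLE_BEFORE = """\
fixup protocol smtp 25
access-list allow-in permit icmp any any echo-reply
access-list allow-in permit tcp any host 192.0.2.10 eq www
access-list allow-in permit tcp any host 192.0.2.10 eq smtp
static (inside,outside) tcp 192.0.2.10 smtp 10.0.0.5 smtp netmask 255.255.255.255 0 0
access-group allow-in in interface outside
"""

# The same sample with the items the answers ask for (constructed, not from the thread).
SAMPLE_AFTER = SAMPLE_BEFORE + """\
fixup protocol pptp 1723
access-list allow-in permit tcp any host 192.0.2.10 eq 1723
access-list allow-in permit gre any host 192.0.2.10
static (inside,outside) tcp 192.0.2.10 1723 10.0.0.5 1723 netmask 255.255.255.255 0 0
"""

def audit_pptp_passthrough(config):
    """Return the PPTP pass-through items that are missing from a PIX config."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    # Name of the ACL applied inbound on the outside interface, if any.
    acl = next((t[1] for t in lines if t[0] == "access-group"
                and t[2:] == ["in", "interface", "outside"]), None)
    # Permit entries of that ACL, starting at the protocol token.
    aces = [t[3:] for t in lines if t[:3] == ["access-list", acl, "permit"]]
    # Only explicit tcp/1723 and gre permits count; broader "ip" permits are ignored.
    tcp_ok = any(a[:1] == ["tcp"] and a[-2:] in (["eq", "1723"], ["eq", "pptp"])
                 for a in aces)
    gre_ok = any(a[:1] in (["gre"], ["47"]) for a in aces)
    statics = [t for t in lines if t[:2] == ["static", "(inside,outside)"]]
    static_ok = any(
        (len(t) > 4 and t[2] == "tcp" and t[4] in ("1723", "pptp"))  # port static
        or (len(t) > 2 and t[2] not in ("tcp", "udp"))                # whole-host static
        for t in statics)
    fixup_ok = any(t[:3] == ["fixup", "protocol", "pptp"] for t in lines)
    checks = {
        "fixup protocol pptp": fixup_ok,
        "outside ACL permits tcp/1723": tcp_ok,
        "outside ACL permits gre": gre_ok,
        "static covering the PPTP server": static_ok,
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_pptp_passthrough(cfg) or "nothing missing")
```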

OK, I will give you the exact steps in PDM, the best and easiest way around.

Open PDM, go to CONFIGURATION, then SYSTEM PROPERTIES, then ADVANCED on the left, and then FIXUP, then PPTP. Try this; this should solve the issue without using commands etc. if you're not comfortable with the console.

xfungalx (Author) commented:
Thanks so much for all the help :)