
Enable VPN pass-through PIX 501

Hi guys, I am looking to set up a VPN at work and am running into problems.  
I want to use PPTP.
I am using Small Business Server 2000 with Routing and Remote Access enabled.  
I want to connect via Windows built-in connection.
As it stands now I can connect to the VPN via one of our laptops if I use the internal IP addy of the server (doesn't pass through the PIX?); however, if I specify our external public IP it gives me an error 678, unable to locate the server (the PIX is doing its job?).
I need help, guys, and any questions I can answer I will!!
1 Solution
Do you have the PIX set up with access lists on the outside interface to allow port 1723 and GRE into the network from the outside? If you post your PIX config it may make this much easier. Remember to blank out your outside IP addresses.
It's very simple: go to the PDM web-based interface of the PIX.

Go to System Properties, click Advanced, and somewhere there you will find PPTP or 1723; just fixup the PPTP protocol.

It should work.

You can alternatively try using this command:

pixfirewall(config)#fixup protocol pptp 1723

xfungalxAuthor Commented:
I have since enabled the PPTP protocol and now from home the error I am receiving is "The PPP control link was terminated", so I think I made it through the firewall but now am having this issue. If I change the protocol to a different one I will get the error "The server and client could not agree on a PPTP protocol" or something like that.
I feel I am getting closer to the answer but not quite there. I am going out of town later this week and really want to have it working for that. Thanks for the help thus far, guys :)

: Saved
: Written by enable_15 at 07:51:48.646 UTC Thu Nov 18 2004
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GbuXKeAslJqJMx9E encrypted
passwd 92wBVddXfkuIooWF encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow-in permit icmp any any echo-reply
access-list allow-in permit icmp any any time-exceeded
access-list allow-in permit icmp any any source-quench
access-list allow-in permit icmp any any unreachable
access-list allow-in permit tcp any host eq www
access-list allow-in permit tcp any host eq smtp
access-list nonat permit ip
pager lines 24
logging on
logging trap informational
logging facility 19
logging host inside 17/1514
no logging message 106015
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx
ip audit info action alarm
ip audit attack action alarm
ip local pool medi-stim
pdm location xxx.xxx.xxx.xxx inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp smtp xxx.xxx.xxx.xxx smtp netmask 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx www xxx.xxx.xxx.xxx www netmask 0 0
access-group allow-in in interface outside
route outside xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxx.xxx.xxx.xxx WinRadius timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside //bio1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set rtptac
crypto map rtprules 20 ipsec-isakmp dynamic dynmap
crypto map rtprules interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 7200
vpngroup vpn-in address-pool medi-stim
vpngroup vpn-in dns-server xxx.xxx.xxx.xxx
vpngroup vpn-in idle-time 7200
vpngroup vpn-in password 43he@rt!
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
vpnclient server xxx.xxx.xxx.xxx
vpnclient mode client-mode
vpnclient vpngroup vpn-in password 43he@rt!
terminal width 80
: end

xfungalxAuthor Commented:
I am now able to connect, in a sense. If a remote user connects I can see them connected on the PIX, but I cannot see them connected to the server. They are given an IP addy that I specified for VPN'rs; however, they cannot see anything on the network, nor can they ping anything. Why isn't the PIX pushing them through to the RAS?
I can smell the cheese at the end of the maze but I need some help getting to it. Any help is greatly appreciated! Thanks.
Ok, here's what I'm seeing. You'll need access lists to allow in PPTP and GRE to get the VPN to pass through properly. This link should give you all of the commands.

Also, since your statics are limited to SMTP and WWW, you may have to make one that allows PPTP as well. Try these out and let us know how it goes.
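The three pieces that answer describes (the PPTP fixup, a static for TCP 1723, and access-list entries for TCP 1723 and GRE), written out as an added example for PIX 6.3 that is not from the thread; 203.0.113.10 stands in for the blanked-out public address and 192.168.1.5 for the SBS/RRAS host, and both are placeholders to replace:

```cisco
: Added example, not from the thread. Placeholder addresses:
:   203.0.113.10 = public IP the PPTP clients dial
:   192.168.1.5  = inside SBS 2000 / RRAS server
:
: 1. Inspect the PPTP control channel so the PIX tracks the GRE call
fixup protocol pptp 1723
:
: 2. Forward only the PPTP control port to the RRAS host, not the whole
:    host, alongside the existing smtp/www statics. If the public IP is
:    the outside interface address itself (the config PATs to "interface"),
:    write "tcp interface 1723" in place of "tcp 203.0.113.10 1723".
static (inside,outside) tcp 203.0.113.10 1723 192.168.1.5 1723 netmask 255.255.255.255 0 0
:
: 3. Permit the control channel and the GRE data tunnel to that one
:    address. Without the GRE line the 1723 handshake succeeds but the
:    PPP link never comes up, which matches the "PPP control link was
:    terminated" error; the list is already bound with access-group.
access-list allow-in permit tcp any host 203.0.113.10 eq 1723
access-list allow-in permit gre any host 203.0.113.10
:
: 4. Check that both entries are taking hits while a client connects
:    and that the new translation exists:
:    pixfirewall# show access-list allow-in
:    pixfirewall# show xlate
```

The vpngroup/isakmp lines already in the config are a separate IPsec client setup and are not involved in PPTP pass-through.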
OK, I will give you the exact steps in PDM, the best and easiest way around.

Open PDM, go to CONFIGURATION, then SYSTEM PROPERTIES, then ADVANCED on the left, then FIXUP, then PPTP. Try this; it should solve the issue without using commands etc. if you're not comfortable with the console.
xfungalxAuthor Commented:
Thanks so much for all the help :)
