PPTP VPN Problem when using port forwarding

Posted on 2005-05-16
Last Modified: 2013-11-16
We recently had someone come in to help set up our Exchange server. He made some modifications to our PIX firewall and now our VPN doesn't work. We used to have the following for this:
 access-list inbound permit tcp any host eq pptp
 access-list inbound permit tcp any host eq 1701
 access-list inbound permit gre any host
 static(inside, outside) netmask 0 0

which translated all traffic coming to .150 to the internal server. He changed it to do port forwarding on specific ports to the server. The new configuration is
static (inside,outside) tcp interface smtp smtp netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0

After he did this, the pptp VPN no longer worked. I added
static (inside,outside) tcp interface pptp pptp netmask 0 0
and was able to get further, but it still won't complete authentication without the gre being forwarded. Am I going to have to remove port forwarding and just forward all traffic to the server to get this to work? I noticed that you can only do port forwarding on tcp and udp; gre isn't allowed. Is there another way around this?

Question by:patrickmulcahy

    Accepted Solution

    Someone screwed you over...
    PPTP requires a 1-1 static NAT as you had it.
    The VPN server is also the Exchange Server??

    You have to keep this:
     static(inside, outside) netmask 0 0

    Add these entries to the acl
     access-list inbound permit tcp any host eq pptp
     access-list inbound permit tcp any host eq 1701
     access-list inbound permit gre any host
     access-list inbound permit tcp any host eq smtp
     access-list inbound permit tcp any host eq https

    Your MX records must point to


    Expert Comment

    You can try enabling fixup pptp
      fixup protocol pptp 1723
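
The thread turns on one point: a PIX port redirect carries only TCP or UDP, while PPTP also needs GRE, so a `tcp ... pptp` redirect alone leaves the tunnel without a data path. The following is an added example, not code from the thread: a small linter for PIX-style configs that flags that condition. The sample configs, the addresses in them and the finding names are constructed for illustration.

```python
import re

# Constructed sample configs (documentation addresses, not taken from the thread).
PORT_FORWARD_CFG = """\
access-list inbound permit tcp any host 192.0.2.150 eq pptp
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.0.0.5 pptp netmask 255.255.255.255 0 0
"""
ONE_TO_ONE_CFG = """\
access-list inbound permit tcp any host 192.0.2.150 eq pptp
access-list inbound permit gre any host 192.0.2.150
access-list inbound permit tcp any host 192.0.2.150 eq smtp
static (inside,outside) 192.0.2.150 10.0.0.5 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(.+)$")

def check_pptp(config):
    """Return a list of findings about inbound PPTP in a PIX-style config."""
    redirect = one_to_one = gre_acl = pptp_acl = fixup = False
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            args = m.group(1).split()
            if args[0] in ("tcp", "udp"):
                # Port redirect: static (...) tcp <global> <port> <local> <port> ...
                if len(args) >= 3 and args[2] in ("pptp", "1723"):
                    redirect = True
            else:
                one_to_one = True  # whole-address translation, all IP protocols
        elif line.startswith("access-list") and " permit " in line:
            words = line.split()
            gre_acl |= "gre" in words
            pptp_acl |= words[-2:] in (["eq", "pptp"], ["eq", "1723"])
        elif line.startswith("fixup protocol pptp"):
            fixup = True
    findings = []
    if redirect and not one_to_one:
        findings.append("pptp-redirect-without-gre-path")  # TCP 1723 only, no GRE
    if one_to_one and not gre_acl:
        findings.append("acl-missing-gre")
    if one_to_one and not pptp_acl:
        findings.append("acl-missing-tcp-1723")
    if fixup:
        findings.append("fixup-pptp-present")  # informational only
    return findings
```
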
