Windows 2003 PPTP VPN through PIX 506e

Posted on 2006-06-07
Last Modified: 2013-11-16
I have a PIX 506e firewall that appears to be blocking our VPN connections despite having the appropriate ports opened.  

I'm able to connect to the VPN through the LAN, but am unable to connect from the outside.  When I attempt to connect, I get an error 678.  Here are the running-config lines for the VPN pass-through:

fixup protocol pptp 1723
no names
access-list 101 permit tcp any host eq pptp
access-list 101 permit gre any host
static (inside,outside) tcp pptp yyy.yyy.yyy.yyy pptp netmask 0 0
access-group 101 in interface outside

Am I missing something?  Is the PIX 506e capable of handling this?   Also, I have previously used the Cisco 506e built-in VPN client but have since added 30 additional VPN users through various sales sites.  Do I need to remove the Cisco VPN config first?  Is that in any way hindering the PPTP traffic to the Windows 2003 server?

Thanks in advance,

Question by:krais99
    LVL 79

    Expert Comment

    >static (inside,outside) tcp pptp yyy.yyy.yyy.yyy pptp netmask
    The only way you can have a PPTP server inside your PIX is to have a static 1-1 nat address.
    You need another public IP address other than the one assigned to your outside interface. Then create a static nat
      static (inside,outside) yy.yy.yy.yy netmask
    Change your access-list host to

    There is nothing else in the PIX config that you have to change. The Fixup is for internal clients going out to an external VPN server to guide the GRE back in. It does not work the other way with the server inside and clients outside.
    LVL 2

    Author Comment

    Sorry, I forgot to mention that.  My IPs are set up: = external IP of the firewall = mail = citrix = vpn
    LVL 79

    Accepted Solution

    OK, then just set up the static

    no static (inside,outside) tcp pptp yyy.yyy.yyy.yyy pptp netmask
    clear xlate
    static (inside,outside) yy.yy.yy.yy netmask
    LVL 2

    Author Comment

    Perfect.  Tested and works fine.  

    On a side note to this, is it better to just do a 1-1 static IP map and open ports as needed, or do a 1-1 static IP with ports?  i.e.:
    static (inside,outside) tcp smtp yyy.yyy.yyy.yy1 smtp netmask
    LVL 79

    Expert Comment

    You can't do a port static because GRE does not have ports and the only way to handle it is with a 1-1 IP map.
    Almost everything else you can do with simple port statics.
    My personal preference would be to use port statics where I can and 1-1 when I have to.
    Combine the port static with the acl and you're about as good as it gets.
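As an added example (not code from the thread), a small Python lint that reads a PIX 6.x-style config and flags the exact mistake discussed above: a host that the outside ACL permits GRE to, but that is only mapped by a tcp/udp port static. The sample config is constructed with documentation addresses, and the suggested 1-1 static assumes the /32 netmask form of the accepted answer.

```python
import re

# Constructed sample config (documentation addresses, not the asker's), modelled on
# the question: a TCP port static for PPTP plus a GRE permit on the outside ACL.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
access-list 101 permit tcp any host 203.0.113.10 eq pptp
access-list 101 permit gre any host 203.0.113.10
static (inside,outside) tcp 203.0.113.10 pptp 10.0.0.5 pptp netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

# PIX 6.x syntax: a port static carries a tcp/udp keyword and two ports, a 1-1 static does not.
PORT_STATIC = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) \S+ netmask")
FULL_STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GRE_PERMIT = re.compile(r"^access-list \S+ permit gre .* host (\S+)$")


def audit_gre_statics(config: str) -> list:
    """Report global addresses permitted to receive GRE (IP protocol 47) that are
    reachable only through TCP/UDP port statics. GRE has no port numbers, so a
    port static never translates it; such a host needs a 1-1 static."""
    port_targets, full_targets = {}, set()   # global ip -> (in_if, out_if, local ip)
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_STATIC.match(line)
        if m:
            port_targets[m.group(3)] = (m.group(1), m.group(2), m.group(4))
        elif FULL_STATIC.match(line):
            full_targets.add(FULL_STATIC.match(line).group(3))
    findings = []
    for raw in config.splitlines():
        m = GRE_PERMIT.match(raw.strip())
        if not m or m.group(1) in full_targets:
            continue                     # no GRE rule, or a 1-1 static already covers it
        gip = m.group(1)
        if gip in port_targets:
            in_if, out_if, lip = port_targets[gip]
            fix = f"static ({in_if},{out_if}) {gip} {lip} netmask 255.255.255.255 0 0"
            findings.append((gip, "GRE permitted but host only has a port static", fix))
        else:
            findings.append((gip, "GRE permitted but no static maps this host", "add a 1-1 static"))
    return findings


if __name__ == "__main__":
    for gip, problem, fix in audit_gre_statics(SAMPLE_CONFIG):
        print(f"{gip}: {problem}; suggested: {fix}")
```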
