Windows 2003 PPTP VPN through PIX 506e

Posted on 2006-06-07
Medium Priority
Last Modified: 2013-11-16
I have a PIX 506e firewall that appears to be blocking our VPN connections despite having the appropriate ports opened.  

I'm able to connect to the VPN through the LAN, but am unable to connect from the outside. When I attempt to connect, I get an error 678. Here are the running-config lines for the VPN pass-through:

fixup protocol pptp 1723
no names
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq pptp
access-list 101 permit gre any host xxx.xxx.xxx.xxx
static (inside,outside) tcp xxx.xxx.xxx.xxx pptp yyy.yyy.yyy.yyy pptp netmask 0 0
access-group 101 in interface outside

Am I missing something?  Is the PIX 506e capable of handling this?   Also, I have previously used the Cisco 506e built-in VPN client but have since added 30 additional VPN users through various sales sites.  Do I need to remove the Cisco VPN config first?  Is that in any way hindering the PPTP traffic to the Windows 2003 server?

Thanks in advance,

Question by:krais99
LVL 79

Expert Comment

ID: 16857940
>static (inside,outside) tcp xxx.xxx.xxx.xxx pptp yyy.yyy.yyy.yyy pptp netmask
The only way you can have a PPTP server inside your PIX is to have a static 1-1 nat address.
You need another public IP address other than the one assigned to your outside interface. Then create a static NAT:
  static (inside,outside) xxx.xxx.xx.xx2 yy.yy.yy.yy netmask
Change your access-list host xxx.xxx.xxx.xxx to xxx.xxx.xx.xx2

There is nothing else in the PIX config that you have to change. The Fixup is for internal clients going out to an external VPN server to guide the GRE back in. It does not work the other way with the server inside and clients outside.

Author Comment

ID: 16857965
Sorry, I forgot to mention that. My IPs are set up:

xxx.xxx.xxx.xx1 = external IP of the firewall
xxx.xxx.xxx.xx2 = mail
xxx.xxx.xxx.xx3 = citrix
xxx.xxx.xxx.xx4 = vpn
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16858072
OK, then just set up the static:

no static (inside,outside) tcp xxx.xxx.xxx.xxx pptp yyy.yyy.yyy.yyy pptp netmask
clear xlate
static (inside,outside) xxx.xxx.xxx.xx4 yy.yy.yy.yy netmask

Author Comment

ID: 16861329
Perfect. Tested and works fine.

On a side note to this, is it better to just do a 1-1 static IP map and open ports as needed, or do a 1-1 static IP with ports? i.e.:
static (inside,outside) tcp xxx.xxx.xxx.xx2 smtp yyy.yyy.yyy.yy1 smtp netmask
LVL 79

Expert Comment

ID: 16865892
You can't do a port static because GRE does not have ports and the only way to handle it is with a 1-1 IP map.
Almost everything else you can do with simple port statics.
My personal preference would be to use port statics where I can and 1-1 when I have to.
Combine the port static with the acl and you're about as good as it gets.
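
As an added illustration (not part of the thread, and not Cisco's own tooling), a small Python checker that applies lrmoore's rule to PIX 6.x static and access-list lines: a PPTP server behind the PIX needs the ACL to permit tcp/1723 and GRE to the public host, and the static must be a 1-1 map, because GRE carries no port for a port static to translate. The addresses and both config snippets are constructed placeholders.

```python
import re

# Constructed PIX 6.x snippets modelled on the thread; 203.0.113.x / 192.168.1.x are placeholders.
# First the questioner's port static, then lrmoore's 1-1 static replacement.
PORT_STATIC_CONFIG = """
fixup protocol pptp 1723
access-list 101 permit tcp any host 203.0.113.4 eq pptp
access-list 101 permit gre any host 203.0.113.4
static (inside,outside) tcp 203.0.113.4 pptp 192.168.1.4 pptp netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""
ONE_TO_ONE_CONFIG = PORT_STATIC_CONFIG.replace(
    "static (inside,outside) tcp 203.0.113.4 pptp 192.168.1.4 pptp netmask 255.255.255.255 0 0",
    "static (inside,outside) 203.0.113.4 192.168.1.4 netmask 255.255.255.255")

def parse_static(line):
    """Return (global_ip, kind) for a static line, kind being 'port' or 'one-to-one'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    if tok[2] in ("tcp", "udp"):   # static (in,out) tcp GLOBAL GPORT LOCAL LPORT netmask ...
        return tok[3], "port"
    return tok[2], "one-to-one"    # static (in,out) GLOBAL LOCAL netmask ...

def check_pptp_exposure(config, public_ip):
    """List what blocks a PPTP server on public_ip: the ACL must permit tcp/1723 and GRE to the
    host, and the static must be 1-1 since GRE (IP protocol 47) has no port to port-map."""
    host_re = re.compile(r"\bhost " + re.escape(public_ip) + r"(\s|$)")
    tcp_ok = gre_ok = False
    statics = set()
    for line in (l.strip() for l in config.splitlines()):
        tok = line.split()
        if line.startswith("access-list") and "permit" in tok and host_re.search(line):
            if tok[3] == "tcp" and re.search(r"\beq (pptp|1723)$", line):
                tcp_ok = True
            elif tok[3] == "gre":
                gre_ok = True
        elif line.startswith("static "):
            parsed = parse_static(line)
            if parsed and parsed[0] == public_ip:
                statics.add(parsed[1])
    problems = []
    if not tcp_ok:
        problems.append("no ACL permitting tcp/1723 (pptp) to the host")
    if not gre_ok:
        problems.append("no ACL permitting gre to the host")
    if "one-to-one" not in statics:
        problems.append("only a tcp port static: GRE has no port, so it is never translated; use a 1-1 static"
                        if "port" in statics else "no static translation for the host")
    return problems
```

Running it on the two snippets reports the port-static problem for the first and nothing for the second, which matches what the thread found.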
