Cisco PIX506e...connecting to outside VPN...

Posted on 2006-06-29
Last Modified: 2012-05-05
I have little working knowledge on Cisco firewalls, so answer accordingly please.  In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall?  Somone told me to make sure PPTP and SIP were enabled.  I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic.  Thank you!
Question by:AConover
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 11

Assisted Solution

prueconsulting earned 70 total points
ID: 17013071
it depends on the type of VPN

but typically adding the following will allow most VPN connections to work

# to Allow PPTP
fixup protocol pptp 1723
sysopt connection permit-pptp  

# to allow NAT traversal for IPSec

isakmp nat-traversal 20
LVL 19

Expert Comment

ID: 17014463
Re pptp it depends on your OS version.  The fixup above fixes the issue of pptp outbound when using PAT.  This fixup is only in 6.3(3) or later but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5)

If you have an earlier software release and do not have the CCO to download new images you need to create a static nat and allow gre traffic back to the translated host from the pptp public ip.  See here for details of how to configure this:


Author Comment

ID: 17017175
The Version is 6.3(3)
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI.  I need more guidance on making command line changes (not even sure how to log into it through command line).  PPTP and SIP need to be enabled.  Thanks for your help so far!
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

LVL 19

Accepted Solution

nodisco earned 80 total points
ID: 17017347
First of all--------------------------
To use the CLI:
The first step is to connect the firewall to a PC so that you can begin the configuration. This is done via the blue console cable that comes with the firewall. Plug one end into the console port on the back of the firewall and the other end to a serial port on a PC. You can use hyperterminal or another terminal emulator program to connect to the firewall.
The terminal settings are:

9600 bps

8 data bits

No parity

1 stop bit
No flow control

Once the firewall is connected to the PC and the emulation software is running press enter several times to bring up the login prompt which will look like this:
At the prompt type enable and press enter. You will be prompted for a password. The initial password for all PIX firewalls is blank so just press enter and you will get the enable prompt:
Type configure term and hit enter

If you have Cisco CCO you can upgrade your PIX to 6.3(5) and use the fixup for pptp protocol support - this is definetly the preferred option.
fixup protocol pptp 1723

Although this is included in 6.3(3) there is a bug in it and it does not always work correctly.  If you cannot upgrade - do the following:

pixfirewall(config)#static (inside,outside) [spare public ip] [inside ip]  netmask
pixfirewall(config)#access-list acl-out permit gre host [public ip of pptp server]  host [spare public ip]
pixfirewall(config)#access-group acl-out in interface outside

In this example you are translating your pc inside [inside ip] that you want to use pptp client  - to a spare public ip on the PIX.  You are then allowing pptp traffic come in from the pptp server to this host.

Note - this example is using an access-list called acl-out.  If you have a different access-list currently applied to your outside interface, do not use the one above.  Replace "acl-out" with the name of your current access-list.  that way you will be adding these lines to the access-list rather than disabling what is currently in use.  

I understand there is a lot in this - feel free to ask if this is not clear



Author Comment

ID: 17017514
I was able to establish a telnet session with the PIX.  I completed the first command "fixup protocol pptp 1723" and did not receive any errors.  I'm waiting for the user to arrive for testing.

I don't have a CCO, I think we did at one point but it has since expired.  The second (alternative step) seems a bit confusing.  I don't have an extra spare Pubic IP.  Hopefully the first option works.  No other steps are required with that command?

Author Comment

ID: 17017550
Addendum to my last post:

According to the link you sent me before:

For version 6.3(3) I need to enter do this as well??:

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0 0

     pixfirewall(config)#global (outside) 1 interface

LVL 19

Expert Comment

ID: 17017600
the nat and global commands are not necessary per the example - they just show how the pptp works in this situation.  You will already have nat and global commands of some description configured.  

the fixup for pptp was introduced in 6.3(3).  There are bugs in it that were fixed in 6.3(4).  Just an FYI that you may experience trouble with it.


Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question