Cisco PIX506e...connecting to outside VPN...

Posted on 2006-06-29
Medium Priority
Last Modified: 2012-05-05
I have little working knowledge on Cisco firewalls, so answer accordingly please.  In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall?  Someone told me to make sure PPTP and SIP were enabled.  I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic.  Thank you!
Question by:AConover
LVL 11

Assisted Solution

prueconsulting earned 280 total points
ID: 17013071
it depends on the type of VPN

but typically adding the following will allow most VPN connections to work

# to Allow PPTP
fixup protocol pptp 1723
sysopt connection permit-pptp  

# to allow NAT traversal for IPSec

isakmp nat-traversal 20
LVL 19

Expert Comment

ID: 17014463
Re pptp it depends on your OS version.  The fixup above fixes the issue of pptp outbound when using PAT.  This fixup is only in 6.3(3) or later but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5)

If you have an earlier software release and do not have the CCO to download new images you need to create a static nat and allow gre traffic back to the translated host from the pptp public ip.  See here for details of how to configure this:


Author Comment

ID: 17017175
The Version is 6.3(3)
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI.  I need more guidance on making command line changes (not even sure how to log into it through command line).  PPTP and SIP need to be enabled.  Thanks for your help so far!

LVL 19

Accepted Solution

nodisco earned 320 total points
ID: 17017347
First of all:
To use the CLI:
The first step is to connect the firewall to a PC so that you can begin the configuration. This is done via the blue console cable that comes with the firewall. Plug one end into the console port on the back of the firewall and the other end to a serial port on a PC. You can use hyperterminal or another terminal emulator program to connect to the firewall.
The terminal settings are:

9600 bps
8 data bits
No parity
1 stop bit
No flow control

Once the firewall is connected to the PC and the emulation software is running press enter several times to bring up the login prompt which will look like this:
At the prompt type enable and press enter. You will be prompted for a password. The initial password for all PIX firewalls is blank so just press enter and you will get the enable prompt:
Type configure term and hit enter

If you have Cisco CCO you can upgrade your PIX to 6.3(5) and use the fixup for pptp protocol support - this is definitely the preferred option.
fixup protocol pptp 1723

Although this is included in 6.3(3) there is a bug in it and it does not always work correctly.  If you cannot upgrade - do the following:

pixfirewall(config)#static (inside,outside) [spare public ip] [inside ip]  netmask
pixfirewall(config)#access-list acl-out permit gre host [public ip of pptp server]  host [spare public ip]
pixfirewall(config)#access-group acl-out in interface outside

In this example you are translating your pc inside [inside ip] that you want to use as a pptp client - to a spare public ip on the PIX.  You are then allowing pptp traffic to come in from the pptp server to this host.

Note - this example is using an access-list called acl-out.  If you have a different access-list currently applied to your outside interface, do not use the one above.  Replace "acl-out" with the name of your current access-list.  That way you will be adding these lines to the access-list rather than disabling what is currently in use.

I understand there is a lot in this - feel free to ask if this is not clear



Author Comment

ID: 17017514
I was able to establish a telnet session with the PIX.  I completed the first command "fixup protocol pptp 1723" and did not receive any errors.  I'm waiting for the user to arrive for testing.

I don't have a CCO, I think we did at one point but it has since expired.  The second (alternative) step seems a bit confusing.  I don't have an extra spare Public IP.  Hopefully the first option works.  No other steps are required with that command?

Author Comment

ID: 17017550
Addendum to my last post:

According to the link you sent me before:

For version 6.3(3) do I need to do this as well??:

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0 0

     pixfirewall(config)#global (outside) 1 interface

LVL 19

Expert Comment

ID: 17017600
the nat and global commands are not necessary per the example - they just show how the pptp works in this situation.  You will already have nat and global commands of some description configured.  

the fixup for pptp was introduced in 6.3(3).  There are bugs in it that were fixed in 6.3(4).  Just an FYI that you may experience trouble with it.
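As an added example (not code from any poster in this thread), a small Python checker that audits a PIX 6.x config excerpt against the two approaches discussed in the accepted solution and the follow-up comment: the pptp fixup (reliable only from 6.3(4) per the thread) or the static-plus-GRE fallback for a specific inside host. The sample config, IP addresses and the threshold version are constructed assumptions for illustration.

```python
import re

# Constructed sample of a PIX 6.x config excerpt (not from the thread). It has the
# pptp fixup on a 6.3(3) image plus the static/GRE fallback for one inside host.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
fixup protocol pptp 1723
nat (inside) 1 0 0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
access-list acl-out permit gre host 198.51.100.5 host 203.0.113.10
access-group acl-out in interface outside
"""

def parse_version(cfg):
    """Return (major, minor, maint) from the 'PIX Version' line, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", cfg, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def check_pptp_outbound(cfg):
    """Report how a PIX 6.x config supports outbound PPTP clients behind PAT."""
    version = parse_version(cfg)
    fixup = re.search(r"^fixup protocol pptp \d+", cfg, re.M) is not None
    # fixup exists from 6.3(3); the thread reports 6.3(3) itself as buggy (assumed threshold)
    fixup_reliable = fixup and version is not None and version >= (6, 3, 4)
    statics = {pub: inside for pub, inside in
               re.findall(r"^static \(inside,outside\) (\S+) (\S+)", cfg, re.M)}
    bound = set(re.findall(r"^access-group (\S+) in interface outside", cfg, re.M))
    findings, fallback = [], []
    if fixup and not fixup_reliable:
        findings.append("pptp fixup present but image is 6.3(3) or older; upgrade to 6.3(4)+")
    for acl, _server, pub in re.findall(
            r"^access-list (\S+) permit gre host (\S+) host (\S+)", cfg, re.M):
        if acl not in bound:
            findings.append(f"ACL {acl} permits GRE but is not applied to outside")
        elif pub not in statics:
            findings.append(f"GRE permitted to {pub} but no static maps it inside")
        else:
            fallback.append(statics[pub])  # inside host with a working GRE return path
    if not fixup_reliable and not fallback:
        findings.append("no working path for GRE return traffic: PPTP will fail")
    return {"version": version, "fixup_present": fixup,
            "fixup_reliable": fixup_reliable, "fallback_hosts": fallback,
            "findings": findings}

if __name__ == "__main__":
    for line in check_pptp_outbound(SAMPLE_CONFIG)["findings"]:
        print(line)
```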

