PIX 506E PPTP 1

Status
Not open for further replies.

tsap

IS-IT--Management
Apr 19, 2005
69
CA
OK here's the setup.

I have a Windows 2000 PPTP server and a PIX 506E on the inside network. I have a client that needs to connect to the server via pptp vpn outside of the network. I only have 1 public address at each location.


So here are the numbers:

Windows 2000 PPTP Server:

inside: 192.168.111.100
outside: 34.34.34.50

PPTP Client:

outside: 34.34.34.55


I have looked at the Cisco help site and found this to be what I think I need. But I only have 1 public address, so I need a way of setting this up so it points to the ports it needs to pass through.


access-list acl-out permit gre host 34.34.34.55 host 34.34.34.50
access-list acl-out permit tcp host 34.34.34.55 host 34.34.34.50 eq 1723
static (inside,outside) 34.34.34.50 192.168.111.100 netmask 255.255.255.255 0 0
access-group acl-out in interface outside


 
Your static map seems to be correct, and if TCP 1723 and GRE are all PPTP requires then that seems correct as well.

I'm not a PPTP expert, so I can't verify your ACL is right. Do you see anything being blocked by your ACL in your logs when the client is trying to connect ("show log" if logging is on ["logging on" and "logging buffered informational" to turn it on])? You can also try just allowing IP from .55 to .50 and seeing if that works. If it does, sniff to see what additional ports are required. If not, try to ping .50 from .55 to make sure the static map is correct. If you have another PPTP server, see if .55 is able to connect to it. ISPs can block this type of traffic. You can also try to connect another PPTP client to .50.
 
Well, I've used that setup and the access rules seem good, but on the NAT side it just maps my inside IP to my outside IP. It has no ports mapped with NAT. I think that's where my problem is. I don't know how to map the GRE and PPTP ports with NAT.
 
Try adding fixup protocol pptp 1723

And with one public IP you need to change the static statement.

static (inside,outside) tcp publicIP 1723 privateIP 1723

That should be enough. And as jjoh850 says, check to see that no ACLs are restricting traffic.
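Putting the two replies together, as an added example that is not from the thread: a PIX 6.x configuration that passes the single known PPTP client through to the inside server using one public address. It assumes 34.34.34.50 is the outside interface's own address (hence the `interface` keyword in the static); addresses and ACL name otherwise follow the thread.

```cisco
! Added example, not from the thread. Assumes PIX 6.3 software and that
! 34.34.34.50 is the address of the PIX outside interface itself.

! Inspect the PPTP control channel (TCP 1723) so the GRE data channel
! that follows it is translated along with the port static below.
fixup protocol pptp 1723

! With one public address, translate only TCP 1723 to the inside server
! instead of mapping the whole address. "interface" means the outside
! interface's own IP; if 34.34.34.50 were a separate routable address,
! the address itself would go in its place.
static (inside,outside) tcp interface 1723 192.168.111.100 1723 netmask 255.255.255.255 0 0

! Permit only the known client to reach the control and data channels;
! the ACL on the outside interface references the public (translated) address.
access-list acl-out permit tcp host 34.34.34.55 host 34.34.34.50 eq 1723
access-list acl-out permit gre host 34.34.34.55 host 34.34.34.50
access-group acl-out in interface outside

! Verification, as jjoh850 suggests: turn on buffered logging and check
! for denies attributed to acl-out while the client attempts to connect.
logging on
logging buffered informational
show log
```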
 