Eric,

To get PPTP to work with PAT, you need to play with it like you do with IPSec. Check out:

http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

You need to statically map TCP 1723 on the outside to your inside PC, same port. At one time I thought it needed GRE, but I don't see it listed on that doc.

HTH.
Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Neil Moore"
To: "eric nguyen" ; ;
Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

> It's all broken... I will give you 500 bux for that pix ..no problem!
> ----------------------------------------
> Neil Moore CCIE#10044
> ----- Original Message -----
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT
> >
> > I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> > (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the firewall at
> > 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> > on both the "inside" and "dmz" access the Internet via Port Address Translation
> > (PAT) to the "outside" interface and it seems to work OK. On the "inside" network,
> > I have a Websense filter server (IP 172.16.1.2) to do URL filtering for both the "inside"
> > and "outside" interface. I use the Websense server to filter out traffic that I don't want
> > my children to see. Everything is working great with a minor exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network (IP
> > 172.16.1.100) to a PPTP server at my work place. The problem is that the
> > connection keeps timing out. The connection times out at "verify username and
> > password". To make sure that this is not a problem with my laptop, I hooked my
> > laptop directly to the cable modem (I have roadrunner). Since my laptop has a valid
> > external IP address, PPTP works. If I place the laptop on the "inside" network
> > behind the "franken" pix, PPTP doesn't work. I even made the firewall "wide-open" for
> > both inbound and outbound and it still doesn't work. Now if I replace the "franken"
> > pix firewall with a linux firewall, PPTP works just fine through IP masquerading, which
> > is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP connection
> > from behind a Pix firewall via Port Address Translation (PAT)? Does it even work
> > at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost
> > me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this
> > "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it cannot
> > even do a simple thing like allowing PPTP through PAT. My linux firewall is
> > running on a Pentium 90MHz with 64MB of RAM and PPTP works just fine, and it
> > cost me $20 for that old system.
> >
> > I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> > If anyone has PPTP working through PAT, please reply. Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration
> >
> > HERNDON-PIX# wr t
> > Building configuration...
> > : Saved
> > :
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security99
> > nameif ethernet3 dmz2 security98
> > enable password ***************** encrypted
> > passwd ********************* encrypted
> > hostname HOME-PIX
> > domain-name home.com
> > clock timezone est -5
> > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list compiled
> > access-list 100 permit icmp any any
> > access-list 100 permit ip any any
> > access-list 100 permit gre any any
> > access-list 101 permit ip any any
> > access-list 101 permit icmp any any
> > access-list 101 permit gre any any
> > access-list 200 permit ip any any
> > access-list 200 permit icmp any any
> > access-list 200 permit gre any any
> > pager lines 24
> > logging on
> > logging timestamp
> > logging monitor debugging
> > logging trap notifications
> > logging facility 23
> > logging queue 1024
> > logging host inside 172.16.1.2
> > interface ethernet0 auto
> > interface ethernet1 100full
> > interface ethernet2 100full
> > interface ethernet3 100full shutdown
> > mtu outside 1500
> > mtu inside 1500
> > mtu dmz 1500
> > mtu dmz2 1500
> > ip address outside 4.64.1.100 255.255.252.0
> > ip address inside 172.16.1.254 255.255.255.0
> > ip address dmz 172.17.1.254 255.255.255.0
> > ip address dmz2 127.0.0.1 255.255.255.255
> > ip verify reverse-path interface outside
> > ip verify reverse-path interface inside
> > ip audit name inside-attack attack action alarm
> > ip audit name inside-info info action alarm
> > ip audit interface outside inside-info
> > ip audit interface outside inside-attack
> > ip audit interface inside inside-info
> > ip audit interface inside inside-attack
> > ip audit info action alarm
> > ip audit attack action alarm
> > no failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address dmz 0.0.0.0
> > failover ip address dmz2 0.0.0.0
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
> > nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
> > static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
> > access-group 100 in interface outside
> > access-group 101 in interface inside
> > access-group 200 in interface dmz
> > route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
> > filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > ntp server 4.2.2.2 source outside
> > ntp server 172.16.1.2 source inside
> > http server enable
> > http 0.0.0.0 0.0.0.0 outside
> > http 0.0.0.0 0.0.0.0 inside
> > snmp-server host inside 172.16.1.2
> > snmp-server location Home
> > snmp-server contact Eric Nguyen
> > snmp-server community home
> > snmp-server enable traps
> > tftp-server inside 172.16.1.2 /
> > floodguard enable
> > no sysopt route dnat
> > telnet 0.0.0.0 0.0.0.0 inside
> > telnet timeout 60
> > ssh 0.0.0.0 0.0.0.0 outside
> > ssh 0.0.0.0 0.0.0.0 inside
> > ssh timeout 60
> > terminal width 80
> > Cryptochecksum:9ccb719c169af814515292a4bf0a9023
> > : end
> > [OK]
> > HERNDON-PIX#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59663&t=59663
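An added example, not part of this thread: a small Python checker that reads the NAT and ACL lines of a PIX 6.x config like the one Eric posted and reports the two things the reply at the top of this message calls for before a PPTP client behind PAT can be expected to work (a static TCP 1723 mapping to the client, and GRE admitted by the ACL applied inbound on the outside interface). The config excerpts, the `static` port-redirection line and the function name `pptp_readiness` are constructed for this example.

```python
import re

# Constructed excerpt of the PIX 6.2 config quoted in the thread (NAT/ACL lines only).
ORIGINAL_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit ip any any
access-list 100 permit gre any any
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
access-group 100 in interface outside
"""

# The same excerpt plus the port redirection the reply recommends: TCP 1723
# arriving on the outside interface goes to the laptop on the same port (PIX 6.x
# static port-redirection syntax; this line is constructed, not from the post).
FIXED_CONFIG = ORIGINAL_CONFIG + (
    "static (inside,outside) tcp interface 1723 172.16.1.100 1723 "
    "netmask 255.255.255.255 0 0\n"
)


def pptp_readiness(config, inside_host):
    """Report what a PPTP client at inside_host needs from this PIX config."""
    config = "\n".join(ln.strip() for ln in config.splitlines())
    # Inside hosts are PAT'ed to the outside address when a 'global ... interface'
    # pool id matches the id used by 'nat (inside)'.
    pools = set(re.findall(r"^global \(outside\) (\d+) interface$", config, re.M))
    nat_pools = set(re.findall(r"^nat \(inside\) (\d+) ", config, re.M))
    pat_only = bool(pools & nat_pools)
    # PPTP control channel (TCP 1723): the static mapping the reply asks for.
    static_re = (r"^static \(inside,outside\) tcp \S+ 1723 "
                 rf"{re.escape(inside_host)} 1723\b")
    control_mapped = re.search(static_re, config, re.M) is not None
    # GRE (IP protocol 47) carries the tunnelled PPP frames and has no ports, so
    # the ACL applied inbound on 'outside' must admit it (gre, or ip any any).
    acls = re.findall(r"^access-group (\S+) in interface outside$", config, re.M)
    acl = acls[0] if acls else None
    gre_ok = acl is not None and re.search(
        rf"^access-list {re.escape(acl)} permit (gre|ip) any any$", config, re.M) is not None
    missing = []
    if not control_mapped:
        missing.append(f"static (inside,outside) tcp interface 1723 {inside_host} 1723 "
                       "netmask 255.255.255.255 0 0")
    if not gre_ok:
        missing.append(f"access-list {acl or '<outside-acl>'} permit gre any any")
    return {"pat_only": pat_only, "control_channel_mapped": control_mapped,
            "gre_permitted_inbound": gre_ok, "missing": missing}
```

Calling `pptp_readiness(ORIGINAL_CONFIG, "172.16.1.100")` flags the missing 1723 mapping on the posted config, and the same call on `FIXED_CONFIG` reports nothing missing.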