Eric,

According to Cisco's recommendations you should do the following steps:
1. Create a static address translation for your laptop:
   static (inside,outside) netmask 255.255.255.255 0 0
2. Configure an access-list to permit GRE (you have it enabled for ALL ALL, but it may be a better idea to permit it only for specific hosts):
   access-list acl-out permit gre host host
3. Apply the access-list to the interface (you have it done):
   access-group acl-out in interface outside

So, all you should do is create a static NAT translation for your laptop.

Good luck,
Michael Shavrov

----- Original Message -----
From: "eric nguyen"
To: ;
Sent: Friday, December 20, 2002 4:47 PM
Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT

> I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with PDM 2.1(1).
> My internal network is 172.16.1.0/24, and the "inside" interface of the firewall is
> 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have
> a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> on both the "inside" and "dmz" access the Internet via Port Address Translation
> (PAT) to the "outside" interface and it seems to work OK. On the "inside" network,
> I have a Websense filter server (IP 172.16.1.2) to do URL filtering for both the "inside"
> and "outside" interface. I use the Websense server to filter out traffic that I don't want
> my children to see. Everything is working great with a minor exception:
> I need to make a PPTP connection from a laptop on the "inside" network (IP
> 172.16.1.100) to a PPTP server at my workplace. The problem is that the
> connection keeps timing out. The connection times out at "verify username and
> password". To make sure that this is not a problem with my laptop, I hooked my
> laptop directly to the cable modem (I have Roadrunner). Since my laptop has a valid
> external IP address, PPTP works.
> If I place the laptop on the "inside" network
> behind the "franken" pix, PPTP doesn't work. I even made the firewall "wide open" for
> both inbound and outbound and it still doesn't work. Now if I replace the "franken"
> pix firewall with a linux firewall, PPTP works just fine through IP masquerading, which
> is equivalent to PAT.
>
> My question is this: has anyone been able to successfully initiate a PPTP connection
> from behind a Pix firewall via Port Address Translation (PAT)? Does it even work
> at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost
> me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this
> "franken" pix is equivalent to a Cisco Pix 525 (minus the Gigabit interface) and it can
> not even do a simple thing like allowing PPTP through PAT. My linux firewall is
> running on a Pentium 90 MHz with 64MB of RAM and PPTP works just fine, and it
> cost me $20 for that old system.
> I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> If anyone has PPTP working through PAT, please reply. Thanks.
>
> Eric.
>
> Here is my Pix configuration:
>
> HERNDON-PIX# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security99
> nameif ethernet3 dmz2 security98
> enable password ***************** encrypted
> passwd ********************* encrypted
>
> hostname HOME-PIX
> domain-name home.com
>
> clock timezone est -5
> clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
>
> access-list compiled
> access-list 100 permit icmp any any
> access-list 100 permit ip any any
> access-list 100 permit gre any any
>
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> access-list 101 permit gre any any
>
> access-list 200 permit ip any any
> access-list 200 permit icmp any any
> access-list 200 permit gre any any
>
> pager lines 24
>
> logging on
> logging timestamp
> logging monitor debugging
> logging trap notifications
> logging facility 23
> logging queue 1024
> logging host inside 172.16.1.2
>
> interface ethernet0 auto
> interface ethernet1 100full
> interface ethernet2 100full
> interface ethernet3 100full shutdown
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu dmz2 1500
> ip address outside 4.64.1.100 255.255.252.0
> ip address inside 172.16.1.254 255.255.255.0
> ip address dmz 172.17.1.254 255.255.255.0
> ip address dmz2 127.0.0.1 255.255.255.255
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit name inside-attack attack action alarm
> ip audit name inside-info info action alarm
> ip audit interface outside inside-info
> ip audit interface outside inside-attack
> ip audit interface inside inside-info
> ip audit interface inside inside-attack
> ip audit info action alarm
> ip audit attack action alarm
>
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> failover ip address dmz2 0.0.0.0
>
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 172.16.1.0 255.255.255.0 0 0
> nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
> static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
> access-group 100 in interface outside
> access-group 101 in interface inside
> access-group 200 in interface dmz
> route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> ntp server 4.2.2.2 source outside
> ntp server 172.16.1.2 source inside
> http server enable
> http 0.0.0.0 0.0.0.0 outside
>
> http 0.0.0.0 0.0.0.0 inside
>
> snmp-server host inside 172.16.1.2
> snmp-server location Home
> snmp-server contact Eric Nguyen
> snmp-server community home
> snmp-server enable traps
> tftp-server inside 172.16.1.2 /
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 60
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 0.0.0.0 0.0.0.0 inside
> ssh timeout 60
> terminal width 80
> Cryptochecksum:9ccb719c169af814515292a4bf0a9023
> : end
> [OK]
>
> HERNDON-PIX#
>
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable.
> Sign up now

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59662&t=59662
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
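Why the session stalls exactly at "verify username and password" and why Michael's static translation fixes it, as an added illustration that is not part of the thread or of PIX software: PPTP authenticates over PPP inside GRE (IP protocol 47), which carries no port numbers, so a many-to-one PAT on a PIX 6.2 without a PPTP-aware fixup has nothing to match the server's returning GRE against, while a one-to-one static maps it back by address alone. The thread's own addresses are used; the PPTP server (PPTP_SERVER) and the spare public IP (STATIC_PUBLIC) are constructed placeholders, and the outside access-list that must additionally permit GRE to the static (Michael's step 2) is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the thread; PPTP_SERVER and STATIC_PUBLIC are constructed placeholders.
LAPTOP = "172.16.1.100"         # Eric's laptop on the inside network
OUTSIDE_IF = "4.64.1.100"       # PIX outside interface, the PAT address
PPTP_SERVER = "198.51.100.23"   # constructed (RFC 5737 documentation range)
STATIC_PUBLIC = "203.0.113.10"  # constructed: a spare public IP for the 1:1 static
TCP, GRE = 6, 47                # PPTP = TCP 1723 control channel + GRE tunnel

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # GRE carries no ports, only a Call ID in its header
    dport: Optional[int] = None

class Translator:
    """Address/port translation as a PIX without a PPTP fixup performs it."""
    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.static = static or {}  # inside IP -> public IP, one-to-one (static NAT)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}  # PAT table
        self.next_port = 1024

    def outbound(self, p: Packet) -> Packet:
        if p.src in self.static:  # static NAT rewrites the address only; any protocol passes
            return Packet(self.static[p.src], p.dst, p.proto, p.sport, p.dport)
        if p.sport is None:       # many-to-one PAT has nothing to multiplex on
            raise ValueError(f"no port to translate for IP protocol {p.proto}")
        self.next_port += 1
        self.xlate[(OUTSIDE_IF, self.next_port)] = (p.src, p.sport)
        return Packet(OUTSIDE_IF, p.dst, p.proto, self.next_port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        for inside, public in self.static.items():
            if p.dst == public:   # 1:1 mapping: GRE to the static maps straight back
                return Packet(p.src, inside, p.proto, p.sport, p.dport)
        hit = self.xlate.get((p.dst, p.dport))  # PAT lookup needs a destination port
        if hit is None:
            return None           # no xlate: dropped, so PPP auth inside GRE never completes
        return Packet(p.src, hit[0], p.proto, p.sport, hit[1])

def pptp_session(t: Translator) -> Optional[Packet]:
    """TCP 1723 control channel out (works either way), then the server's GRE back in."""
    ctl = t.outbound(Packet(LAPTOP, PPTP_SERVER, TCP, 1040, 1723))
    return t.inbound(Packet(PPTP_SERVER, ctl.src, GRE))  # GRE goes to the address the server saw

if __name__ == "__main__":
    print("PAT:", pptp_session(Translator()))  # None: the tunnel packet is dropped
    print("static:", pptp_session(Translator({LAPTOP: STATIC_PUBLIC})))
```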