PPTP (Point-to-Point Tunneling Protocol) through PIX Firewall

Contributed by abanks, February 9, 2004
Tagged: Cisco firewall

How to pass PPTP traffic through a PIX Firewall

This recipe is outdated. See this one: http://www.tech-recipes.com/rx/2222/pptp_on_cisco_asa_or_pix_6_3_or_later_code.

Cisco PIX Firewalls require two elements to pass traffic from the outside interface (lower security level) to the inside interface (higher security level): a static translation and a conduit (or, on newer code, an access-list applied to the outside interface).

For this example, assume a server has IP address 192.168.1.100 and there is an available outside address of 1.1.1.1.

First, create the static translation. This configuration line maps 1.1.1.1 (the public Internet address) to 192.168.1.100 (the inside, private address):

static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0

Next, create the conduits that allow the specific traffic to pass from the outside to the inside interface. According to the document this recipe was based on, PPTP uses TCP/1723, TCP/139, UDP/137 (NetBIOS-NS), UDP/138 (NetBIOS-DGM), and IP protocol 47 (GRE).

This is not needed. This recipe is outdated and based on an old document.

conduit permit tcp host 1.1.1.1 eq 1723 any
conduit permit tcp host 1.1.1.1 eq 139 any
conduit permit udp host 1.1.1.1 eq 137 any
conduit permit udp host 1.1.1.1 eq 138 any
conduit permit gre host 1.1.1.1 any

or
access-list 101 permit tcp any host 1.1.1.1 eq 1723
access-list 101 permit tcp any host 1.1.1.1 eq 139
access-list 101 permit udp any host 1.1.1.1 eq 137
access-list 101 permit udp any host 1.1.1.1 eq 138
access-list 101 permit gre any host 1.1.1.1
access-group 101 in interface outside

A couple of notes:

    In the conduits and access-lists, the any keyword lets matching traffic from any source IP address through the firewall. Replace it with the source IP address of the PPTP peer wherever possible.

    Before entering the last access-list line (access-group 101 in interface outside), check for existing access-lists and for other traffic that must keep flowing: an interface takes a single inbound access-group, so applying list 101 replaces whatever was applied there before, and any rules still needed must be added to list 101 first.

Some of this information came from the Cisco PPTP FAQ.
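As an added example (not part of the original recipe), here is a small Python audit script that parses conduit and access-list permit lines like the ones above and flags what a reviewer would object to: NetBIOS ports exposed to the Internet, anything beyond TCP/1723 and GRE, and rules open to any source. The sample configuration lines are constructed here, and the peer address 203.0.113.5 is a placeholder.

```python
import re

# PPTP itself needs only the control channel (TCP/1723) and GRE (IP protocol 47).
PPTP_REQUIRED = {("tcp", "1723"), ("gre", None)}
# Exposing NetBIOS to the Internet publishes Windows name service and file shares.
NETBIOS_PORTS = {"137", "138", "139"}

# access-list <id> permit <proto> <src> host <dst> [eq <port>]
ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+(?P<proto>\w+)\s+(?P<src>any|host\s+\S+)\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)
# conduit permit <proto> host <dst> [eq <port>] <src>
CONDUIT_RE = re.compile(
    r"conduit\s+permit\s+(?P<proto>\w+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s+(?P<src>any|host\s+\S+)$"
)

def parse_rule(line):
    """Return (proto, dst, port, src) for a conduit/access-list permit line, else None."""
    m = ACL_RE.match(line.strip()) or CONDUIT_RE.match(line.strip())
    if not m:
        return None
    return m["proto"].lower(), m["dst"], m["port"], m["src"]

def audit(config_lines):
    """Return (line, finding) pairs for rules that are risky or unnecessary for PPTP."""
    findings = []
    for line in config_lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue  # not a permit rule (e.g. static, access-group)
        proto, dst, port, src = parsed
        label = f"{proto}/{port}" if port else f"{proto} (IP protocol 47)"
        if proto in ("tcp", "udp") and port in NETBIOS_PORTS:
            findings.append((line, f"NetBIOS {label} exposed to {src}: not needed for PPTP"))
        elif (proto, port) not in PPTP_REQUIRED:
            findings.append((line, f"{label} is not part of PPTP"))
        elif src == "any":
            findings.append((line, f"{label} open to any source; restrict to the peer"))
    return findings

# Constructed sample: the recipe's rules plus one properly restricted GRE rule.
SAMPLE = [
    "conduit permit tcp host 1.1.1.1 eq 1723 any",
    "conduit permit tcp host 1.1.1.1 eq 139 any",
    "conduit permit udp host 1.1.1.1 eq 137 any",
    "conduit permit udp host 1.1.1.1 eq 138 any",
    "conduit permit gre host 1.1.1.1 any",
    "access-list 101 permit tcp any host 1.1.1.1 eq 1723",
    "access-list 101 permit gre host 203.0.113.5 host 1.1.1.1",  # placeholder peer
    "access-group 101 in interface outside",
]
```

Running audit(SAMPLE) yields six findings: three NetBIOS exposures and three rules open to any source; the GRE rule restricted to the placeholder peer passes.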

  • Fluffy
    OK, I'm a newbie when it comes to setting up this PIX. When I add that static statement and the other access-list commands I can get into the network via VPN just fine, but all the computers on the inside network lose Internet access. I took out the access-list and still had the same problem, so I'm pretty sure it's caused by that static entry. Can anyone tell me what I'm doing wrong?
  • Anonymous
    I've got the same problem... If I delete the static rule, all other computers have Internet access, otherwise not :? :cry:
  • Anonymous
    Try adding "fixup protocol pptp 1723" instead of all of the changes above.
  • ko
    You need to check your recipe! You should never open ports 137, 138, 139 to any machine from the Internet.

    PPTP uses TCP 1723 and GRE (protocol 47).

    Ports 137-139 are opening HUGE HOLES in your network security, especially if it is to a Microsoft server; essentially you have told people to open their Windows shares to the world. NEVER OPEN these ports.

    I don't comment on much, but this is bad networking practice at its worst.
  • Anonymous
    Anonymous wrote: Try adding "fixup protocol pptp 1723" instead of all of the changes above.

    This is right on, works like a champ. This only works in PIX version 6.3.3 and up.

    The fixup now takes care of translating the GRE tunnel to a NATted internal IP.
  • Anonymous
    There is a nice solution for Connecting a Cisco PIX to Windows Vista.
    Configure L2TP without certificates to seamlessly migrate from PPTP to L2TP.
    http://support.dmu.edu/VistaandCiscoPIXpptp/ind...