Cisco PIX 501 private addressing

Hi,

Is it possible to configure PPTP VPN to work in the below configuration?

Currently the PIX 501 sits behind an ADSL router. The external interface is not getting a public IP, but a DHCP assignment from the ADSL router (192.168.1.0/24). The internal interface has a DHCP server configured to lease IPs of 172.16.1.0/16 to the internal network. Do I need to configure any port forwarding in the ADSL router? If so, which port should I forward?

I thought of using PPPoE in PIX 501, disable the NAT & change to bridge mode for ADSL router. Do you think this will work? By default is the VPN traffic filtered through access list? How to configure port forwarding in PIX 501?

Thanks

ping

PPTP needs UDP 1723 and GRE (IP protocol 47 -- not a TCP or UDP port!)

Yes, that is a common setup.

Yes, but turning off that filtering is done so often in so many examples that most people mistake the step as just being yet another magical part of creating a VPN.

In particular, if you have sysopt connection permit-pptp then your PPTP traffic will NOT be filtered by the ACLs. The default from the factory is for that not to be enabled: when it is not enabled, VPN traffic is filtered by the inside ACL for outgoing traffic and by the outside ACL for incoming traffic. Therefore, with a single step you can turn off all the PPTP access controls -- or you can take advantage of access controls to be very picky about where the PPTP users can access.

You don't need it for the configuration you've outlined.

When you are using PPTP you very likely associate the vpdn group with an IP address pool of private (RFC1918) IPs, and you very likely configure an access list and use nat (inside) 0 access-list ACLNAME. As well as turning off address translation for the tunneled traffic, it has the side effect of turning off the need to use 'static' or "policy nat" in order to configure port forwarding for VPN users.

Walter Roberson
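
A PIX 6.x configuration fragment for the restrictive choice described in the reply above, added here as an illustration and not posted by either participant: sysopt connection permit-pptp is left at its factory default (off), so, as the reply describes, tunneled PPTP traffic is checked against the outside ACL. The pool range, the names pptp-pool, nonat and outside_in, the vpdn group name and username, and the inside host 172.16.1.10 with its port are constructed placeholders.

```cisco
: --- constructed example values, replace with your own ---
: Address pool handed to PPTP clients (private range, distinct from
: the inside 172.16.x.x network and the ADSL router's 192.168.1.0/24)
ip local pool pptp-pool 192.168.50.1-192.168.50.20

: Exempt inside <-> PPTP-pool traffic from address translation.
: Per the reply, this also removes the need for 'static' entries
: to reach inside hosts from the VPN users.
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: PPTP termination on the outside interface.
: MS-CHAP is required for MPPE; 128-bit encryption is made mandatory.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username EXAMPLE-USER password EXAMPLE-PASSWORD
vpdn enable outside

: 'sysopt connection permit-pptp' is deliberately NOT configured.
: With it absent, traffic arriving from PPTP clients is filtered by
: the ACL applied to the outside interface, so access can be limited
: to exactly what the VPN users need (here: one host, one service).
access-list outside_in permit tcp 192.168.50.0 255.255.255.0 host 172.16.1.10 eq 3389
access-list outside_in deny ip 192.168.50.0 255.255.255.0 any
access-group outside_in in interface outside

: Adding the line below instead would bypass the outside_in checks
: for all PPTP users (the "single step" the reply mentions):
:   sysopt connection permit-pptp
```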
