PIX 501 and PPTP to W2K3 Server problem

I've been beating my head on this for a couple of days now and cannot get PPTP to pass through my PIX 501 so we can get our wireless vpn connections up.

When I initiate the Microsoft VPN (Windows XP Laptop) connection from the client on the outside (Ethernet0 on the pix) to the W2K3 Server running RRAS, I receive an 800 error. However, when I issue a "sh conn", I can see the connection being created, but it has the flags SaAB. After 2 minutes the connection will time out and will be torn down. Not sure what's going on here, but I am able to ping the server from the pix and vice versa.

Now, if I plug the laptop into one of the four ports on the 501, I can bring up the PPTP session without a problem. So, I know the server is working correctly. The only gotcha I can think of is that the server sits on a separate VLAN than that of the pix, but this should not be a problem because I can connect without a problem from the internal switch in the 501.

Network layout is Laptop => WAP => PIX 501 Outside => PIX 501 Inside => Core Switch => Win2K3 RRAS Server

The wireless network is 192.168.192.x and the internal network that the pix is on is 172.16.1.x, but the Win2K3 server is on a separate VLAN addressed as 172.16.253.x

Here is the config:

PIX Version 6.3(5) interface ethernet0 100full interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password xxxxxxxxxxxx encrypted passwd xxxxxxxxxxx encrypted hostname pix domain-name somedomainimadeup.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list outside-in permit tcp any host eq pptp access-list outside-in permit gre any host pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 static (inside,outside) netmask 0

0 access-group outside-in in interface outside route outside 1 route inside 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh inside ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:177c7d78ec5c695480097944369c3f77 : end

Thanks !!

Reply to
Loading thread data ...

All kindsa things messed up.....

1, your acl permits it to 2, Pix has got no idea where is, you got no route for it 3, your static for the server is nat'ing to itself, needs to be nating to the IP you are trying to connect to, by your acl it should be 4, You may need "sysopt connection permit-pptp" in your config. Been a while since I've done anything with PPTP, don't remember if thats for doing it on the Pix or Server or both...
Reply to
Brian V

Sorry about that, the ACL was a typo when I put the config up. It actually reads:

access-list outside-in permit tcp any host eq pptp access-list outside-in permit gre any host

Reply to

Try the sysopt connection permit-pptp. Another thing you may want to try is lowering the MTU on the wireless machines, could be an MTU issue.

Reply to
Brian V

No luck thus far

Here is some more info

sh conn output:

TCP out in idle 0:00:15 Bytes 0 flags SaAB

sh log output:

302013: Built inbound TCP connection 11 for outside: ( to inside: (
Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.