I've been beating my head on this for a couple of days now and cannot get PPTP to pass through my PIX 501 so we can get our wireless vpn connections up.
When I initiate the Microsoft VPN (Windows XP Laptop) connection from the client on the outside (Ethernet0 on the pix) to the W2K3 Server running RRAS, I receive an 800 error. However, when I issue a "sh conn", I can see the connection being created, but it has the flags SaAB. After 2 minutes the connection will time out and will be torn down. Not sure what's going on here, but I am able to ping the server from the pix and vice versa.
Now, if I plug the laptop into one of the four ports on the 501, I can bring up the PPTP session without a problem. So, I know the server is working correctly. The only gotcha I can think of is that the server sits on a separate VLAN from that of the pix, but this should not be a problem because I can connect without a problem from the internal switch in the 501.
Network layout is Laptop => WAP => PIX 501 Outside => PIX 501 Inside => Core Switch => Win2K3 RRAS Server
The wireless network is 192.168.192.x and the internal network that the pix is on is 172.16.1.x, but the Win2K3 server is on a separate VLAN addressed as 172.16.253.x
Here is the config:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname pix
domain-name somedomainimadeup.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host 18.104.22.168 eq pptp
access-list outside-in permit gre any host 22.214.171.124
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.192.192 255.255.255.0
ip address inside 172.16.1.148 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) 172.16.253.5 172.16.253.5 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.192.191 1
route inside 172.16.0.0 255.255.0.0 172.16.1.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:177c7d78ec5c695480097944369c3f77
: end
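A PPTP server behind a PIX needs three statements that all name the same global address: a permit for tcp/1723, a permit for GRE (both in the ACL bound to the outside interface), and a static translation. The script below is an added example, not the poster's code; it cross-checks the ACL, static and access-group lines quoted from the config above (the two ACL host addresses appear to be anonymized by the forum, so they are compared verbatim) and, for contrast, a constructed variant in which all three statements agree.

```python
import re

# Lines quoted from the PIX 6.3 config posted above.
POSTED_CONFIG = """
access-list outside-in permit tcp any host 18.104.22.168 eq pptp
access-list outside-in permit gre any host 22.214.171.124
static (inside,outside) 172.16.253.5 172.16.253.5 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""

# Constructed variant: every statement names the same global address.
CONSISTENT_CONFIG = """
access-list outside-in permit tcp any host 172.16.253.5 eq 1723
access-list outside-in permit gre any host 172.16.253.5
static (inside,outside) 172.16.253.5 172.16.253.5 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""

# Only the "permit <proto> any host <ip> [eq <port>]" ACL form is recognised.
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|gre) any host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) \S+ netmask \S+")  # group 1 = global address
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def check_pptp_passthrough(config):
    """Return the addresses with tcp/1723 + GRE permitted from outside and a
    static, plus a list of what is missing for every address mentioned."""
    control, gre, statics, outside_acls = set(), set(), set(), set()
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, host, port = m.groups()
            if proto == "gre":
                gre.add((name, host))
            elif port in ("pptp", "1723"):
                control.add((name, host))
        elif m := STATIC_RE.match(line):
            statics.add(m.group(1))
        elif (m := GROUP_RE.match(line)) and m.group(2) == "outside":
            outside_acls.add(m.group(1))
    # A permit only counts if its ACL is actually bound to the outside interface.
    ctl_hosts = {h for n, h in control if n in outside_acls}
    gre_hosts = {h for n, h in gre if n in outside_acls}
    pieces = (("tcp/1723", ctl_hosts), ("gre", gre_hosts), ("static", statics))
    problems = []
    for host in sorted(ctl_hosts | gre_hosts | statics):
        missing = [label for label, have in pieces if host not in have]
        if missing:
            problems.append(f"{host}: missing {', '.join(missing)}")
    return {"complete_for": sorted(ctl_hosts & gre_hosts & statics), "problems": problems}
```

Run against the posted lines it reports no address with all three pieces and three partial entries; against the constructed variant it reports 172.16.253.5 as complete.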