«

Hi, Good Day,

Behind a PIX 501, I have a LAN hide nated to the external Interface of
the PIX. This works ok for tcp/ip traffic like http, ftp etc.

Behind, I have a host 10.10.10.10 that needs to get to an external
Internet located provided using PPTP.

It does not work. Sniffing, I see tcp ports being used. The client gets
to the point he has the login/password windows box to fill. Once done,
sniffing, I see ip-proto-47 (aka, GRE).

What to add to the PIX for the client being hide-nated to use a PPTP
server (not managed by us at all)???

I do not have anyhting like spare IP to static nat the client to an
internet IP.

PIX version : 6.3.4

Thanks,

Jean-Michel

In article <ddnhfr$6l3$>,
Jean-Michel Dewaal <> wrote:
:Behind a PIX 501, I have a LAN hide nated to the external Interface of
:the PIX. This works ok for tcp/ip traffic like http, ftp etc.

:Behind, I have a host 10.10.10.10 that needs to get to an external
:Internet located provided using PPTP.

:What to add to the PIX for the client being hide-nated to use a PPTP
:server (not managed by us at all)???

fixup protocol pptp 1723

http://www.cisco.com/univercd/cc/td/....htm#wp1067379

The PPTP fixup must be enabled for PPTP traffic to be translated
by PAT. Additionally, PAT is only performed for a modified
version of GRE (RFC2637) and only if it is negotiated over the
PPTP TCP control channel. PAT is not performed for the unmodified
version of GRE (RFC 1701 and RFC 1702).
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec