GRE, hide nat on PIX

Discussion in 'Cisco' started by Jean-Michel Dewaal, Aug 14, 2005.

  1. Hi, Good Day,

    Behind a PIX 501, I have a LAN hide nated to the external Interface of
    the PIX. This works ok for tcp/ip traffic like http, ftp etc.

    Behind, I have a host 10.10.10.10 that needs to get to an external
    Internet located provided using PPTP.

    It does not work. Sniffing, I see tcp ports being used. The client gets
    to the point he has the login/password windows box to fill. Once done,
    sniffing, I see ip-proto-47 (aka, GRE).

    What to add to the PIX for the client being hide-nated to use a PPTP
    server (not managed by us at all)???

    I do not have anything like spare IP to static nat the client to an
    internet IP.

    PIX version : 6.3.4

    Thanks,

    Jean-Michel
    Jean-Michel Dewaal, Aug 14, 2005
    #1

  2. In article <ddnhfr$6l3$>,
    Jean-Michel Dewaal <> wrote:
    :Behind a PIX 501, I have a LAN hide nated to the external Interface of
    :the PIX. This works ok for tcp/ip traffic like http, ftp etc.

    :Behind, I have a host 10.10.10.10 that needs to get to an external
    :Internet located provided using PPTP.

    :What to add to the PIX for the client being hide-nated to use a PPTP
    :server (not managed by us at all)???

    fixup protocol pptp 1723

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

    The PPTP fixup must be enabled for PPTP traffic to be translated
    by PAT. Additionally, PAT is only performed for a modified
    version of GRE (RFC2637) and only if it is negotiated over the
    PPTP TCP control channel. PAT is not performed for the unmodified
    version of GRE (RFC 1701 and RFC 1702).
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
    Walter Roberson, Aug 15, 2005
    #2
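
Added example, not part of the original posts and not Cisco code: a small parser that tells the enhanced GRE of RFC 2637 (version 1, protocol type 0x880B, Call ID carried in the key field) apart from RFC 1701 GRE, which has no such per-session field. It is a general illustration of the header difference the reply refers to, not a description of PIX internals; the function name and the sample packets are constructed for this example.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type carried by enhanced GRE (RFC 2637)
K_BIT, S_BIT, A_BIT, VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007


def classify_gre(header: bytes) -> dict:
    """Parse the bytes that follow the IP header of an ip-proto-47 packet."""
    if len(header) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, proto = struct.unpack("!HH", header[:4])
    info = {"version": flags & VER_MASK, "protocol": proto,
            "call_id": None, "seq": None, "ack": None, "enhanced": False}

    # RFC 1701 GRE is version 0 and carries nothing comparable to a port.
    if info["version"] != 1 or proto != PPTP_GRE_PROTO or not flags & K_BIT:
        return info

    # Enhanced GRE: key field = payload length (16 bits) + Call ID (16 bits),
    # followed by optional sequence and acknowledgment numbers.
    need = 8 + (4 if flags & S_BIT else 0) + (4 if flags & A_BIT else 0)
    if len(header) < need:
        raise ValueError("truncated enhanced GRE header")
    _payload_len, info["call_id"] = struct.unpack("!HH", header[4:8])
    offset = 8
    if flags & S_BIT:
        (info["seq"],) = struct.unpack("!I", header[offset:offset + 4])
        offset += 4
    if flags & A_BIT:
        (info["ack"],) = struct.unpack("!I", header[offset:offset + 4])
    info["enhanced"] = True
    return info


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    enhanced = bytes.fromhex("3081880b00101234" "00000001" "00000005")
    plain = bytes.fromhex("00000800")
    for name, pkt in (("enhanced", enhanced), ("plain", plain)):
        print(name, classify_gre(pkt))
```

The Call ID is the value negotiated over the TCP 1723 control channel, which is why a translator has to watch that channel before it can match the GRE packets to an inside host.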
