PIX 501 with IOS 6.2(4) PPTP Access

Discussion started by darkmoo, Jul 19, 2006.

  1. darkmoo

    darkmoo Guest

    To implement a PPTP server on the same interface as PPPoE & also to have
    the 2nd option to pass thru PPTP to an internal PPTP server, what version
    of IOS would I need? Currently the above features that I would like aren't
    possible in 6.2(4).

    I guess I would have to pay for the latest training version of IOS if
    there isn't a free upgrade since it's outside the minor revision number.

    Anyone have an idea of the cost & if I need to renew a support agreement
    on the device to be able to purchase a newer IOS?
    darkmoo, Jul 19, 2006
  2. By the way, the PIX operating system is named Finesse, not IOS.

    It is not clear from your message whether the PPPoE is outgoing
    or incoming. PIX 6 only handles PPPoE outgoing, and PPTP incoming.

    I thought I remembered reading that you could not configure PPPoE
    on the same interface as PPTP, but I do not find that restriction
    documented, so I might be misremembering.

    You -can- purchase a PIX software update without a support agreement,
    but the price is high enough that it is usually not much more
    expensive to just go for a support agreement.

    Your reference to PPPoE suggests that you are getting assigned a single
    IP address by a PPPoE server. You are also trying to pass through
    GRE and the PPTP TCP port to an inside PPTP server. GRE cannot be
    PAT'd (port address translation), and there is no way to just
    specify gre in a static statement the way you can TCP and UDP.

    I would say then that what you need is "policy static" -- a
    static statement that references an access list with the access list
    matching GRE. It would look something like this:

    access-list GRE_static_ACL permit gre host PPTPSERVERINSIDEIP any
    static (inside,outside) interface access-list GRE_static_ACL

    You can do this with PIX 6.3 and onward.

    If you examine the latest PIX security advisories carefully, I
    seem to recall that there is one outstanding security issue that was
    not fixed in 6.2 and so could potentially be leveraged into a
    6.2(5) rebuild upgrade. I did not, however, read the 6.2 conditions
    particularly carefully and I could be misremembering.
    Walter Roberson, Jul 19, 2006
  3. www.BradReese.Com, Jul 19, 2006
