Use Microsoft VPN Client OUTBOUND through PIX 501

Discussion in 'Cisco' started by James B. Wood, May 12, 2006.

  1. Group,

    I'm trying to solve a problem for a friend.

    She has a PIX 501 and needs to connect to a Windows VPN out on the 'net (so
    we're using the Microsoft VPN Client). We can start the process - the VPN
    requests authentication - but it times out after entering the username /
    password. I can access the VPN in question from another site or if I
    disable the PIX. What do I need to do to allow the connection to proceed?
    Examples would be useful.

    Many Thanks,

    James B. Wood, May 12, 2006
  2. James B. Wood

    Brian V Guest

    fixup protocol pptp 1723
    Brian V, May 13, 2006
  3. James B. Wood

    Gary Guest

    If he's having problems with PPTP, then he'll probably want to turn off
    the fixup for that protocol. James: is your friend using PPTP or L2TP for
    his Microsoft VPN client?

    Gary, May 15, 2006
  4. PPTP.

    Currently there is no fixup for PPTP.

    James B. Wood, May 15, 2006
  5. James B. Wood

    Gary Guest

    What rev of PIX OS are you using? Also, are you running the PPTP server on
    the PIX 501? I'm wondering if it's intercepting the return traffic
    for some reason... You might want to turn on debugging to get some
    more detail of what's happening. I don't know if 'debug vpdn packets' will
    give you passthrough VPN debugging or not. You could install Ethereal and
    see how it looks when you connect successfully w/o the PIX in the way then
    compare it to the failure...

    Gary, May 16, 2006
  6. James B. Wood


    May 30, 2006
    L2TP outbound

    Hi there,
    I was looking for a solution about PPTP and I found your topic.
    Thanks for this, it was helpful.
    I’m now trying a solution to allow outbound traffic for L2TP, but no success... any idea?
    Thanks in advance,
    (PIX-501-BUN-K9 IOS 6.3)

    P.S. James B. Wood: did you try to enter the fixup command through the CLI?
    plastikman, May 30, 2006
  7. James B. Wood


    Jun 8, 2006
    Try this

    static (inside,outside) <your public IP> <internal IP of computer trying to connect> netmask 255.255.255.255 0 0
    access-list acl-out permit gre host <IP address of VPN server> host <your public IP>
    access-group acl-out in interface outside

    This will work but it knocks out all the other computers on the network for me. So I basically solved one problem and hit another.

    I got this information from Cisco's website:
    PlainusDonuticus, Jun 8, 2006
  8. James B. Wood


    Jun 6, 2006
    In previous releases of PIX, it was mandatory to use static NAT for the clients to connect to a PPTP server.

    However, in 6.3 it has been resolved by using fixup protocol pptp port_no. So if you are using 6.3 or above, you can access PPTP whether the client is PATted, static NATted or dynamic NATted.
    keshav, Jun 25, 2006
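
Gary's suggestion of comparing a capture taken behind the PIX with one taken without it, combined with the GRE rule in the static NAT post, can be scripted. The following is an added example, not code from any poster or from Cisco: it counts PPTP control packets (TCP/1723) and GRE packets (IP protocol 47) per direction in a classic pcap file. The sample captures, addresses and ports are constructed for illustration.

```python
import socket
import struct

def classify(pcap: bytes, client_ip: str) -> dict:
    """Count PPTP control (TCP/1723) and GRE (IP proto 47) packets per direction."""
    # Expects a classic little-endian pcap of Ethernet frames taken on the client.
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    counts = {"ctrl_out": 0, "ctrl_in": 0, "gre_out": 0, "gre_in": 0}
    client, off = socket.inet_aton(client_ip), 24  # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame_bytes = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame_bytes) < 34 or frame_bytes[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ip = frame_bytes[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        way = "out" if ip[12:16] == client else "in"
        if proto == 47:
            counts["gre_" + way] += 1
        elif proto == 6 and len(ip) >= ihl + 4 and 1723 in struct.unpack_from("!HH", ip, ihl):
            counts["ctrl_" + way] += 1
    return counts

def diagnose(c: dict) -> str:
    if c["ctrl_out"] and not c["ctrl_in"]:
        return "no replies on TCP/1723: control channel blocked"
    if c["gre_out"] and not c["gre_in"]:
        return "GRE leaves but never returns: protocol 47 dropped in the path"
    return "control and GRE both bidirectional"

# --- constructed sample captures (addresses and ports are made up) ---
def frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + payload
def pcap_file(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
CTRL = [frame(CLIENT, SERVER, 6, struct.pack("!HH", 1055, 1723) + b"\0" * 16),
        frame(SERVER, CLIENT, 6, struct.pack("!HH", 1723, 1055) + b"\0" * 16)]
GRE_OUT, GRE_IN = frame(CLIENT, SERVER, 47, b"\0" * 8), frame(SERVER, CLIENT, 47, b"\0" * 8)
BEHIND_PIX = pcap_file(CTRL + [GRE_OUT, GRE_OUT])  # GRE replies never arrive
DIRECT = pcap_file(CTRL + [GRE_OUT, GRE_IN])       # PIX out of the path

if __name__ == "__main__":
    print({n: diagnose(classify(c, CLIENT)) for n, c in (("behind PIX", BEHIND_PIX), ("direct", DIRECT))})
```

A capture where TCP/1723 is answered but GRE only flows outbound matches the symptom in the first post: the control connection comes up, then authentication, which is carried inside GRE, times out.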
