10/14/2003

Firewall::Cisco::Outbound PPTP


Problem: a client behind a Cisco PIX firewall (PIX 6.1x) cannot establish a PPTP VPN to a server outside the firewall.
The fix is to allow the GRE ("Generic Routing Encapsulation") protocol in from the server to the client.
This requires:
- The client must have a static IP address.
- Outbound TCP port 1723 must be allowed to the server.
- Inbound GRE must be allowed from the server to the client's outside static address.
The details of this and other situations are found in the Cisco document "Permitting PPTP Connections Through the PIX":
PDF version - http://www.cisco.com/warp/public/110/pix_pptp.pdf
HTML version

Commands:

static (inside,outside) <client-outside-static-ip> <client-inside-ip> netmask 255.255.255.255 0 0
access-list acl-outside permit gre host <server-ip> host <client-outside-static-ip>

Replace the angle-bracket placeholders with the PPTP server's address and the client's inside and outside (static) addresses.

Assumes acl-outside is already applied to your outside interface via the command:
access-group acl-outside in interface outside
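As an added check (not from the Cisco document or this page), the following Python script parses the three PIX 6.x commands above out of a saved configuration and reports whether a given client/server pair meets the requirements listed. The addresses in SAMPLE_CONFIG are constructed, and the parser only understands the host/host access-list form shown here.

```python
import re

# Constructed PIX 6.x config fragment (documentation-range addresses, not real hosts).
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255 0 0
access-list acl-outside permit gre host 198.51.100.7 host 203.0.113.10
access-group acl-outside in interface outside
"""

def parse_pix(config):
    """Collect statics (local -> global), named ACL entries, and interface bindings."""
    statics, acls, groups = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line)
        if m:
            statics[m.group(4)] = m.group(3)
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) host (\S+) host (\S+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def pptp_passthrough_ok(config, client_inside_ip, server_ip):
    """Return (ok, reasons): a static for the client and inbound GRE from the server."""
    statics, acls, groups = parse_pix(config)
    reasons = []
    global_ip = statics.get(client_inside_ip)
    if global_ip is None:
        reasons.append("no static translation for client %s" % client_inside_ip)
    acl = groups.get("outside")
    if acl is None:
        reasons.append("no access-group applied inbound on the outside interface")
    else:
        gre_ok = False
        # PIX evaluates ACL entries top-down; the first matching entry decides.
        for action, proto, src, dst in acls.get(acl, []):
            if proto == "gre" and src == server_ip and dst == global_ip:
                gre_ok = action == "permit"
                break
        if not gre_ok:
            reasons.append("ACL %s does not permit GRE from %s to %s" % (acl, server_ip, global_ip))
    return (not reasons), reasons
```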
