Mike Conigliaro

PPTP on the Cisco PIX

If you have a PPTP server, and you just want to allow PPTP traffic to pass through the PIX, all you need is one line:

fixup protocol pptp 1723

But did did you know the PIX has its own built-in PPTP server? Here’s how you configure it:

First you need to permit incoming PPTP traffic:

sysopt connection permit-pptp

Create a new IP pool. PPTP clients will be assigned IP addresses from this pool:

ip local pool <pool name> 192.168.180.100-192.168.180.125

Now you need to create your PPTP users.

vpdn username <username> password <password>

Create a PPTP group. The group is what holds all the PPTP settings that clients need in order to connect:

vpdn group <group name> accept dialin pptp
vpdn group <group name> client configuration address local <pool name>
vpdn group <group name> ppp authentication mschap
vpdn group <group name> ppp encryption mppe 128 required
vpdn group <group name> pptp echo 60
vpdn group <group name> client authentication local
vpdn group <group name> client configuration dns <dns server address>
vpdn enable outside

Finally, ensure that PPTP clients are not NAT’ed:

access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 LAN 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
blog comments powered by Disqus