How to pass PPTP traffic through a PIX Firewall

Cisco PIX Firewalls require two elements to pass traffic from a lower-security interface (outside, security level 0) to a higher-security interface (inside, security level 100): a static translation and a rule that permits the traffic, either a conduit or, on PIX 5.x/6.x, an access-list bound to the interface with access-group.

For this example, assume a PPTP server at inside address 192.168.1.100 and an unused outside (public) address, 1.1.1.1, that can be dedicated to it.

First, enable PPTP inspection and create the static translation. The fixup line (available from PIX 6.3) tells the firewall to inspect the PPTP control channel on TCP/1723 and track the GRE data session that the control channel negotiates. The static line binds 1.1.1.1 (the public Internet address) one-to-one to 192.168.1.100 (the inside, private address); the netmask 255.255.255.255 makes it a single-host translation, and the trailing 0 0 leave the connection and embryonic-connection limits unlimited.

fixup protocol pptp 1723
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0

Next, permit the traffic from the outside interface to the server. PPTP uses TCP/1723 for its control channel and GRE (IP protocol 47) for the tunnelled data; both must be allowed, and both are permitted against the mapped (outside) address 1.1.1.1, not the inside address. Use either the older conduit syntax or an access-list bound to the outside interface with access-group, not both; conduits were removed in PIX 7.0, so the access-list form is the one to prefer.

Conduit form:

conduit permit tcp host 1.1.1.1 eq 1723 any
conduit permit gre host 1.1.1.1 any

Access-list form:

access-list 101 permit tcp any host 1.1.1.1 eq 1723
access-list 101 permit gre any host 1.1.1.1
access-group 101 in interface outside

A couple of notes:

In the conduits and access-lists, the any keyword lets matching traffic from every source address through the firewall. Replace it with the address (or network and mask) of the remote PPTP peer whenever the peer is known; with any, the PPTP control port is reachable from the whole Internet. Exposing PPTP this way also exposes its MS-CHAPv2 authentication, which is cryptographically broken, so restricting the source is the minimum you should do.

Binding access-list 101 to the outside interface replaces whatever access-group was already applied there, and everything that list does not explicitly permit is then dropped. Before entering the access-group line, check for an existing inbound list and add the two PPTP entries to it rather than creating a new one.
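As an added illustration (not code from the original post), the following Python script parses a PIX 6.x configuration fragment and checks that the pieces described above are all present: the static for the server, an inbound access-group on the outside interface, a permit for TCP/1723 and one for GRE that reach the mapped address (evaluated top-down, the way the PIX does), and which of those permits still use an any source. The config text and the peer address 203.0.113.7 are constructed for the example; the parser handles only the static / access-list / access-group syntax shown on this page (with eq ports), not conduits.

```python
"""Audit a PIX 6.x configuration fragment for the rules a PPTP server needs.

Added example, not code from the original post. It understands only the
static / access-list / access-group syntax used above (not conduits), and
only 'eq' port matches.
"""
import ipaddress
import re

# Constructed sample: the post's rules, with the GRE source already tightened
# to one peer (203.0.113.7) while the TCP/1723 rule still uses 'any'.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 1.1.1.1 eq 1723
access-list 101 permit gre host 203.0.113.7 host 1.1.1.1
access-group 101 in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\d+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
PROTO_ALIASES = {"47": "gre", "6": "tcp"}  # numeric forms the PIX also accepts


def parse(config):
    """Return (statics, acl entries in file order, {interface: acl name})."""
    statics, acls, groups = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            entry = m.groupdict()
            entry["proto"] = PROTO_ALIASES.get(entry["proto"], entry["proto"])
            acls.append(entry)
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, acls, groups


def covers(spec, ip):
    """True when an ACL address spec ('any', 'host X' or 'net mask') includes ip."""
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "host":
        return ipaddress.ip_address(value) == ipaddress.ip_address(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{kind}/{value}", strict=False)


def first_match(acls, acl_name, proto, port, dst_ip, src_ip=None):
    """The PIX evaluates an access-list top down and stops at the first match.
    Returns 'permit', 'deny' or None (implicit deny at the end of the list).
    src_ip=None means 'from anywhere', so any source spec is accepted."""
    for r in acls:
        if r["name"] != acl_name or r["proto"] not in (proto, "ip"):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if not covers(r["dst"], dst_ip):
            continue
        if src_ip is not None and not covers(r["src"], src_ip):
            continue
        return r["action"]
    return None


def audit_pptp(config, inside_ip, peer_ip=None, outside_iface="outside"):
    """Check that PPTP (TCP/1723 plus GRE) from peer_ip reaches the server at
    inside_ip through its static on outside_iface, and list the protocols whose
    permit still uses an 'any' source (the weakness the notes above warn about)."""
    statics, acls, groups = parse(config)
    mapped = next((s["mapped"] for s in statics
                   if s["real"] == inside_ip and s["mapped_if"] == outside_iface), None)
    acl_name = groups.get(outside_iface)
    result = {"mapped": mapped, "static": mapped is not None,
              "access_group": acl_name is not None,
              "tcp_1723": False, "gre": False, "any_source": []}
    if mapped and acl_name:
        result["tcp_1723"] = first_match(acls, acl_name, "tcp", "1723", mapped, peer_ip) == "permit"
        result["gre"] = first_match(acls, acl_name, "gre", None, mapped, peer_ip) == "permit"
        result["any_source"] = sorted({r["proto"] for r in acls
                                       if r["name"] == acl_name and r["action"] == "permit"
                                       and r["src"] == "any" and covers(r["dst"], mapped)})
    result["ok"] = all(result[k] for k in ("static", "access_group", "tcp_1723", "gre"))
    return result


if __name__ == "__main__":
    for peer in (None, "203.0.113.7", "198.51.100.9"):
        print(peer, audit_pptp(SAMPLE_CONFIG, "192.168.1.100", peer))
```

Run against the sample, the audit passes for the known peer 203.0.113.7 but fails GRE for any other source, which is exactly the state you want after tightening the GRE rule; the remaining any_source entry for tcp shows the control-channel rule still needs the same treatment.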
