Friday, January 15, 2010

Allowing Microsoft VPN through Cisco PIX

Symptom: When attempting to connect to a Microsoft VPN server (PPTP or L2TP over IPsec) on the outside of the PIX, the client returns error 721 or 800 (the remote computer failed to respond).

Resolution:

1) To pass PPTP through a PIX you must have a one-to-one (static) mapping from the external IP to an internal IP, and the PIX must permit GRE (IP protocol 47) and TCP port 1723 to that external address. For PPTP, add this:

conduit permit gre host x.x.x.x any
conduit permit tcp host x.x.x.x eq 1723 any

For L2TP over IPsec, add this instead:

conduit permit esp host x.x.x.x any
conduit permit udp host x.x.x.x eq 1701 any
conduit permit udp host x.x.x.x eq 500 any

2) If the PIX is running 6.3(3) or later, you can enable the PPTP fixup instead, which inspects the PPTP control connection on TCP 1723 and opens the GRE data channel dynamically: fixup protocol pptp 1723.
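As an added example (not part of the original post), here is a small Python audit that parses a PIX 6.x style config and reports, for a given global address, which of the static mapping, conduits and PPTP fixup described above are present and which are missing. The embedded config fragment and the addresses 203.0.113.10 / 10.0.0.10 are constructed sample values, not taken from any real device.

```python
import re

# Constructed sample PIX 6.x config fragment (not from a real device): a static
# one-to-one NAT for the VPN host plus most, but not all, of the conduits above.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
conduit permit gre host 203.0.113.10 any
conduit permit tcp host 203.0.113.10 eq 1723 any
conduit permit esp host 203.0.113.10 any
conduit permit udp host 203.0.113.10 eq 500 any
fixup protocol pptp 1723
"""

# Conduits each VPN type needs on the PIX, as (protocol, port-or-None) pairs.
REQUIREMENTS = {
    "pptp": [("gre", None), ("tcp", "1723")],
    "l2tp-ipsec": [("esp", None), ("udp", "500"), ("udp", "1701")],
}

CONDUIT_RE = re.compile(r"^conduit permit (\S+) host (\S+)(?: eq (\d+))? any$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask \S+$")


def parse_pix(config):
    """Return (statics, conduits, fixups) found in a PIX config text."""
    statics, conduits, fixups = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)  # global IP -> inside IP
        elif m := CONDUIT_RE.match(line):
            conduits.add((m.group(1), m.group(2), m.group(3)))  # proto, host, port
        elif line.startswith("fixup protocol "):
            fixups.add(line.split()[2])
    return statics, conduits, fixups


def check_vpn_passthrough(config, global_ip):
    """Report which required conduits are missing for global_ip, per VPN type."""
    statics, conduits, fixups = parse_pix(config)
    report = {"static_nat": global_ip in statics}
    for vpn, needs in REQUIREMENTS.items():
        report[vpn] = [p if port is None else f"{p} {port}"
                       for p, port in needs if (p, global_ip, port) not in conduits]
    report["pptp_fixup"] = "pptp" in fixups
    return report


if __name__ == "__main__":
    print(check_vpn_passthrough(SAMPLE_CONFIG, "203.0.113.10"))
```

An empty list for a VPN type means every conduit that type needs is present for that address; here the sample is complete for PPTP but still lacks the UDP 1701 conduit for L2TP over IPsec.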