In the following example I am configuring port forwarding to a Windows Server 2003 PPTP VPN server. My lab has been configured as shown in the diagram. I have a /28 network registered on the Internet and 14 public IP Addresses are available though the ISP uplink. The SDSL modem is providing these IP addresses by the internal DHCP server. For the Cisco PIX 501 firewall I am using manual assigned Public IP Address.
How to configure PPTP VPN server publishing on a Cisco PIX 501 firewall?
In the CLI command below I am configuring static NAT to a public IP Address for tcp port 1723 (pptp). I am also allowing the tcp and gre traffic to the VPN server by using access-list.
fixup protocol pptp 1723 name 192.168.5.35 VPN-02 pdm location VPN-02 255.255.255.255 inside static (inside,outside) tcp 22.214.171.124 pptp VPN-02 pptp netmask 255.255.255.255 0 0 access-list outside_access_in permit tcp any host 126.96.36.199 access-list outside_access_in permit gre any host 188.8.131.52
What did I achieve with this configuration?
After I applied this configuration I was able to connect from my Windows XP & Windows Vista computers by utilizing the built-in VPN client via the PPTP protocol. I configured static port forwarding on tcp 1723 port and enabled the GRE IP protocol fix by using the “fixup protocol pptp 1723” command. Without the fixup for pptp protocol I am forced to translate complete internal host (VPN-02) and using all TCP ports. If you don’t apply to fixup than you probably will get eventlog message like one below.
Event Type: Warning Event Source: Rasman Event Category: None Event ID: 20209 Date: 3/18/2008 Time: 9:22:43 PM User: N/A Computer: VPN-02 Description: A connection between the VPN server and the VPN client 184.108.40.206 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.