How to Pass a Microsoft PPTP VPN to a Microsoft Server, through a CISCO Router or PIX.
Bob Lin's ChicagoTech website is fantastic; the best networking site we've seen. Bob's site is to the point and easy to search. Here is his VPN page, along with some other related pages:
Microsoft's PPTP Page
MSDN's PPTP Page
The SANS page
Cisco's Help Page
The trick is to pass all of the VPN traffic through the firewall without opening anything else. PPTP itself needs two things: the control channel on TCP 1723, and the data tunnel, which is GRE (IP protocol 47, not a TCP or UDP port, so it cannot be opened by port number). UDP 500 is IKE/ISAKMP, which belongs to L2TP/IPsec rather than to PPTP; it only has to be passed if the Windows clients are set to L2TP/IPsec, or to Automatic, which can try L2TP/IPsec before falling back to PPTP. Unfortunately, the correct Cisco CLI commands aren't easily available.
This is ONE way to pass Microsoft's VPN to a Microsoft Server through a Cisco router. There are many other options. The Microsoft PPTP implementation can be passed through the firewall with access list entries and an ip nat command.
access-list 101 permit tcp any host Router.Public.IP.ADD.RESS eq 1723
access-list 101 permit gre any host Router.Public.IP.ADD.RESS
access-list 101 permit udp any host Router.Public.IP.ADD.RESS eq 500
ip nat inat inside source static udp MY.SER.VER.IP 500 interface FastEthernet4 500
The gre entry takes no port: GRE is an IP protocol, so the line ends at the destination host (an extra "any" after it is rejected by IOS). Note also that the static NAT line forwards only UDP 500. If the server sits behind NAT, TCP 1723 needs an equivalent static entry, and the GRE tunnel has to be translated to the same inside host as well; IOS releases that include the PPTP NAT ALG do that alongside the TCP 1723 mapping, and on a release without it a one-to-one static NAT for the server is the fallback.
With fake addresses, the lines look like this (203.0.113.1, from the RFC 5737 documentation range, stands in for the router's public address on FastEthernet4, and 192.168.1.254 is the inside server):
access-list 101 permit tcp any host 203.0.113.1 eq 1723
access-list 101 permit gre any host 203.0.113.1
access-list 101 permit udp any host 203.0.113.1 eq 500
ip nat inside source static udp 192.168.1.254 500 interface FastEthernet4 500
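The lines above are the interesting ones, not a whole configuration. The following is an added example, not taken from the original page: one complete set of IOS commands that forwards PPTP to an inside Windows server, with the access list actually applied to the outside interface and the TCP 1723 control channel port-forwarded, which the fragments above leave out. Everything in it is assumed: FastEthernet4 as the outside interface with 203.0.113.1 (an RFC 5737 documentation address), Vlan1 as the inside interface, 192.168.1.254 as the PPTP server, and ordinary PAT for the rest of the LAN. The UDP 500 lines are kept but commented out, because they are only needed for L2TP/IPsec clients.

```cisco
! Added example (not from the original page). Assumed layout:
! FastEthernet4 = outside, 203.0.113.1 public address (RFC 5737 range),
! Vlan1 = inside, 192.168.1.254 = Windows PPTP server.
!
interface FastEthernet4
 description Outside
 ip address 203.0.113.1 255.255.255.248
 ip access-group 101 in
 ip nat outside
!
interface Vlan1
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Inbound policy on the outside interface. Only PPTP is opened: the control
! channel (TCP 1723) and the data tunnel (GRE, IP protocol 47, no port).
! Whatever return traffic your existing policy already allows (an
! "established" entry or ip inspect rules) must stay in this list too,
! otherwise an inbound ACL holding only these lines cuts the LAN off.
access-list 101 permit tcp any host 203.0.113.1 eq 1723
access-list 101 permit gre any host 203.0.113.1
!
! Static port forward of the PPTP control channel to the inside server.
! On IOS releases that include the PPTP NAT ALG the GRE tunnel follows
! this mapping to the same inside host. On a release without the ALG,
! replace it with a one-to-one mapping on a spare public address:
!   ip nat inside source static 192.168.1.254 203.0.113.2
ip nat inside source static tcp 192.168.1.254 1723 interface FastEthernet4 1723
!
! Ordinary PAT for the rest of the LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! Only if the clients are to use L2TP/IPsec as well (see Note 2). This
! hands every IKE packet arriving on the public address to the Windows
! server, so the router can no longer terminate IPsec on that address
! itself. Clients behind NAT (NAT-T) need the same two lines for UDP 4500.
! access-list 101 permit udp any host 203.0.113.1 eq 500
! ip nat inside source static udp 192.168.1.254 500 interface FastEthernet4 500
```

After applying it, "show ip nat translations" should list the static TCP 1723 entry immediately, and a GRE translation for the server should appear once a client has authenticated; a client that authenticates and then hangs with no traffic is the usual sign that the GRE half is missing.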
Note 0: A Cisco PIX needs PPTP inspection turned on so it can associate the GRE call with the TCP 1723 control connection that negotiated it; the command depends on your software revision. On PIX 6.x it is a fixup:
fixup protocol pptp 1723
On 7.x and later the equivalent is inspect pptp under a policy-map.
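Once the router or PIX is configured, it is worth checking the control channel from the outside before handing the VPN to users. The script below is an added example, not code from the original page: it connects to TCP 1723 on the router's public address, sends a PPTP Start-Control-Connection-Request as defined in RFC 2637, and parses the Start-Control-Connection-Reply. A parsed reply with result code 1 proves that TCP 1723 is forwarded all the way to a PPTP server. It proves nothing about GRE; a client that authenticates but never passes data is the classic symptom of GRE being blocked, and that half still has to be checked with a real client connection. The host name, vendor string and the sample reply used for the offline self-test are constructed values, and probe_pptp is assumed to be run from a host outside the router.

```python
import socket
import struct

# PPTP control-connection constants from RFC 2637.
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MSG = 1              # PPTP message type: control message
SCCRQ = 1                 # Start-Control-Connection-Request
SCCRP = 2                 # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100 # version 1.0
FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2

# Wire layout shared by SCCRQ and SCCRP: length, message type, magic cookie,
# control type, reserved0, protocol version, then a 2-byte field that is
# "reserved1" in the request but result code + error code in the reply,
# framing caps, bearer caps, max channels, firmware revision, 64-byte host
# name, 64-byte vendor string. 156 bytes in total.
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
SCC_LEN = struct.calcsize(SCCRQ_FMT)  # 156


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Build the SCCRQ a PPTP client sends first on TCP 1723."""
    return struct.pack(
        SCCRQ_FMT, SCC_LEN, CTRL_MSG, PPTP_MAGIC, SCCRQ, 0,
        PROTOCOL_VERSION, 0, FRAMING_ASYNC | FRAMING_SYNC,
        BEARER_ANALOG | BEARER_DIGITAL, 1, 0,
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Parse an SCCRP; raise ValueError if the bytes are not one."""
    if len(data) < SCC_LEN:
        raise ValueError("short reply (%d bytes)" % len(data))
    (length, msg_type, magic, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:SCC_LEN])
    if magic != PPTP_MAGIC or msg_type != CTRL_MSG:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "length": length,
        "version": version,
        "result_code": result,   # 1 = control connection established
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(host, port=1723, timeout=5.0):
    """Send an SCCRQ to host:port from outside and return the parsed SCCRP.

    A reply here means TCP 1723 reached a PPTP server through the router.
    GRE (IP protocol 47) is not exercised by this check.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < SCC_LEN:
            chunk = sock.recv(SCC_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


def sample_sccrp(hostname=b"RRAS-SERVER", vendor=b"Microsoft Windows NT"):
    """Constructed SCCRP (not captured traffic) for an offline self-test."""
    return struct.pack(
        SCCRP_FMT, SCC_LEN, CTRL_MSG, PPTP_MAGIC, SCCRP, 0,
        PROTOCOL_VERSION, 1, 0, FRAMING_ASYNC | FRAMING_SYNC,
        BEARER_ANALOG | BEARER_DIGITAL, 1, 0,
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


if __name__ == "__main__":
    import sys
    print(parse_sccrp(sample_sccrp()))          # offline self-test
    if len(sys.argv) > 1:                        # python3 probe.py <router public IP>
        print(probe_pptp(sys.argv[1]))
```

Run it with the router's public address as the only argument from a host on the Internet side; a connection refused or timeout points at the access list or the missing TCP 1723 static NAT, while a reply with a result code other than 1 means the server answered but declined the control connection.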
Note 1: L2TP/IPsec is more secure than PPTP because the IPsec layer adds a second authentication (a machine certificate or pre-shared key) underneath the user's PPP credentials. PPTP's own protection is weak: its MS-CHAPv2 authentication can be brute-forced offline from a captured handshake, and the MPPE session keys are derived from the same password material, so treat a PPTP tunnel as something that keeps casual eyes off the traffic, not as strong cryptography, and run it only under a strict password and access policy. Its attraction is that the client is built into Windows XP, Vista, and Server 2003, so no additional software is required and you control access on the Windows server. The same Windows versions also ship an L2TP/IPsec client, so the choice is not forced by client software.
Note 2: The conflict between a Cisco IPsec VPN terminating on the router (the Cisco client's IPsec over UDP, its NAT/PAT transparency mode) and the Microsoft VPN is over UDP 500, which is IKE: the static NAT line above hands every packet arriving on UDP 500 to the Windows server, so the router can no longer answer IKE for Cisco clients on that address. It is not practical to have UDP 500 go to the Windows server for the MS VPN and to the router for the Cisco VPN at the same time. This only bites if you forward UDP 500, that is, for L2TP/IPsec; pure PPTP (TCP 1723 plus GRE) never touches IKE, so it and a router-terminated IPsec VPN can coexist.
Choose the technology that meets your requirements and secure it via best practices.
If you need both kinds of client on the same router at the same time, the practical option is Cisco's IPsec over TCP (TCP 10000 by default), which carries the Cisco client's IKE and ESP inside TCP and so keeps it off UDP 500.
Note 3: There are known issues with running multiple VPN clients on the same Windows machine.