Permit PPTP VPN GRE Traffic via a Cisco PIX Firewall
Earlier this week, I tried to connect to a PPTP VPN connection. My Windows 8.1 PC gave me the following error:
Error 806: a connection between your computer and the VPN server has been established but the VPN connection cannot be completed. The most common cause for this is that there is at least one internet device between your computer and the VPN server is not configured to allow GRE protocol packets Verify that protocol 47 GRE is allowed on all personal firewall devices or routers. if the problem persists, contact your administrator.
At home, I use a Cisco PIX 515E firewall as my edge firewall device. My configuration isn’t particularly locked down in the sense that I don’t deny much traffic outbound (it causes too many internal support tickets with the wife and kids).
The error momentarily filled me with dread as I knew it was going to be an issue at my end as other people could connect to the service without any issues. The main reason though is that I know that from previous experience with VPNs, firewall and network devices getting in the stream and blocking traffic can be fraught with problems trying to resolve it.
A few Bing searches later and I was none the wiser. All of the details online seem to focus around people trying to host their own PPTP VPN servers and having issues with inbound connections, however with thru absence of other assistance, I figured I would try once of the recommendations I found which works to allow inbound PPTP connections and low-and-behold, a fix.
fixup protocol pptp 1723
Simply enter this command via the command line interface of the PIX or using Cisco ADSM and the command line entry dialog. The PIX will return with a slightly bizarre looking response and now you’re all set to place outgoing PPTP VPN connections.
The reason and rationale? The PIX does not by default inspect the IP Protocol 47 traffic (GRE) which is used by a PPTP VPN connection and therefore is dropped. Entering this command adds GRE to the inspection ruleset on the PIX so that the traffic can be seen and permitted to pass, assuming you don’t have an ACL which will then block it (the system level inspections happen before ACLs are taken into account).