Firewall Wizards mailing list archives

Cannot establish PPTP VPN connection thru PAT on Cisco router


From: shewitt () cdw com
Date: Thu, 14 Sep 2000 16:10:41 -0500

I apologize as this is slightly off topic, but I don't know where else to
go for help. 
 
I'm having a problem trying to establish an outbound VPN connection using MS
PPTP.  Here is my current setup:

CLIENT          CISCO         CISCO
MACHINE  -----   PIX   ------ 7204      ------  INTERNET
10.x.x.x        w/o NAT       w/ PAT

For my internet connectivity, I use PAT on the border router.  So, the
packets are arriving on the ethernet port of the router with a source IP
address of 10.x.x.x.  The router handles the conversion to a real IP using
PAT and sends the traffic out thru its HSSI interface.  

My attempted PPTP VPN sessions eventually time out while trying to complete
the handshake / authenticate the user.  I've done a trace on both sides of
the PIX, and I get the same results on both sides.  
I establish the TCP connection, I send some PPTP packets back and forth.
Then I send a GRE packet.  The next packet after the outbound packet is an
ICMP Host Unreachable with a source IP address of my router.  This makes it
seem to me like the router isn't even trying to PAT the GRE packets and is
just giving up.

According to Cisco, older versions of the IOS don't support PPTP thru NAT
(Bug Id: CSCdk60714).  This bug indicates that this is fixed in
12.1(1.00.03)PI 12.1(1.3)T.  I was on an older version, so I upgraded, but
I still can't get it to work.  My thought is that maybe it doesn't work thru
PAT, it only works thru NAT.  

Any suggestions?  Anybody have PPTP working thru PAT on a Cisco router?


-------------------------------
Scott Hewitt
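
The symptom described in the trace above (outbound GRE answered by an ICMP Host Unreachable sourced from the router) can be confirmed mechanically from a capture. The following Python is an added example, not part of the original post; the addresses, the sample packets and the function names are constructed for illustration.

```python
import socket
import struct

GRE, ICMP, TCP = 47, 1, 6
# Constructed addresses: client, router inside interface, PPTP server.
CLIENT, ROUTER, SERVER = "10.0.0.5", "10.0.0.1", "192.0.2.10"

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the sample trace (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def parse(pkt):
    """Return (src, dst, protocol, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def rejected_gre(trace, router):
    """List (src, dst) of GRE packets that `router` answered with ICMP
    host unreachable. An ICMP error quotes the IP header of the packet that
    caused it, which identifies the flow the router gave up on."""
    hits = []
    for pkt in trace:
        src, _, proto, body = parse(pkt)
        if proto != ICMP or src != router or len(body) < 28:
            continue
        if (body[0], body[1]) != (3, 1):        # type 3, code 1
            continue
        q_src, q_dst, q_proto, _ = parse(body[8:])   # quoted header
        if q_proto == GRE:
            hits.append((q_src, q_dst))
    return hits

def sample_trace():
    """Constructed capture: PPTP control on TCP 1723, then one GRE packet
    that the router rejects."""
    syn = struct.pack("!HHIIBBHHH", 1025, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0)
    # Enhanced GRE: K+S flags, version 1, protocol 0x880B, length 0,
    # Call ID 1, sequence 0.
    gre = ipv4(CLIENT, SERVER, GRE,
               struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, 0, 1, 0))
    unreachable = struct.pack("!BBHI", 3, 1, 0, 0) + gre[:28]
    return [ipv4(CLIENT, SERVER, TCP, syn), gre,
            ipv4(ROUTER, CLIENT, ICMP, unreachable)]

if __name__ == "__main__":
    print(rejected_gre(sample_trace(), ROUTER))
```

Because the check keys on the protocol number quoted inside the ICMP error, an unreachable caused by the TCP control channel would not be reported as a GRE rejection.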
