Microsoft KB Archive/249576


Windows Virtual Private Network Connectivity to Cisco PIX Firewall

Article ID: 249576

Article Last Modified on 3/1/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q249576


Cisco PIX Firewall supports the same IPSec tunnel-mode client that Internetwork Operating System (IOS) supports; that client is licensed from Information Resource Engineering (IRE). Layer 2 Tunneling Protocol (L2TP) is not currently supported by Cisco PIX Firewall, but Point-to-Point Tunneling Protocol (PPTP) is supported in PIX version 5.1 and later.

Cisco Secure PIX Firewall Software Release 6.0 adds support for Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec). Users who run Windows 2000 can use the native IPSec client and L2TP client to establish an L2TP tunnel to the PIX firewall. Traffic through the L2TP tunnel is encrypted by IPSec security associations (SAs). Certificate support in PIX 6.0 includes Baltimore, Microsoft, VeriSign, and Entrust servers. Currently, PIX does not accept L2TP requests without IPSec protection.


There is currently no Microsoft-provided virtual private network (VPN) client that works with Cisco PIX Firewall. PPTP in Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT 4.0, and Windows 2000 should work if your Cisco PIX PPTP implementation supports user ID/password user authentication. Cisco's PIX PPTP is not expected to include Extensible Authentication Protocol (EAP), so certificate-based user authentication by using a smart card is not supported. Because L2TP is not currently supported by Cisco PIX, L2TP/IPSec in Windows 2000 does not work as a remote access client to the PIX.

The following excerpt is from Cisco's Web site:

Cisco VPN Client
Cisco will license technology from third-party supplier, Information Resource Engineering (NASDAQ/NM: IREG), to deliver a VPN client to customers.

For updated information, please check the following Cisco Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
