Velocity Reviews - Computer Hardware Reviews

Assistance with PIX 501 (6.3) and VPN thru PAT

B Creed
Guest
07-15-2003
I would greatly appreciate it if anyone could offer up any config
examples or suggestions for configuring a PIX 501 running OS 6.3 to
allow a MS VPN client to connect through it with PPTP to the server on
the other side, i.e.:
(Public IPs have been changed)

Win2k Client --------inet----> PIX -------------> Win2k Server
Dynamic IP                     o: 3.3.3.5         192.168.1.10
                               i: 192.168.1.1

Authentication is currently set to local, though I was messing around
with MS ISA and Radius earlier. Thanks a million in advance!

B. Creed
=====================================================================
Here's the majority of the current config running on the PIX:
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.10 ccc-server
access-list outside_access_in permit tcp any host 3.3.3.5 eq pptp
access-list outside_access_in permit gre any host 3.3.3.5
access-list outside_access_in permit tcp host 3.3.3.5 eq pptp host 3.3.3.5
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp host 3.3.3.5 eq https host 3.3.3.5 eq https
access-list outside_access_in permit tcp host 3.3.3.5 eq ldap host 3.3.3.5 eq ldap
access-list outside_access_in permit tcp any host 3.3.3.5 eq telnet
access-list outside_access_in permit tcp any host 3.3.3.5 eq pcanywhere-data
access-list outside_access_in permit tcp any host 3.3.3.5 eq 5632
access-list outside_access_in permit tcp any host 3.3.3.5 eq www
access-list outside_access_in permit tcp any host 3.3.3.5 eq ftp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 3.3.3.5 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.0.1-192.168.0.254
pdm location 192.168.1.96 255.255.255.224 outside
pdm location 3.3.3.0 255.255.255.0 outside
pdm location ccc-server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data ccc-server pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 ccc-server 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp ccc-server pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 3.3.3.4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username sostech password papag0
vpdn username carol password boomer
vpdn enable outside
dhcpd auto_config outside
B Creed
Guest
07-18-2003
Is not one of the features of 6.3 the PPTP protocol fixup? I was under
the impression that that was to fix the problem with PAT and GRE
because it would automatically handle all the xlates. Strangely
enough, the router config listed actually does work (I find it
confusing myself) and was copied off a PIX 506 with working PPTP VPN
support (albeit thru NAT). I think I may just give up and get a 2nd
static IP for the client though... heh

B Creed
Walter Roberson
Guest
07-18-2003
In article <(E-Mail Removed)>,
B Creed <(E-Mail Removed)> wrote:
:Is not one of the features of 6.3 the PPTP protocol fixup? I was under
:the impression that that was to fix the problem with PAT and GRE
:because it would automatically handle all the xlates.

Yes, you are correct. I had missed that, not having had reason to pay
attention to the details of PPTP.

However, according to the PIX 6.3 Command Reference,

Specifically, the firewall inspects the PPTP version announcements
and the outgoing call request/response sequence. Only PPTP Version
1, as defined in RFC 2637, is inspected. Further inspection on the
TCP control channel is disabled if the version announced by either
side is not Version 1. In addition, the outgoing-call request and
reply sequence are tracked. Connections and/or xlates are dynamically
allocated as necessary to permit subsequent secondary GRE data
traffic.

Thus, the access-list entry permitting GRE that you had against the
outside interface will have any function. Adaptive Security would
create whatever pinholes are needed, and would automatically create them
to the proper IP addresses.


:Strangely
:enough, the router config listed actually does work (I find it
:confusing myself) and was copied off a PIX 506 with working pptp VPN
:support (albeit thru NAT).

There is a noticeable difference between what can be done with NAT
and what can be done with PAT.
--
Usenet is one of those "Good News/Bad News" comedy routines.
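The mechanism the quoted Command Reference text describes, and the reason the NAT-vs-PAT distinction matters for GRE, can be seen in a small simulation. The following Python is an added illustration written for this thread; it is not Cisco's fixup code and not part of any post above. It parses the RFC 2637 control messages (version announcement, Outgoing-Call-Request/Reply) and the enhanced GRE header, then models a gateway that translates the inside host's Call ID and opens a GRE "pinhole" from it, so inbound GRE (which has no port numbers) can still be delivered to the right inside host behind one PAT address. The class and function names (`PptpAlg`, `parse_control`, `gre`, `demo`), the sample messages, and the simplifications (pinhole opened on the request rather than the reply, no call teardown, no TCP handling) are all assumptions of this example.

```python
"""Toy PPTP application-layer gateway at a PAT boundary (RFC 2637 framing).

Added illustration, not Cisco's fixup code. The control channel (TCP/1723) is
inspected for the version announcement and the outgoing-call request/reply,
and a GRE pinhole keyed on the 16-bit Call ID is opened. GRE has no ports, so
the Call ID is the only demultiplexing handle and must be unique on the shared
outside address, just as a PAT source port must be.
"""
import struct

MAGIC = 0x1A2B3C4D
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8   # control message types (RFC 2637 sec. 2)
GRE_PPP = 0x880B                         # protocol type in the enhanced GRE header


def parse_control(msg: bytes) -> dict:
    """Parse the 12-byte control header plus the fields the gateway needs."""
    length, msg_type, magic, ctrl, _ = struct.unpack("!HHIHH", msg[:12])
    if magic != MAGIC or msg_type != 1 or length != len(msg):
        raise ValueError("not a PPTP control message")
    info = {"type": ctrl}
    if ctrl in (SCCRQ, SCCRP):          # either side's version announcement
        info["version"] = struct.unpack("!H", msg[12:14])[0]
    elif ctrl == OCRQ:                  # caller announces its own Call ID
        info["call_id"] = struct.unpack("!H", msg[12:14])[0]
    elif ctrl == OCRP:                  # callee's Call ID, then the caller's echoed back
        info["call_id"], info["peer_call_id"] = struct.unpack("!HH", msg[12:16])
    return info


# Constructed sample messages: RFC 2637 fixed-size layouts with filler values
def _ctrl(ctrl: int, body: bytes) -> bytes:
    return struct.pack("!HHIHH", 12 + len(body), 1, MAGIC, ctrl, 0) + body

def sccrq(version: int = 0x0100) -> bytes:   # 0x0100 announces PPTP version 1.0
    return _ctrl(SCCRQ, struct.pack("!HHIIHH64s64s", version, 0, 3, 3, 1, 0, b"", b""))

def ocrq(call_id: int) -> bytes:
    return _ctrl(OCRQ, struct.pack("!HHIIIIHHHH64s64s", call_id, 1, 300, 10 ** 8,
                                   3, 3, 64, 0, 0, 0, b"", b""))

def ocrp(call_id: int, peer_call_id: int) -> bytes:
    return _ctrl(OCRP, struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0,
                                   10 ** 7, 64, 0, 0))

def gre(call_id: int, payload: bytes, seq: int = 0) -> bytes:
    # Enhanced GRE (RFC 2637 sec. 4.1): K+S flags, version 1, Call ID at offset 6
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(payload), call_id, seq) + payload


class PptpAlg:
    """Per-inside-host control-channel state and the GRE pinholes derived from it."""

    def __init__(self):
        self.inspect = {}    # inside_ip -> False once either side announces non-v1
        self.pinholes = {}   # outside Call ID -> (inside_ip, original inside Call ID)
        self._next_id = 1    # allocator for unique outside Call IDs

    def _note_version(self, inside_ip, info):
        if info["type"] in (SCCRQ, SCCRP):
            major_is_1 = (info["version"] >> 8) == 1
            self.inspect[inside_ip] = self.inspect.get(inside_ip, True) and major_is_1

    def outbound_control(self, inside_ip: str, msg: bytes) -> bytes:
        """Inside -> outside control message; returns what the outside peer sees."""
        info = parse_control(msg)
        self._note_version(inside_ip, info)
        if info["type"] in (OCRQ, OCRP) and self.inspect.get(inside_ip):
            # Both messages carry the sender's own Call ID at offset 12: translate
            # it so two inside hosts picking the same value cannot collide on the
            # PAT address, and open the pinhole that admits matching inbound GRE.
            out_id, self._next_id = self._next_id, self._next_id + 1
            self.pinholes[out_id] = (inside_ip, info["call_id"])
            return msg[:12] + struct.pack("!H", out_id) + msg[14:]
        return msg

    def inbound_control(self, inside_ip: str, msg: bytes) -> bytes:
        """Outside -> inside control message (TCP PAT already chose the inside host)."""
        info = parse_control(msg)
        self._note_version(inside_ip, info)
        if info["type"] == OCRP and info["peer_call_id"] in self.pinholes:
            # The echoed Peer's Call ID is our translated value: restore the original
            _, orig = self.pinholes[info["peer_call_id"]]
            return msg[:14] + struct.pack("!H", orig) + msg[16:]
        return msg

    def inbound_gre(self, pkt: bytes):
        """Outside -> PAT address GRE; returns (inside_ip, packet) or None to drop."""
        flags, ver, proto, _, call_id = struct.unpack("!BBHHH", pkt[:8])
        if proto != GRE_PPP or (ver & 0x07) != 1 or not flags & 0x20:
            return None                      # not enhanced GRE: nothing to match on
        entry = self.pinholes.get(call_id)
        if entry is None:
            return None                      # no pinhole: dropped, as plain PAT would
        inside_ip, orig = entry
        return inside_ip, pkt[:6] + struct.pack("!H", orig) + pkt[8:]


def demo():
    """Two inside hosts behind one PAT address both choose Call ID 0 (constructed)."""
    alg = PptpAlg()
    seen, delivered = {}, {}
    for host in ("192.168.1.10", "192.168.1.11"):
        alg.outbound_control(host, sccrq())
        seen[host] = parse_control(alg.outbound_control(host, ocrq(0)))["call_id"]
        alg.inbound_control(host, ocrp(4321, seen[host]))
    for host, out_id in seen.items():
        delivered[host] = alg.inbound_gre(gre(out_id, b"\xff\x03\xc0\x21"))[0]
    return seen, delivered
```

`demo()` returns the distinct outside Call IDs allocated to the two hosts and shows each inbound GRE packet landing on the host that announced it; with a one-to-one NAT each host would have its own outside address and no Call ID translation would be needed, which is the NAT/PAT difference the reply above points at. The same state machine covers this thread's topology (outside clients dialling an inside server through a static PAT on TCP/1723): the server's Outgoing-Call-Reply travels through `outbound_control`, and the client's GRE then matches the pinhole. A non-version-1 announcement switches inspection off for that host, after which no pinhole is opened and inbound GRE is dropped.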