Dear,

I have a PIX506E behind the Cisco 1841. The public IP is configured on f0/0 of the Cisco 1841, and I have a VPN (PPTP) that is configured on my PIX. How can I allow outside people to connect by VPN to my private LAN that is behind the PIX? Please help! Here is my config:

PIX506E PIX 503e

```
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Bs.EboZEq5PmUtlZ encrypted
passwd Bs.EboZEq5PmUtlZ encrypted
hostname telcel
domain-name telecel.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list access-in permit tcp any interface outside eq 14000
access-list access-in permit udp any interface outside eq 14000
access-list access-in permit tcp any interface outside eq 32
access-list access-in permit icmp any any
access-list access-in permit tcp any host 217.194.xx.xx eq smtp
access-list access-in permit tcp any host 217.194.xx.xx eq 3389
access-list access-in permit tcp host 210.210.1.65 host 217.194.xx.xx eq ftp
access-list access-in permit tcp host 210.210.1.63 host 217.194.xx.xx eq ftp
access-list NO-NAT permit ip any 172.16.1.0 255.255.255.0
access-list worms deny udp any any eq tftp
access-list worms deny tcp any any eq 135
access-list worms deny udp any any eq 135
access-list worms deny udp any any eq netbios-ns
access-list worms deny udp any any eq netbios-dgm
access-list worms deny tcp any any eq netbios-ssn
access-list worms deny udp any any eq 139
access-list worms deny tcp any any eq 445
access-list worms deny tcp any any eq 593
access-list worms deny tcp any any eq 4444
access-list worms permit ip any any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.128
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SMSC 172.16.1.1-172.16.1.16
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 192.168.0.48 255.255.255.255 inside
pdm location 192.168.0.77 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 217.194.xx.xx www 192.168.0.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.194.xx.xx smtp 192.168.0.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.194.xx.xx 3389 192.168.0.4 3389 netmask 255.255.255.255 0 0
access-group access-in in interface outside
access-group worms in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.48
snmp-server host inside 192.168.0.77
no snmp-server location
no snmp-server contact
snmp-server community snmpt3l3c
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group smsc accept dialin pptp
vpdn group smsc ppp authentication pap
vpdn group smsc ppp authentication chap
vpdn group smsc client configuration address local SMSC
vpdn group smsc pptp echo 60
vpdn group smsc client authentication local
vpdn username smsc password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
username aaaa password vvvv encrypted privilege 15
terminal width 80
Cryptochecksum:7d2e1c2c9d3cbcb50548ba68c0979267
: end
```

Cisco 1841

```
!This is the running config of the router: 217.194.xx.xx (public IP)
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Telecel
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 217.194.158.30
ip name-server 217.194.129.30
username zzzz privilege 15 secret 5
!
!
!
interface FastEthernet0/0
 description LAN$ETH-LAN$
 ip address 217.194.xx.xx 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Inside to PIX$ETH-LAN$
 ip address 192.168.2.2 255.255.255.128
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Network 1
!
interface FastEthernet0/0/1
 description Network 2
!
interface FastEthernet0/0/2
 description Network 3
!
interface FastEthernet0/0/3
 description Network 4
!
interface Serial0/1/0
 description Connection to SkyVision
 ip address 217.194.yy.yy 255.255.255.252 (public IP for upload)
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 no keepalive
 no fair-queue
 ignore dcd
 down-when-looped
 no cdp enable
!
interface Vlan1
 description VLAN 0/0/0
 ip address 192.168.1.1 255.255.255.224
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source list 3 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.31
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.2.0 0.0.0.127
snmp-server community telecel-vision RO
snmp-server location Telecel Burundi
snmp-server contact Aime Rukohoza
snmp-server host 192.168.0.77 v1sion
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
```

aimeruko