Assistance with PIX 501 (6.3) and VPN thru PAT

Discussion in 'Cisco' started by B Creed, Jul 15, 2003.

  1. B Creed

    B Creed Guest

    I would greatly appreciate it if any one could offer up any config
    examples or suggestions for configuring a PIX 501 running OS 6.3 to
    allow a MS VPN client to connect through it with pptp to the server on
    the other side, i.e.:
    (Public IPs have been changed)

    Win2k Client--------inet---->PIX------------->Win2k Server
    Dynamic IP                   o: 3.3.3.5       192.168.1.10
                                 i: 192.168.1.1

    Authentication is currently set to local, though I was messing around
    with MS ISA and Radius earlier. Thanks a million in advance!

    B. Creed
    =====================================================================
    Here's the majority of the current config running on the PIX:
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 192.168.1.10 ccc-server
    access-list outside_access_in permit tcp any host 3.3.3.5 eq pptp
    access-list outside_access_in permit gre any host 3.3.3.5
    access-list outside_access_in permit tcp host 3.3.3.5 eq pptp host 3.3.3.5
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp host 3.3.3.5 eq https host 3.3.3.5 eq https
    access-list outside_access_in permit tcp host 3.3.3.5 eq ldap host 3.3.3.5 eq ldap
    access-list outside_access_in permit tcp any host 3.3.3.5 eq telnet
    access-list outside_access_in permit tcp any host 3.3.3.5 eq pcanywhere-data
    access-list outside_access_in permit tcp any host 3.3.3.5 eq 5632
    access-list outside_access_in permit tcp any host 3.3.3.5 eq www
    access-list outside_access_in permit tcp any host 3.3.3.5 eq ftp
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 3.3.3.5 255.255.255.128
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.0.1-192.168.0.254
    pdm location 192.168.1.96 255.255.255.224 outside
    pdm location 3.3.3.0 255.255.255.0 outside
    pdm location ccc-server 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data ccc-server pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5632 ccc-server 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp ccc-server pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 3.3.3.4 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username sostech password papag0
    vpdn username carol password boomer
    vpdn enable outside
    dhcpd auto_config outside
    B Creed, Jul 15, 2003
    #1

  2. B Creed

    B Creed Guest

    Is not one of the features of 6.3 the PPTP protocol fixup? I was under
    the impression that that was to fix the problem with PAT and GRE
    because it would automatically handle all the xlates. Strangely
    enough, the router config listed actually does work (I find it
    confusing myself) and was copied off a PIX 506 with working pptp VPN
    support (albeit thru NAT). I think I may just give up and get a 2nd
    static IP for the client though... heh

    B Creed
    B Creed, Jul 18, 2003
    #2

  3. In article <>,
    B Creed <> wrote:
    :Is not one of the features of 6.3 the PPTP protocol fixup? I was under
    :the impression that that was to fix the problem with PAT and GRE
    :because it would automatically handle all the xlates.

    Yes, you are correct. I had missed that, not having had reason to pay
    attention to the details of PPTP.

    However according to the PIX 6.3 Command Reference,

    Specifically, the firewall inspects the PPTP version announcements
    and the outgoing call request/response sequence. Only PPTP Version
    1, as defined in RFC 2637, is inspected. Further inspection on the
    TCP control channel is disabled if the version announced by either
    side is not Version 1. In addition, the outgoing-call request and
    reply sequence are tracked. Connections and/or xlates are dynamic
    allocated as necessary to permit subsequent secondary GRE data
    traffic.

    Thus, the access-list entry permitting GRE that you had against the
    outside interface will have any function. Adaptive Security would
    create whatever pinholes are needed, and would automatically create them
    to the proper IP addresses.


    :Strangely
    :enough, the router config listed actually does work (I find it
    :confusing myself) and was copied off a PIX 506 with working pptp VPN
    :support (albeit thru NAT).

    There is a noticeable difference between what can be done with NAT
    and what can be done with PAT.
    --
    Usenet is one of those "Good News/Bad News" comedy routines.
    Walter Roberson, Jul 18, 2003
    #3
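The passage Walter quotes says the inspector watches the outgoing-call request/reply and then opens connections and xlates for the secondary GRE traffic on its own. The Python model below is an added illustration for this thread, not code from the thread or from Cisco: it shows what that call-ID tracking buys at a PAT boundary (GRE has no port numbers, so plain PAT has nothing to demultiplex on) and why inbound GRE with no matching control session is simply dropped, which is the point behind the "permit gre any" entry having no work to do. The PIX internals, the 0x8000 call-ID pool, the client address 203.0.113.7 and the server 198.51.100.10 are assumptions or constructed values; 3.3.3.5 and 192.168.1.10 are the thread's own addresses.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Optional

OUTSIDE_IF = "3.3.3.5"        # PIX outside address (from the thread)
INSIDE_PREFIX = "192.168.1."  # PIX inside network (from the thread)
CCC_SERVER = "192.168.1.10"   # inside PPTP server behind 'static ... interface pptp'

@dataclass
class Ctrl:
    """PPTP control message on tcp/1723, reduced to what the inspector reads."""
    src: str
    dst: str
    kind: str                           # "OCRQ" (call request) or "OCRP" (call reply)
    call_id: int                        # the sender's own call ID
    peer_call_id: Optional[int] = None  # OCRP only: echoes the initiator's call ID

@dataclass
class Gre:
    """GRE data packet; RFC 2637 puts the *receiver's* call ID in the key field."""
    src: str
    dst: str
    key: int

@dataclass
class Session:
    peer_ip: str                      # outside party
    inside_host: str                  # inside party
    inside_id: Optional[int] = None   # call ID the inside party chose
    outside_id: Optional[int] = None  # unique value the outside sees for it
    peer_id: Optional[int] = None     # call ID the outside party chose

class PptpInspector:
    """Model of 'fixup protocol pptp' in front of PAT (assumption: a real PIX
    keeps equivalent state; its internals are not published)."""

    def __init__(self, static_pat: dict[str, str]):
        self.static_pat = static_pat     # outside address -> inside host for tcp/1723
        self.sessions: dict[tuple[str, str], Session] = {}   # (peer, inside) -> session
        self.by_outside_id: dict[tuple[str, int], Session] = {}
        self._ids = count(0x8000)        # pool of call IDs handed out toward the outside

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def control(self, m: Ctrl) -> Optional[Ctrl]:
        """Inspect one control message; return it as forwarded, or None if dropped."""
        if self.is_inside(m.src):                         # inside -> outside
            s = self.sessions.setdefault((m.dst, m.src), Session(m.dst, m.src))
            if s.outside_id is None:                      # first sight of this call ID
                s.inside_id, s.outside_id = m.call_id, next(self._ids)
                self.by_outside_id[(m.dst, s.outside_id)] = s
            return Ctrl(OUTSIDE_IF, m.dst, m.kind, s.outside_id, m.peer_call_id)
        if m.kind == "OCRQ":                              # outside initiator, via static PAT
            inside = self.static_pat.get(m.dst)
            if inside is None:
                return None                               # nothing forwards tcp/1723 here
            s = self.sessions.setdefault((m.src, inside), Session(m.src, inside))
            s.peer_id = m.call_id
            return Ctrl(m.src, inside, m.kind, m.call_id)
        s = self.by_outside_id.get((m.src, m.peer_call_id))   # outside responder
        if s is None:
            return None                                   # reply to a call never seen
        s.peer_id = m.call_id
        return Ctrl(m.src, s.inside_host, m.kind, m.call_id, s.inside_id)

    def gre(self, p: Gre) -> Optional[Gre]:
        """Forward a GRE packet only through a pinhole the control channel opened."""
        if self.is_inside(p.src):                         # inside -> outside: PAT the source
            s = self.sessions.get((p.dst, p.src))
            if s is None or s.peer_id != p.key:
                return None
            return Gre(OUTSIDE_IF, p.dst, p.key)
        s = self.by_outside_id.get((p.src, p.key))        # outside -> inside: demultiplex on key
        if s is None or p.dst != OUTSIDE_IF:
            return None
        return Gre(p.src, s.inside_host, s.inside_id)

def thread_scenario():
    """The poster's case: outside Win2k client -> 3.3.3.5 -> ccc-server.
    The client and stranger addresses are constructed sample values."""
    pix = PptpInspector({OUTSIDE_IF: CCC_SERVER})
    client = "203.0.113.7"
    pix.control(Ctrl(client, OUTSIDE_IF, "OCRQ", call_id=1))
    reply = pix.control(Ctrl(CCC_SERVER, client, "OCRP", call_id=5, peer_call_id=1))
    return (
        pix.gre(Gre(client, OUTSIDE_IF, reply.call_id)),           # the client's data: delivered
        pix.gre(Gre("198.51.100.99", OUTSIDE_IF, reply.call_id)),  # no control session: dropped
        pix.gre(Gre(CCC_SERVER, client, 1)),                       # server -> client, source PATed
    )

if __name__ == "__main__":
    for pkt in thread_scenario():
        print(pkt)
```

The same inspector also covers the other direction of the NAT-versus-PAT difference: two inside hosts that both pick call ID 1 toward the same outside server get distinct outside call IDs, so the server's returning GRE can be steered to the right host by key alone, something an address-only xlate cannot do.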