outbound VPN access through PIX with fixup pptp

Discussion in 'Cisco' started by darkcape@yahoo.com, Mar 2, 2007.

  1. Guest

    I am having problems connecting to a client's site using windows VPN
    through a cisco PIX 506e.

    After some searching I found that I should have configured the
    following which I have:
    fixup protocol pptp 1723
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 interface

    from:
    http://www.cisco.com/warp/public/110/pix_pptp.html#ver63

    If I use a pix 501 with basic settings (below "simple") I have no
    problems connecting:

    how ever If I use the live inherited 506e (below "detailed" same
    version 6.3(5)) windows XP fails with a 800 error almost immediately.
    outside vpn can be pinged though. Can someone point out what I have on
    the 506e that is in the wrong place or shouldn't be there or if my vpn
    rules to other offices are causing the issue.

    ---- simple 501 -----
    ciscopix# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password X encrypted
    passwd X encrypted
    hostname ciscopix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723 <-- cisco suggested
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit gre any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp any any
    access-list outside_access_in permit icmp any any
    access-list outside_access_in deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside (ip address and mask)
    ip address inside 192.168.12.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface <-- cisco suggested
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <-- cisco suggested
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 (external gateway) 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.12.0 255.255.255.0 inside
    floodguard enable
    telnet 192.168.12.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.12.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.12.100-192.168.12.131 inside
    dhcpd dns (dns servers)
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    : end

    --- detailed 506e ---

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password x encrypted
    passwd x encrypted
    hostname (pix 506e)
    domain-name (domain name)
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723 <-- cisco suggested
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.4.19 (inside server)
    -- a other names left out here for brevity --
    access-list (other vpn)_splitTunnelAcl permit ip 192.168.4.0
    255.255.255.0 (ipaddress) 255.255.255.0
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit gre any any
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp host (off site no vpn user
    lots of these) any eq smtp
    access-list outside_access_in permit icmp any any
    access-list outside_access_in deny ip any any
    access-list 100 permit ip 192.168.4.0 255.255.255.0 (ipaddress)
    255.255.255.0
    access-list 100 permit ip 192.168.4.0 255.255.255.0 (offsite vpn)
    255.255.255.0
    access-list 110 permit ip 192.168.4.0 255.255.255.0 (offsite vpn)
    255.255.255.0
    access-list capin permit ip host 192.168.4.155 host (inside server)
    access-list capin permit ip host (external ip) host 192.168.4.155
    access-list capin permit ip host (inside server) host 192.168.4.155
    access-list capin permit ip host 192.168.4.155 host (external ip)
    pager lines 1000
    logging on
    logging history informational
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside (external ip) 255.255.255.248
    ip address inside 192.168.4.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnrange 172.16.80.10-172.16.80.50
    pdm location (inside server) 255.255.255.255 inside
    --- lots of pdm locations that I need to remove ---
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface <-- cisco suggested
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <-- cisco suggested
    static (inside,outside) tcp interface www (inside server) www dns
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https (inside server) https dns
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp (inside server) smtp dns
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 (inside server) pop3 dns
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 995 (inside server) 995 dns
    netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 (external gateway) 1
    route inside ISApool 255.255.255.0 192.168.4.X 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    aaa-server partnerauth (inside) host (host and password) timeout 10
    http server enable
    http 192.168.4.0 255.255.255.0 inside
    snmp-server location (city)
    snmp-server contact (name)
    snmp-server community (city)
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 110
    crypto map newmap 10 set peer (other office ip)
    crypto map newmap 10 set transform-set esp-3des-md5
    crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address (office to office-vpn) netmask
    255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup (other vpn) address-pool vpnrange
    vpngroup (other vpn) dns-server (inside dns)
    vpngroup (other vpn) default-domain (domain)
    vpngroup (other vpn) split-tunnel (other vpn)_splitTunnelAcl
    vpngroup (other vpn) idle-time 7200
    telnet 192.168.4.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 60
    management-access inside
    console timeout 0
    dhcpd address 192.168.4.129-192.168.4.199 inside
    dhcpd dns (inside server) (other inside server)
    dhcpd wins (inside server) (other inside server)
    dhcpd lease 14400
    dhcpd ping_timeout 750
    dhcpd domain (domain)
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end
    [OK]
    , Mar 2, 2007
    #1
    1. Advertising

  2. Guest

    I was able to get this resolved using the following commands:
    access-list outside_access_in permit tcp any any eq pptp
    static (inside,outside) tcp interface 47 (client vpn site) 47 netmask
    255.255.255.255 0 0

    that allowed the connection to work. however terminal services we
    failing but I believe that to be a completely different issue
    , Mar 2, 2007
    #2
    1. Advertising

  3. In article <>,
    <> wrote:
    >I was able to get this resolved using the following commands:
    >access-list outside_access_in permit tcp any any eq pptp
    >static (inside,outside) tcp interface 47 (client vpn site) 47 netmask
    >255.255.255.255 0 0


    Sounds suspicious to me. PPTP doesn't use TCP port 47: PPTP uses
    IP *protocol* 47 (GRE). GRE is on the same level as TCP and UDP in
    the IP hierarchy, not a TCP port. And the PIX doesn't offer any
    'static' command to static GRE.
    >
    Walter Roberson, Mar 3, 2007
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Alex
    Replies:
    3
    Views:
    839
    Guest
    May 12, 2004
  2. Tom
    Replies:
    4
    Views:
    652
  3. gencode

    Outbound VPN through a Pix 501

    gencode, May 2, 2005, in forum: Cisco
    Replies:
    1
    Views:
    634
    Walter Roberson
    May 2, 2005
  4. James B. Wood
    Replies:
    7
    Views:
    8,475
    keshav
    Jun 25, 2006
  5. Replies:
    0
    Views:
    521
Loading...

Share This Page