Pix Firewall

Discussion in 'Cisco' started by Wim Heijboer, Jul 10, 2003.

  1. Wim Heijboer


    There is this pix firewall (501), and I want to pptp to a server
    behind that firewall.
    I found an example configuration at the Cisco website:


    In this configuration example, the PPTP server is 209.165.201.5
    (static to 10.48.66.106 inside), and the PPTP client is at
    209.165.201.25.

    access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
    access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
    static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside

    In this description a static route is made:

    static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
    If I add this routing, all the clients (inside) are not able to use the
    Internet.

    HOW can I enable PPTP without leaving all clients without Internet??

    PLEASE help us.



    RUNNING CONFIG OF THE CISCO PIX FIREWALL (sorry, I removed the
    external IP address and domain and server name for security reasons....)


    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 7q3nzmVclyc6NvU3 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name <domainname.com>
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol sqlnet 1521
    names
    name xx.xxx.xxx.xx vdenl
    name xx.xxx.xxx.xx conf
    name xx.xxx.xxx.xx server
    object-group network vdenl
    network-object vdenl 255.255.0.0
    object-group network conf
    network-object conf 255.255.255.0
    access-list inside_access_in permit tcp object-group vdenl any eq https
    access-list inside_access_in permit tcp object-group vdenl any eq www
    access-list inside_access_in permit udp object-group vdenl any eq domain
    access-list inside_access_in permit tcp object-group vdenl any eq pop3
    access-list inside_access_in permit tcp object-group vdenl any eq smtp
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any host xx.xxx.xxx.xx eq 3389
    access-list inside_access_in permit tcp object-group vdenl any eq 1723
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq smtp
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq www
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq https
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 3389
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 1723
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq 17
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq 1701
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq isakmp
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 129.2.1.1 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location xx.xxx.xxx.xx 255.255.255.248 outside
    pdm location vdenl 255.255.0.0 inside
    pdm location conf 255.255.255.0 inside
    pdm location xx.xxx.xxx.xx 255.255.255.255 outside
    pdm location A-Server-Instance 255.255.255.255 inside
    pdm group vdenl inside
    pdm group conf inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx www A-Server-Instance www netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx smtp A-Server-Instance smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx https A-Server-Instance https netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx 3389 A-Server-Instance 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx 1723 A-Server-Instance 1723 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx 17 A-Server-Instance 17 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx 1701 A-Server-Instance 1701 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx isakmp A-Server-Instance isakmp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http xx.xxx.xxx.xx 255.255.255.248 outside
    http conf 255.255.255.0 inside
    http vdenl 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    no sysopt route dnat
    telnet xx.xxx.xxx.xx 255.255.255.248 outside
    telnet conf 255.255.255.0 inside
    telnet vdenl 255.255.0.0 inside
    telnet timeout 5
    ssh xx.xxx.xxx.xx 255.255.255.248 outside
    ssh conf 255.255.255.0 inside
    ssh vdenl 255.255.0.0 inside
    ssh timeout 5
    dhcpd address 129.2.1.100-129.2.1.131 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username michielt password <a-encrypted-password> encrypted privilege 15
    username beheer password <a-encrypted-password> encrypted privilege 15
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    terminal width 80
    Cryptochecksum:356937e58f6e9fb2c03710f77784e2fb
     
    Wim Heijboer, Jul 10, 2003
    #1

  2. On Thu, 10 Jul 2003 15:15:35 +0300, "Jyri Korhonen"
    <> wrote:

    >"Wim Heijboer" <> wrote:
    >
    >> There is this pix firewall (501), and i want to pptp to
    >> a server behind that firewall.
    >>
    >> global (outside) 1 interface
    >> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    >
    >As far as I know, you can't do that. If you have only one
    >global IP address and you are using it for PAT (Port Address
    >Translation), then you can only use protocols with ports.
    >You can't use portless protocols like GRE, ESP, AH etc.
    >
    >However you can create a PPTP or a VPN connection to the Pix
    >and access the server through the Pix. See the Pix manual
    >for commands:
    >
    > vpdn
    > vpngroup


    Is there a difference between 'from the pix' and 'to the pix' in this
    instance?? I.e. it's your pix but the VPN goes to a client's network.
     
    Steve Holdoway, Jul 10, 2003
    #2

  3. If I read your post correctly, you're wanting to allow clients on the PIX
    outside interface to connect to a server attached to the PIX inside
    interface.

    I believe that the PPTP connection process initializes the GRE tunneling
    from the recipient-side (server in the case of a dial-in). Since established
    traffic is allowed through the firewall, you should be able to make the
    static translation port-specific. Once the server authenticates the client,
    it will establish a GRE from inside the firewall.

    The configuration example that you have used from Cisco's site addresses the
    opposite scenario, where a client is inside the firewall trying to connect
    to an external server.

    Try this statement -- "static (inside,outside) tcp interface 1723
    <internal_server_address> 1723 netmask 255.255.255.255 0 0"

    Michael

    PS: From the looks of your config, all you need to do is add your GRE
    statement to "outside_access_in."


    "Wim Heijboer" <> wrote in message
    news:...
    > There is this pix firewall (501), and i want to pptp to a server
    > behind that firewall.
    > i found an example configuration at the cisco website:
    >
    >
    > In this configuration example, the PPTP server is 209.165.201.5
    > (static to 10.48.66.106 inside), and the PPTP client is at
    > 209.165.201.25.
    >
    > access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
    > access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
    > static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
    > access-group acl-out in interface outside
    >
    > In this description a static route is made:
    >
    > static (inside,outside) 209.165.201.5 10.48.66.106 netmask
    > 255.255.255.255 0 0
    > If I add this routing, all the clients (inside) are not able to use
    > Internet.
    >
    > HOW can i enable pptp without having all clients without internet??
    >
    > PLEASE help us.
     
    Michael T. Hall, Jul 11, 2003
    #3
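    Pulling Michael's suggestion and the thread's outcome together, the relevant
    part of the PIX configuration would look like the fragment below. This is an
    illustration added by the editor, not text from the thread or from Cisco. It
    assumes PIX 6.3, where `fixup protocol pptp 1723` is the PPTP inspection that
    Wim refers to in his final post (the command does not exist in the 6.2(2) he
    was running), and it uses `<server-inside-ip>` and `<outside-ip>` as
    placeholders for the addresses the poster masked.

```text
fixup protocol pptp 1723
static (inside,outside) tcp interface 1723 <server-inside-ip> 1723 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host <outside-ip> eq 1723
access-list outside_access_in permit gre any host <outside-ip>
access-group outside_access_in in interface outside
```

    The port-specific static is Michael's line and only covers the TCP 1723 control
    channel, which is why the earlier attempt broke Internet access for everyone:
    the example from Cisco's site used a one-to-one static that claimed the whole
    outside address, the same address `global (outside) 1 interface` was using for
    PAT. The fixup watches the control channel and creates the GRE translation to
    the inside server on its own, but the inbound ACL still has to permit GRE, so
    the `permit gre` line is not optional.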
  4. Wim Heijboer


    Thank you, I have installed PIX 6.3 and did a fixup protocol for PPTP and it works.

    regards,

    Wim Heijboer


     
    Wim Heijboer, Jul 11, 2003
    #4
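    To show why Jyri's point about PAT and port-less protocols (quoted in reply #2)
    holds, and what the PIX 6.3 PPTP fixup Wim ended up using has to do about it,
    here is a small Python model added by the editor. It is not Cisco code and not
    from the thread: `PixPat` is a toy translator, the packet builders construct
    RFC 2637 control messages and enhanced-GRE headers from scratch, and the
    addresses are the ones from the Cisco example in the first post, reused here
    as constructed values. The model tracks only the server's Call ID from an
    accepted Outgoing-Call-Reply; a real inspection engine also tracks the
    client's Call ID and rewrites colliding IDs.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
OUT_CALL_REQUEST = 7      # client -> server; carries the client's Call ID
OUT_CALL_REPLY = 8        # server -> client; carries the server's Call ID
GRE_PROTO_PPP = 0x880B    # enhanced GRE (RFC 2637) carrying PPP

def pptp_control(ctrl_type, body):
    """Prefix a control-message body with the 12-byte PPTP header."""
    return struct.pack("!HHIHH", 12 + len(body), PPTP_CONTROL_MESSAGE,
                       PPTP_MAGIC, ctrl_type, 0) + body

def out_call_request(call_id, serial=1):
    # Call ID, serial, min/max bps, bearer, framing, window, delay, phone length,
    # reserved, then 64-byte phone number and 64-byte subaddress (168 bytes total).
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100000000,
                       3, 3, 64, 0, 0, 0) + bytes(128)
    return pptp_control(OUT_CALL_REQUEST, body)

def out_call_reply(call_id, peer_call_id, result=1):
    # Call ID, peer's Call ID, result, error, cause, speed, window, delay, channel.
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0,
                       100000000, 64, 0, 0)
    return pptp_control(OUT_CALL_REPLY, body)

def parse_pptp_control(data):
    """Return (ctrl_type, fields) for a well-formed control message, else None."""
    if len(data) < 12:
        return None
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != PPTP_CONTROL_MESSAGE or length != len(data):
        return None
    if ctrl_type == OUT_CALL_REQUEST and length >= 16:
        call_id, serial = struct.unpack("!HH", data[12:16])
        return ctrl_type, {"call_id": call_id, "serial": serial}
    if ctrl_type == OUT_CALL_REPLY and length >= 18:
        call_id, peer, result, _err = struct.unpack("!HHBB", data[12:18])
        return ctrl_type, {"call_id": call_id, "peer_call_id": peer, "result": result}
    return ctrl_type, {}

def gre_v1_packet(call_id, seq, payload):
    # Flags 0x3001: Key present (0x2000), Sequence present (0x1000), version 1.
    # The "key" holds the payload length and the receiver's Call ID; no port.
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

def parse_gre_v1(data):
    """Return the Call ID of a PPTP GRE packet, or None if it is not one."""
    if len(data) < 8:
        return None
    flags, proto, _plen, call_id = struct.unpack("!HHHH", data[:8])
    if (flags & 0x7) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x2000):
        return None
    return call_id

class PixPat:
    """Toy model of interface PAT with port statics, with or without PPTP inspection."""

    def __init__(self, outside_ip, pptp_fixup):
        self.outside_ip = outside_ip
        self.pptp_fixup = pptp_fixup
        self.statics = {}      # (proto, outside port) -> inside host
        self.gre_xlate = {}    # Call ID expected in inbound GRE -> inside host

    def add_static(self, proto, port, inside_ip):
        self.statics[(proto, port)] = inside_ip

    def inbound_tcp(self, dport):
        # Outside -> inside: only a matching port static lets the packet through.
        return self.statics.get(("tcp", dport))

    def outbound_tcp(self, inside_ip, sport, payload):
        # Inside -> outside: with the fixup on, an accepted Outgoing-Call-Reply from
        # the server tells us which Call ID the outside client will put in its GRE.
        if self.pptp_fixup and sport == 1723:
            parsed = parse_pptp_control(payload)
            if parsed and parsed[0] == OUT_CALL_REPLY and parsed[1]["result"] == 1:
                self.gre_xlate[parsed[1]["call_id"]] = inside_ip
        return self.outside_ip

    def inbound_gre(self, packet):
        # No port to match a static on: only a Call ID learned by the fixup maps back.
        call_id = parse_gre_v1(packet)
        return None if call_id is None else self.gre_xlate.get(call_id)

def simulate(pptp_fixup):
    """PPTP call set-up for the thread's scenario (constructed addresses)."""
    server, outside = "10.48.66.106", "209.165.201.5"
    pix = PixPat(outside, pptp_fixup)
    pix.add_static("tcp", 1723, server)       # Michael's port-specific static
    assert pix.inbound_tcp(1723) == server     # client's control channel arrives
    # Server accepts the call; its Call ID 0x1234 will be in every inbound GRE packet.
    pix.outbound_tcp(server, 1723, out_call_reply(call_id=0x1234, peer_call_id=0x0001))
    # Client's first GRE data packet (an LCP Configure-Request inside PPP).
    return pix.inbound_gre(gre_v1_packet(0x1234, 1, b"\xff\x03\xc0\x21"))
```

    `simulate(False)` returns `None`: the control channel gets through the TCP
    1723 static, but the first GRE packet has no port for PAT to match, which is
    the failure Jyri describes. `simulate(True)` returns the inside server, because
    the inspection of the control channel is what creates the GRE translation.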
