PPTP Pass Through Problems

Discussion in 'Cisco' started by paul tomlinson, Nov 7, 2003.

  1. Hi guys, I have a Cisco PIX configured to work with my leased line, and I
    am also lucky enough to have 254 usable IP addresses (I don't think I need
    them for this solution, but thought I should mention it). I am trying to
    configure the PIX to send any SMTP and PPTP traffic destined to
    a.a.a.a to the local SMTP server 172.17.135.100; that way I can
    authenticate my remote users with my Windows 2000 server instead of
    authenticating to the PIX. I have an Exchange server sitting on the same
    IP I am using for PPTP.

    Two problems: neither the port 25 mapping nor the VPN connection seems
    to work. When I try to telnet, the port just closes straight away;
    this points to the access-lists / PIX config. If I telnet from the
    local LAN I get a response on 25 and the screen sits there on 1723
    (as expected).

    Any chance you guys could have a look through and put me in the right
    direction? I am running IOS 6.3(1).


    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list out-acl permit icmp any any echo-reply
    access-list out-acl permit icmp any any unreachable
    access-list out-acl permit icmp any any time-exceeded
    access-list out-acl permit icmp any any source-quench
    access-list out-acl permit icmp any any parameter-problem
    access-list out-acl permit tcp any any eq ssh
    access-list out-acl permit tcp any any eq pop3
    access-list out-acl permit gre host a.a.a.a any
    access-list out-acl permit tcp host a.a.a.a any eq pptp
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq www
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq https
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq smtp
    access-list acl100 permit icmp 172.17.135.0 255.255.255.0 any
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq domain
    access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq domain
    access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq ntp
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq ssh
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq telnet
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq pop3
    access-list acl100 permit tcp any any eq ssh
    access-list acl100 permit tcp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl100 permit udp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl100 permit icmp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl100 permit tcp any any eq smtp
    access-list 101 permit ip 172.17.135.0 255.255.255.0 172.17.150.0 255.255.255.0
    pager lines 24
    logging console debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside b.b.b.b 255.255.255.0
    ip address inside 172.17.135.230 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 172.17.150.230-172.17.150.240
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) a.a.a.a 172.17.135.100 netmask 255.255.255.255 0 0
    access-group out-acl in interface outside
    access-group acl100 in interface inside
    route outside 0.0.0.0 0.0.0.0 c.c.c.c 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 0.0.0.0 0.0.0.0 inside
    telnet 172.17.135.0 255.255.255.0 inside
    telnet timeout 25
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 25
    console timeout 0
    dhcpd ping_timeout 750
    terminal width 80
    paul tomlinson, Nov 7, 2003
    #1

  2. In article <>,
    paul tomlinson <> wrote:
    : I am trying to
    :configure the PIX to send any smtp and pptp traffic destined to
    :a.a.a.a to the local smtp server 172.17.135.100,

    :Two problems, neither the port 25 mapping or the VPN connection seem
    :to work, when i try to telnet the ports just closes straight away -

    :i am running IOS 6.3(1)

    :access-list out-acl permit icmp any any echo-reply
    :access-list out-acl permit icmp any any unreachable
    :access-list out-acl permit icmp any any time-exceeded
    :access-list out-acl permit icmp any any source-quench
    :access-list out-acl permit icmp any any parameter-problem
    :access-list out-acl permit tcp any any eq ssh
    :access-list out-acl permit tcp any any eq pop3
    :access-list out-acl permit gre host a.a.a.a any
    :access-list out-acl permit tcp host a.a.a.a any eq pptp

    Your out-acl, which you apply against the outside interface,
    isn't permitting smtp in to a.a.a.a.

    :sysopt connection permit-pptp

    That applies only to pptp traffic that terminates at the PIX.

    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq www
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq https
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq smtp
    :access-list acl100 permit icmp 172.17.135.0 255.255.255.0 any
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq domain
    :access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq domain
    :access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq ntp
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq ssh
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq telnet
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq pop3
    :access-list acl100 permit tcp any any eq ssh
    :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    :access-list acl100 permit udp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    :access-list acl100 permit icmp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
    :access-list acl100 permit tcp any any eq smtp

    You have acl100 applied against the inside interface. You do not,
    though, permit out gre traffic. I am not sure whether that is
    important: I don't know whether adaptive security would automatically
    permit the return traffic or not.

    :access-list 101 permit ip 172.17.135.0 255.255.255.0 172.17.150.0 255.255.255.0
    :ip address inside 172.17.135.230 255.255.255.0
    :ip local pool pptp-pool 172.17.150.230-172.17.150.240
    :nat (inside) 0 access-list 101
    :static (inside,outside) a.a.a.a 172.17.135.100 netmask 255.255.255.255 0 0

    If you are telnetting to a.a.a.a then you are doing so outside
    of the pptp tunnel and you have to permit the smtp inward as previously
    noted.

    To telnet to the smtp port inside of the pptp tunnel that you
    are passing through the PIX, you would have to telnet to the
    inside address, 172.17.135.100, because you've exempted that
    connection from translation by using the nat 0 access-list.
    --
    What is "The Ultimate Meme"? Would it, like Monty Python's
    "The World's Funniest Joke", lead to the deaths of everyone who
    encountered it? Ideas *have* led to the destruction of entire cultures.
    -- A Child's Garden Of Memes
    Walter Roberson, Nov 7, 2003
    #2

  3. Walter, thanks for your help on this one. I've made the following
    changes:

    access-list out-acl permit tcp host a.a.a.a any eq 25
    no sysopt connection permit-pptp
    access-list acl100 permit gre any any

    When telnetting I'm telnetting to the outside IP a.a.a.a, as I am
    trying to configure an Exchange server with an SMTP feed behind the
    PIX on a separate IP. If I am wasting my time and you think it
    would be easier to just use port 25 off the NAT'd IP or even off the
    PIX firewall IP, then let me know.

    Thanks again for your help - really appreciated

    paul tomlinson, Nov 8, 2003
    #3
  4. In article <>,
    paul tomlinson <> wrote:
    :Walter thanks for your help on this one i've made the following
    :changes

    :access-list out-acl permit tcp host a.a.a.a any eq 25

    That should be

    access-list out-acl permit tcp any host a.a.a.a eq 25

    if you want outside hosts to be able to connect to tcp port 25 of a.a.a.a
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Nov 9, 2003
    #4
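The source/destination point in Walter's replies #2 and #4, worked through in an added example that is not code from the thread: a matcher for the subset of PIX 6.x access-list syntax that appears above, run against the posted out-acl with Paul's first fix applied and against the same entries with source and destination the right way round. 198.51.100.10 stands in for a.a.a.a and 203.0.113.5 is a constructed remote host; both addresses are assumptions, not values from the thread.

```python
"""Added example: first-match evaluation of PIX 6.x access-list entries.

Shows why 'permit tcp host a.a.a.a any eq 25' never matches a connection
arriving from the Internet, while 'permit tcp any host a.a.a.a eq 25' does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC = "198.51.100.10"  # assumed stand-in for a.a.a.a (the static for 172.17.135.100)
REMOTE = "203.0.113.5"    # constructed: an Internet host / remote PPTP client

# Port keywords used in the posted configuration
PORT_NAMES = {"ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "ntp": 123, "https": 443, "pptp": 1723}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source, destination, port or ICMP type."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


@dataclass
class Flow:
    """First packet of a connection as seen on the interface the ACL is bound to."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _parse_addr(tokens, i):
    """PIX 6.x address forms: 'any' | 'host A.B.C.D' | 'A.B.C.D NETMASK' (a mask, not a wildcard)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if t[i] == "eq":  # 'eq' qualifies the destination port
            dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        elif proto == "icmp":
            icmp_type = t[i]
    return Ace(action, proto, src, dst, dport, icmp_type, line)


def evaluate(acl, flow):
    """First matching entry wins; an access-group ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != flow.icmp_type:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


def load_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


# The posted out-acl after Paul's first change: a.a.a.a written as the *source*.
ORIGINAL_OUT_ACL = load_acl(f"""
access-list out-acl permit icmp any any echo-reply
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit tcp any any eq pop3
access-list out-acl permit gre host {PUBLIC} any
access-list out-acl permit tcp host {PUBLIC} any eq pptp
access-list out-acl permit tcp host {PUBLIC} any eq 25
""")

# The same entries with a.a.a.a as the *destination*, which is what inbound traffic carries.
CORRECTED_OUT_ACL = load_acl(f"""
access-list out-acl permit icmp any any echo-reply
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit tcp any any eq pop3
access-list out-acl permit gre any host {PUBLIC}
access-list out-acl permit tcp any host {PUBLIC} eq pptp
access-list out-acl permit tcp any host {PUBLIC} eq 25
""")

# Constructed inbound first packets from the remote host to the static address.
INBOUND_FLOWS = {
    "smtp": Flow("tcp", REMOTE, PUBLIC, dport=25),
    "pptp-control": Flow("tcp", REMOTE, PUBLIC, dport=1723),
    "gre": Flow("gre", REMOTE, PUBLIC),
}


def check(acl):
    """Map each inbound flow to the action the ACL takes on it."""
    return {name: evaluate(acl, flow)[0] for name, flow in INBOUND_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_OUT_ACL), ("corrected", CORRECTED_OUT_ACL)):
        for name, flow in INBOUND_FLOWS.items():
            action, why = evaluate(acl, flow)
            print(f"{label:9} {name:13} {action:6} <- {why}")
```

The matcher models only first-match evaluation with the implicit deny; it does not model the xlate table or the connection table. Using PUBLIC as the destination simply assumes the pre-8.3 PIX behaviour that an ACL on the outside interface is written against the global (static) address rather than 172.17.135.100, and the code says nothing about whether the PIX opens the return path for GRE on its own, which is the question reply #2 leaves open. The same reversal fixes all three inbound flows, which matches Paul's report in #5 that the change sorted PPTP.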
  5. Well, it didn't fix my SMTP issue, but the same thing fixed my PPTP problem,
    so PPTP is all sorted. I think SMTP may be configured to accept
    connections from only one IP address; I will need to look into it.

    Thanks again for all your help

    Paul
    paul tomlinson, Nov 9, 2003
    #5