Pix Firewall

Discussion in 'Cisco' started by Wim Heijboer, Jul 10, 2003.

  1. Wim Heijboer

    Wim Heijboer Guest

    There is this pix firewall (501), and I want to PPTP to a server
    behind that firewall.
    I found an example configuration at the Cisco website:


    In this configuration example, the PPTP server is 209.165.201.5
    (static to 10.48.66.106 inside), and the PPTP client is at
    209.165.201.25.

    access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
    access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
    static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside

    In this description a static route is made:

    static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0

    If I add this routing, all the clients (inside) are not able to use the
    Internet.

    HOW can I enable PPTP without leaving all the clients without Internet??

    PLEASE help us.



    RUNNING CONFIG OF THE CISCO PIX FIREWALL (sorry, I removed the
    external IP address, domain and server name for security reasons....)


    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 7q3nzmVclyc6NvU3 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name <domainname.com>
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol sqlnet 1521
    names
    name xx.xxx.xxx.xx vdenl
    name xx.xxx.xxx.xx conf
    name xx.xxx.xxx.xx server
    object-group network vdenl
    network-object vdenl 255.255.0.0
    object-group network conf
    network-object conf 255.255.255.0
    access-list inside_access_in permit tcp object-group vdenl any eq https
    access-list inside_access_in permit tcp object-group vdenl any eq www
    access-list inside_access_in permit udp object-group vdenl any eq domain
    access-list inside_access_in permit tcp object-group vdenl any eq pop3
    access-list inside_access_in permit tcp object-group vdenl any eq smtp
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any host xx.xxx.xxx.xx eq 3389
    access-list inside_access_in permit tcp object-group vdenl any eq 1723
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq smtp
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq www
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq https
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 3389
    access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 1723
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq 17
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq 1701
    access-list outside_access_in permit udp any host xx.xxx.xxx.xx eq isakmp
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 129.2.1.1 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location xx.xxx.xxx.xx 255.255.255.248 outside
    pdm location vdenl 255.255.0.0 inside
    pdm location conf 255.255.255.0 inside
    pdm location xx.xxx.xxx.xx 255.255.255.255 outside
    pdm location A-Server-Instance 255.255.255.255 inside
    pdm group vdenl inside
    pdm group conf inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx www A-Server-Instance www netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx smtp A-Server-Instance smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx https A-Server-Instance https netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx 3389 A-Server-Instance 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp xx.xxx.xxx.xx 1723 A-Server-Instance 1723 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx 17 A-Server-Instance 17 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx 1701 A-Server-Instance 1701 netmask 255.255.255.255 0 0
    static (inside,outside) udp xx.xxx.xxx.xx isakmp A-Server-Instance isakmp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http xx.xxx.xxx.xx 255.255.255.248 outside
    http conf 255.255.255.0 inside
    http vdenl 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    no sysopt route dnat
    telnet xx.xxx.xxx.xx 255.255.255.248 outside
    telnet conf 255.255.255.0 inside
    telnet vdenl 255.255.0.0 inside
    telnet timeout 5
    ssh xx.xxx.xxx.xx 255.255.255.248 outside
    ssh conf 255.255.255.0 inside
    ssh vdenl 255.255.0.0 inside
    ssh timeout 5
    dhcpd address 129.2.1.100-129.2.1.131 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username michielt password <a-encrypted-password> encrypted privilege 15
    username beheer password <a-encrypted-password> encrypted privilege 15
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    terminal width 80
    Cryptochecksum:356937e58f6e9fb2c03710f77784e2fb
     
    Wim Heijboer, Jul 10, 2003
    #1

  2. Is there a difference between 'from the pix' and 'to the pix' in this
    instance?? I.e. it's your pix but the VPN goes to a client's network.
     
    Steve Holdoway, Jul 10, 2003
    #2

  3. If I read your post correctly, you're wanting to allow clients on the PIX
    outside interface to connect to a server attached to the PIX inside
    interface.

    I believe that the PPTP connection process initializes the GRE tunneling
    from the recipient-side (server in the case of a dial-in). Since established
    traffic is allowed through the firewall, you should be able to make the
    static translation port-specific. Once the server authenticates the client,
    it will establish a GRE from inside the firewall.

    The configuration example that you have used from Cisco's site addresses the
    opposite scenario, where a client is inside the firewall trying to connect
    to an external server.

    Try this statement -- "static (inside,outside) tcp interface 1723
    <internal_server_address> 1723 netmask 255.255.255.255 0 0"

    Michael

    PS: From the looks of your config, all you need to do is add your GRE
    statement to "outside_access_in."
     
    Michael T. Hall, Jul 11, 2003
    #3
  4. Wim Heijboer

    Wim Heijboer Guest

    Thank you, I have installed PIX 6.3 and did a fixup protocol for PPTP and it works.

    regards,

    Wim Heijboer
     
    Wim Heijboer, Jul 11, 2003
    #4
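Putting the thread's resolution together as an added example (this is not configuration from the original posts or from Cisco's documentation): the posted config already has a port-specific static for TCP 1723 and a matching `outside_access_in` entry, so what it lacks is handling of the GRE data channel, which is what Michael points at and what the PIX 6.3 PPTP fixup supplies. The fragment below assumes PIX 6.3, an outside address from DHCP with `global (outside) 1 interface` PAT as in the posted config, and a hypothetical inside PPTP server at 129.2.1.10 (the real server is masked as A-Server-Instance in the post). The client address 209.165.201.25 is the one from the Cisco example quoted in the first post, used here to show a source-restricted rule; lines beginning with `:` are comments for the reader.

```cisco
: Added example, not from the thread or from Cisco's documentation.
: Assumes PIX 6.3, outside address from DHCP with "global (outside) 1 interface",
: and a hypothetical inside PPTP server at 129.2.1.10.
:
: 1. Inspect the PPTP control channel so the PIX opens the GRE data channel
:    itself (the fixup was added in 6.3; the OP reports this is what made it
:    work). GRE has no ports, so without the fixup there is no PAT xlate for
:    it on the interface address and inbound GRE is dropped.
fixup protocol pptp 1723
:
: 2. Port-specific static on the interface address, as Michael suggests.
:    A one-to-one static on the same address would take the whole address
:    away from the PAT pool that every inside client uses.
static (inside,outside) tcp interface 1723 129.2.1.10 1723 netmask 255.255.255.255 0 0
:
: 3. Permit only the control channel inbound. The outside address is
:    dynamic here, so the destination is "any"; with a fixed address use
:    "host <outside-ip>". Restrict the source to the known client where you
:    can, as Cisco's example does, instead of "any" as in the posted config.
access-list outside_access_in permit tcp host 209.165.201.25 any eq 1723
:
: 4. On 6.2, which has no PPTP fixup, the Cisco example's arrangement is
:    needed instead: a spare public address with a one-to-one static to the
:    server, plus an explicit GRE permit between the two hosts. With the 6.3
:    fixup the PIX creates the GRE connection dynamically, so no GRE entry is
:    added to the ACL here.
access-group outside_access_in in interface outside
```

After a client connects, `show xlate` should list the TCP 1723 translation and `show conn` should show both the control connection and a GRE connection to the inside server; if only the TCP connection appears, the fixup is not active or the PIX is still running 6.2.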
