PIX 515 and PPTP VPN


  • PIX 515 and PPTP VPN

    Hi,

    I want to set up a VPN for my Windows clients. The PIX is managed by a third party and it is very expensive to set up 5 connections. So I set up a Windows 2003 PPTP server.
    It's inside my network. I asked them to port forward TCP:1723 and GRE:47?

    And they asked me to test, but it's not working; I get Error 800 from outside.

    1. Can we test from inside, and if so, how?

    2. They sent this:

    access-list acl_out line 3 permit tcp host 2xx.x.xx5.x host 192.168.x.x eq pptp

    access-list acl_out line 4 permit tcp host 2xx.x.xx5.x host 192.168.x.x eq 47

    static (inside,outside) 2xx.x.xx5.x 192.168.x.x netmask 255.255.255.255 0 0

    3. I can't ping this IP 2xx.x.xx5.x from outside?
    AusNetIT Solutions

    Web Design | Web Hosting | SEO | IT Support

  • #2
    Re: PIX 515 and PPTP VPN

    Hi Cosy,

    Two quick things I notice with the ACL:

    - GRE is not port 47, which is why the "eq 47" isn't going to help you.
    - It should be protocol 47, which is GRE. Here is what it looks like on my Cisco router (I don't have my PIX handy, but you see where the TCP should be GRE):
    access-list 101 per gre host 200.2.200.2 host 192.168.1.1

    I didn't think too much about the "will this work" question yet, other than to look at the ACL.

    You should be able to just run the Windows VPN client and connect to the PPTP server to verify that it works internally.
    If that works, then test it by just pinging the IP of the PPTP server from the Internet (assuming they have that allowed in the PIX).
    If that works, then move on to testing the PPTP.

    I hope that helps.
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: PIX 515 and PPTP VPN

      Hi David,


      As discussed, here are the changes made:

      Push:
      pixfirewall# config t
      pixfirewall(config)# no access-list acl_out line 4 permit gre host 2xx.x.xxx.3 any
      pixfirewall(config)# no access-list acl_out line 3 permit tcp host 2xx.x.xxx.3 host 192.168.x.xeq pptp
      pixfirewall(config)# access-list acl_out line 4 permit tcp any host 2xx.x.xxx.3 eq pptp
      pixfirewall(config)# access-list acl_out line 4 permit gre any host 2xx.x.xxx.3
      pixfirewall(config)# exit
      pixfirewall# wr mem

      I tested this internally and externally and now all is OK.

      Thank you
      Last edited by COSY; 10th July 2007, 07:41.
      AusNetIT Solutions
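As an added example (not code from the thread or from Cisco), here is a small Python lint over PIX-style access-list entries that catches the two points above: "eq 47" used where GRE (IP protocol 47) was meant, and a PPTP control-channel entry with no matching GRE entry to the same destination. The addresses are constructed placeholders, not the thread's real ones.

```python
import re

# Constructed sample ACLs (placeholder addresses, not the thread's real ones):
# the original entries from the thread, where GRE was written as TCP port 47 ...
BROKEN_ACL = """
access-list acl_out line 3 permit tcp host 203.0.113.5 host 192.168.1.10 eq pptp
access-list acl_out line 4 permit tcp host 203.0.113.5 host 192.168.1.10 eq 47
"""
# ... and the corrected entries: TCP/1723 plus IP protocol 47 (gre) to the same host.
FIXED_ACL = """
access-list acl_out line 4 permit tcp any host 203.0.113.5 eq pptp
access-list acl_out line 4 permit gre any host 203.0.113.5
"""

# Matches a simple PIX 6.x ACE: action, protocol, src, dst and an optional "eq <port>".
ACE_RE = re.compile(
    r"access-list\s+\S+(?:\s+line\s+\d+)?\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def lint_pptp_acl(acl_text):
    """Return a list of findings; an empty list means the ACL lets PPTP through cleanly."""
    findings = []
    pptp_dsts, gre_dsts = set(), set()
    for raw in acl_text.strip().splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m is None:
            findings.append(f"could not parse: {line}")
            continue
        if m["action"] != "permit":
            continue
        proto, port, dst = m["proto"].lower(), m["port"], m["dst"]
        # The thread's bug: "eq 47" is a TCP/UDP port, but GRE is IP protocol 47.
        if proto in ("tcp", "udp") and port == "47":
            findings.append(f"'{line}': 'eq 47' is port 47; GRE is IP protocol 47, use 'permit gre'")
        if proto == "tcp" and port in ("pptp", "1723"):
            pptp_dsts.add(dst)
        if proto in ("gre", "47"):
            gre_dsts.add(dst)
    # PPTP needs both the TCP/1723 control channel and GRE to the same destination.
    for dst in sorted(pptp_dsts - gre_dsts):
        findings.append(f"TCP/1723 permitted to '{dst}' but no matching 'permit gre' entry")
    return findings

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, lint_pptp_acl(acl) or "OK")
```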


      • #4
        Re: PIX 515 and PPTP VPN

        Awesome!

        As Hannibal Smith on the A Team said - "I love it when a plan comes together!"
        David Davis - Petri Forums Moderator & Video Training Author


        • #5
          Re: PIX 515 and PPTP VPN

          Hi,

          Yes, now I have the following 2 issues with this laptop.

          This laptop has the Cisco VPN client and I installed the Windows XP VPN client. When using the Windows VPN client:

          1. When I open MS Outlook 2003 it waits a good 3-4 minutes and asks for the domain username and password?

          2. After adding the username and password it didn't connect & keeps trying to retrieve?

          3. Trying to connect to my file server, same as above?
          Last edited by COSY; 13th July 2007, 11:54.
          AusNetIT Solutions


          • #6
            Re: PIX 515 and PPTP VPN

            Hmm, strange. Here are some thoughts / questions...

            What are the ping times through the tunnel to internal servers, from the vpn client?

            Compare that to pinging the internet from the client while connected to the vpn.

            Did you get the proper DNS server info on your VPN adaptor on the VPN client?

            Thanks,
            David Davis - Petri Forums Moderator & Video Training Author


            • #7
              Re: PIX 515 and PPTP VPN

              I had a similar issue (not being able to connect to a PPTP VPN) on my 515 and after some searching, I was told to run
              Code:
              fixup protocol pptp 1723
              and that cleared up all the problems that I was having. You may want to try that and see if it helps you.

              David, is that really a necessary command to run?

              aaron



              • #8
                Re: PIX 515 and PPTP VPN

                AFAIK it's needed to run that command.
                Also see this article:
                http://www.cisco.com/warp/public/110/pix_pptp.html
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: PIX 515 and PPTP VPN

                  Yes!

                  The fixup command actually performs "application inspection". This inspection is done to find protocols that have IP addresses embedded in the payload. That, of course, wouldn't work when using NAT. Application inspection (fixup) modifies the payload IP address to "fix it up".

                  Of course, once you change the payload you have to recalculate the checksums. But don't despair, because fixup does that too.

                  Here are some links.

                  The Cisco link says this:
                  The PPTP fixup feature in version 6.3 allows the PPTP traffic to traverse the PIX when configured for PAT. Stateful PPTP packet inspection is also performed in the process. The fixup protocol pptp command inspects PPTP packets and dynamically creates the GRE connections and translations necessary to permit PPTP traffic
                  This is also a good article on the fixup command:
                  http://www.netcraftsmen.net/welcher/papers/pix03.html

                  And here's the bible of the PIX fixup docs, the Cisco command reference link for fixup:
                  http://www.cisco.com/en/US/docs/secu...ide/fixup.html
                  David Davis - Petri Forums Moderator & Video Training Author


                  • #10
                    Re: PIX 515 and PPTP VPN

                    Hi,

                    Now everything is working and all good.

                    Thanks
                    AusNetIT Solutions


                    • #11
                      Re: PIX 515 and PPTP VPN

                      If we're using 1-1 NAT can you still run the
                      Code:
                      fixup protocol pptp 1723
                      command?
