Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
0
Helpful
2
Replies

Pptp terminating on PIX

kiboneka
Level 1
Level 1

‎01-25-2006 12:04 PM - edited ‎02-21-2020 12:40 AM

I have Pix 501 ver 6.3, and have configured pptp.I can connect to the Pix from Microsoft pptp client from the outside , but cannot access any inside hosts, any ideas

Building configuration...

Cryptochecksum: e600b3d9 0bc5e602 9f7a3cf5 3eeedc54

[OK]

tci-gw(config)# sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname xxxx

domain-name xxx.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 100 permit tcp any host x.x.x.x eq smtp

access-list 100 permit tcp any host x.x.x.x eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x y.y.y.y

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool mypool 192.168.1.220-192.168.1.240

pdm location 192.168.1.8 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) x.x.x.x 192.168.1.8 netmask 255.255.255.255 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

fragment chain 1 outside

sysopt connection permit-pptp

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 128 required

vpdn group 1 client configuration address local mypool

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username xxxxxx password *********

vpdn username xxxxxx password *********

vpdn username xxxxxx password *********

vpdn enable outside

terminal width 80

Cryptochecksum:xxxx

: end

tci-gw(config)# sh run

: Saved

0 Helpful
2 Replies 2

b.speltz
Level 4
Level 4

‎01-31-2006 09:41 AM

PIX Firewall software versions earlier than 5.1 do not support terminating a PPTP VPN connection to the PIX.

The following commands is used to add all versions of software

access-list acl-out permit gre host < IP address>host< IP address>

access-list acl-out permit tcp host < IP address host >< IP address>

static (inside,outside) < IP address >< < IP address> netmask

access-group acl-out in interface outside

0 Helpful

kharris
Level 1
Level 1

‎02-01-2006 01:30 PM

Your clients are connecting, but the PIX is trying to do network address translation on the packets instead of using the actual IP address given to your remote connections.

Add a NAT statement to the PIX so that the PIX does not do any translation on the PPTP client's traffic.

First, I would recommend changing your local pool "mypool" to a different subnet. Otherwise, you will run into additional configuration requiring you to subnet out the bits in the access lists for the subnet masks pertaining to your PPTP clients (the .220-.240 addresses) as they are on the same subnet as your internal network. Using a different subnet makes for an easier config...but it's not required.

For my example, change your "mypool" to "192.168.254.1-192.168.254.10"

Also, the PIX-501 only supports 10 concurrent VPN peers...handing out 21 addresses in your ip pool is not needed.

Create an access-list that defines traffic that does not to be NAT'd.

example:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

Now, apply the new access-list to a "no nat" statement for the PIX

example:

nat (inside) 0 access-list nonat

This tell the PIX not to NAT any traffic matching the "nonat" access list. The use of "0" with the nat statement is what actually tells the PIX not to NAT.

Since you are using the "sysopt connection permit-ipsec" command, all pptp traffic bypasses access-lists and will be permited.

I believe that should clear you up.

Post back with problems.

Kyle

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card