Windows XP-PPTP/L2TP client---PIX Outside---PIX Inside---Windows2K3(RRAS)----Rest of the network.

asarreshteh
Level 1

Windows XP-PPTP/L2TP client---PIX Outside---PIX Inside---Windows2K3(RRAS)----Rest of the network.

We currently have a working VPN client access back to our network. Our users use either a dialup or a broadband connection to connect to PIX using the 4.0.5.A client software. Then they will connect (PPTP) to our network (Split Tunnel), get an IP address from the PPTP server (Windows 2000 or Windows 2003), get on the network and everybody is happy.

We also have a PIX-to-LinkSys VPN tunnel setup at a few small remote locations. In those offices our users only connect to the same PPTP server, get authenticated, get an IP address, get on the network and everyone is happy.

Due to some drop-off problems with the 4.0.5.A client software, we are looking at other alternatives. One of the solutions we are interested in is creating a tunnel between the PIX and the Windows box running the PPTP/L2TP server (RRAS). Allow the client to use their Windows dialup profile to connect to the outside interface of PIX and "pass through" to get to the Windows box, get authenticated, pick up an IP address and be... you guessed it, Happy.

In my research I have come across the following knowledge base articles: 249278, 249067, 249125 - I know what we are trying to do is doable, we just don't know how to make it happen. This all started when we tried to change the second connection from PPTP to L2TP. Since the PIX VPN client grabbed the IPSec ports we could not do this.

One more issue - We want to use a pre-shared key instead of a certificate from a CA.

Any help with a white paper or knowledge base article or how-to will be greatly appreciated.

Processes running on an XP box. Note process 648 and 1196.

Name      Pid   Pri  Thd  Hnd  Mem    User Time    Kernel Time  Elapsed Time
Idle      0     0    1    0    20     0:00:00.000  0:19:49.360  0:00:00.000
System    4     8    73   371  216    0:00:00.000  0:00:05.027  0:00:00.000
smss      1052  11   3    21   496    0:00:00.010  0:00:00.050  0:22:23.571
csrss     1108  13   11   584  1920   0:00:01.021  0:00:03.434  0:22:18.875
winlogon  1136  13   21   530  3456   0:00:03.274  0:00:00.580  0:22:16.211
services  1180  9    20   365  3368   0:00:00.640  0:00:02.493  0:22:13.797
lsass     1196  9    18   378  2204   0:00:00.300  0:00:00.190  0:22:13.747
cvpnd     648   8    6    259  11712  0:00:00.420  0:00:00.240  0:21:53.618

Before the Cisco VPN client makes a connection:

C:\>netstat -p UDP -n -a -o | findstr 500
UDP 0.0.0.0:500 *:* 1196

Process 1196 (lsass) controls the IPSec port. After the Cisco VPN connection is made:

C:\>netstat -p UDP -n -a -o | findstr 500
UDP 0.0.0.0:500 *:* 648
UDP 0.0.0.0:4500 *:* 648

Process 648 (cvpnd) controls the IPsec ports. If you try to activate the "IPSEC Services" at this time, it will fail with event ID 7023:

"The IPSEC Services service terminated with the following error:
Only one usage of each socket address (protocol/network address/port)
is normally permitted."

I have a case opened with Cisco support, so if anybody has seen this question please forgive me.
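To make the port-ownership check in the post repeatable, here is an added Python helper (not from the original post or from Cisco) that parses `netstat -p UDP -n -a -o` output and reports which process holds UDP 500/4500; the two sample captures and the PID-to-name map are constructed from the figures quoted above.

```python
"""Parse Windows `netstat -p UDP -n -a -o` output and report which process owns the
IKE ports (UDP 500/4500). Added example, not from the original post."""
import re
import sys

IKE_PORTS = (500, 4500)

# PID -> process name, constructed from the process list quoted in the post.
# On a live box you would build this from `tasklist /FO CSV` instead.
PROCESS_NAMES = {1196: "lsass", 648: "cvpnd"}

# Constructed samples reproducing the two captures in the post (netstat -o layout).
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1196
"""
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    648
  UDP    0.0.0.0:4500           *:*                                    648
"""

# Proto, local addr:port, foreign addr, optional State column (absent for UDP), PID.
LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?:\S+\s+)?(?P<pid>\d+)\s*$")


def udp_owners(netstat_output):
    """Return {local UDP port: owning PID} for every UDP socket in the capture."""
    owners = {}
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if m and m.group("proto") == "UDP":
            owners[int(m.group("port"))] = int(m.group("pid"))
    return owners


def ike_port_conflict(netstat_output, names=PROCESS_NAMES):
    """List (port, pid, name) for IKE ports held by anything other than lsass.
    On XP the IPSEC Services run inside lsass and must bind UDP 500/4500 themselves;
    if another process (here cvpnd) already holds them, the service start fails with
    event ID 7023 ('Only one usage of each socket address ... is normally permitted')."""
    owners = udp_owners(netstat_output)
    return [(p, owners[p], names.get(owners[p], "unknown"))
            for p in IKE_PORTS if p in owners and names.get(owners[p]) != "lsass"]


if __name__ == "__main__":
    # Pipe real output in:  netstat -p UDP -n -a -o | python this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else AFTER
    for port, pid, name in ike_port_conflict(data):
        print(f"UDP {port} is held by PID {pid} ({name}); IPSEC Services cannot bind it")
```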

9 Replies

jsivulka
Level 5

For configuring the PIX firewall for PPTP, you could refer to the following documents:

Configuring the Cisco Secure PIX Firewall to Use PPTP

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

I appreciate your feedback but what I am looking for is:

1. PIX has two interfaces, outside/DMZ. Windows Server has two interfaces: DMZ/Inside. The question is how to create a tunnel (L2TP or PPTP) between the DMZ interface of the PIX and the DMZ interface of the Windows Server 2003. Since they are in the same VLAN and on the same wire I wonder if I even need that....

2. When the XP client initiates an L2TP connection to PIX outside, I want that traffic to pass through PIX to Windows server and onto the inside network. Picking up an IP address from the Windows box and have all the proper routing in place to make this work.

Thanks again for your reply.

Seems to me that for 1) you don't need a tunnel. If your Windows box is on the 'outside' of your LAN, then why a second tunnel to put win client to win server traffic on? It's redundant.

For 2) you should only need to forward the traffic on ports X and Y (where X and Y is the VPN traffic) to the Windows server. You'd do this the same way you forward any other traffic (forwarding port 80 to a web server for example)

If you do this, then no other PIX-to-Windows Server tunnel seems necessary...

Shawn,

I am an appreciative person. So before I forget, if this solution indeed works, I will be glad to send you a gift certificate at your favorite restaurant.

Following your advice, I should need three things.

First, a “static” statement for the Windows box.

Second, modify my outbound access-list to allow the Windows box to go out.

Third, modify the inbound access-list to allow PIX clients subnet access to the Windows box.

But…How do I make routing “happen”? Windows box is running Routing and Remote Access Server (RRAS). Any special configurations to allow access to the rest of my network behind the Windows box?

PIX Client > PIX <---> Windows <-----> to the inside of my network.

I'm not entirely familiar with the PIX, but if by 'static statement' you mean a setting on the PIX to forward ports from the PIX to the windows machine's IP then, yes (I think it does). Of course you'll want to make sure the windows box also has a static IP address...

Second, the access list statements you made sound good to me. I think you get the idea. Just to expand on it a bit, the outbound ACL should allow the windows box traffic of the type used by the VPN out to 'any'; and the inbound ACL should allow in traffic from 'any' to the windows box of the type used by the VPN. This site shows what ports you probably need for a windows native VPN setup: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und13.asp

As for 'making routing happen', let me see how your network looks now. From your description you have the internet connected to the PIX WAN port. The PIX LAN port is connected to the windows box only. The Windows box has a second NIC connected to the LAN. Is this correct? Another question arises: "is there non-VPN traffic going over the PIX to the LAN?" If so, additions to allow that traffic into the network might be needed.

If the PIX you have has a DMZ port as well as WAN and LAN ports, and the PIX is also used for internet access to the LAN (not through the windows box), then putting the windows box on the DMZ is probably best.

How does this part of your network work?

PIX has only two interfaces: Outside/Inside.

For the sake of clarity, I call the inside of PIX "DMZ" and use "inside" to describe my internal network. The network looks like the following:

Internet---Router----PIX(outside)----PIX----PIX(DMZ/Inside)

DMZ Side of Windows(RRAS)-----Windows Server----Inside of Windows Server

Other non_VPN traffic only goes to DMZ and the proper ports are already open. The servers housed here typically have a connection to the inside, i.e., mail/web.

The clients on the outside go through Internet and use the Cisco PIX VPN client version 4.0.5.B to connect to the outside of PIX. PIX will give these clients an IP address and establishes a secured/3DES…..tunnel.

With our current configuration, the user “dials” into the RRAS box and authenticate and picks up an IP address handed to him by RRAS. I am trying to eliminate this second dialing by connecting the PIX and Windows box either through a tunnel or directly.

Windows box Inbound/Outbound access and "nat'ing" has been created. How does the client that's VPN'd into PIX access the internal resources?

I was under the impression that you wanted to replace the PIX vpn connection with a direct-to-windows VPN connection? Or are you just looking for a better way to have the windows server authenticate people connecting to the PIX?

If I were to set this up from scratch, and I wanted to use the windows box VPN (and the native windows VPN client), then I'd just forward the VPN traffic as outlined on that Microsoft webpage.

If I wanted to use the PIX, and just use windows authentication, then I'd look at *just* a Radius server on the windows box (for authentication), and maintain a pool on the PIX itself... (although that pool can be retrieved from Windows as well supposedly, but I haven't gone that far myself).

We want to continue using the Cisco PIX VPN client. After the connection to PIX is made, the client receives an IP address. Now what? How can this client get to the inside of my network?

Yes, RRAS server can authenticate and hand this guy an IP address from the inside network (the client will have to use the windows PPTP connection since the IPSec is used by PIX VPN Client). This does work. We are trying to improve upon this…

In that case then, you want to use the window box with RRAS, because the PIX alone would dump the users into the DMZ rather than the inside network?

If RRAS supports tunnels (like gre tunnels), you could setup a tunnel between the PIX and the RRAS machine and in the route tables make sure that the PIX client's IP addresses are routed over the tunnel to the windows machine where they are then 'dumped' into the inside network. However this probably isn't the best solution.

In fact your real problem stems from the fact that you're using the PIX for the wrong job. The PIX is designed to separate your WAN from LAN. In your case, it'd be best if you had a second PIX (so it'd go Internet > PIX > DMZ > PIX2 > inside LAN). In this way you'd set the first PIX to simply port forward the VPN traffic through to PIX2. Another solution would be to use some sort of router rather than the first PIX in the same setup.

You could also look into a new firewall appliance with 3 interfaces (LAN/WAN/DMZ) rather than the 2 the PIX you have provides.

At this point I'd suggest researching anew, a process for setting this up in the manner I suggested above, maybe looking for help getting the PIX doing what I've described...
