09-16-2004 06:17 PM - edited 02-20-2020 11:38 PM
Windows XP-PPTP/L2TP client---PIX Outside---PIX Inside---Windows2K3(RRAS)----Rest of the network.
We currently have a working VPN client access back to our network.
Our users use either a dialup or a broadband connection to connect to PIX using
the 4.0.5.A client software. Then they will connect (PPTP) to our network
(Split Tunnel), get an IP address from the PPTP server (Windows 2000 or Windows 2003)
get on the network and everybody is happy.
We also have PIX-to-LinkSys VPN tunnel setup at a few small remote locations.
In those offices our users only connect to the same PPTP server, get authenticated,
get an IP address, get on the network and everyone is happy.
Due to some drop-off problems with the 4.0.5.A client software, we are looking at other
alternatives. One of the solutions we are interested in is creating a tunnel between the
PIX and Windows box running the PPTP/L2TP server (RRAS). Allow the client to use their Windows
dialup profile to connect to the outside interface of PIX and "pass through" to get to the
Windows box, get authenticated, pick up an IP address and be... you guessed it, Happy.
In my research I have come across the following knowledge base articles:
249278, 249067, 249125 - I know what we are trying to do is doable, we
just don't know how to make it happen. This all started when we tried to change the second
connection from PPTP to L2TP. Since PIX VPN client grabbed the IPSec ports
we could not do this.
One more issue - We want to use a pre-shared key instead of a certificate from a CA.
Any help with a white paper or knowledge base article or how-to will be
greatly appreciated.
Processes running on an XP box. Note process 648 and 1196.
Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
Idle 0 0 1 0 20 0:00:00.000 0:19:49.360 0:00:00.000
System 4 8 73 371 216 0:00:00.000 0:00:05.027 0:00:00.000
smss 1052 11 3 21 496 0:00:00.010 0:00:00.050 0:22:23.571
csrss 1108 13 11 584 1920 0:00:01.021 0:00:03.434 0:22:18.875
winlogon 1136 13 21 530 3456 0:00:03.274 0:00:00.580 0:22:16.211
services 1180 9 20 365 3368 0:00:00.640 0:00:02.493 0:22:13.797
lsass 1196 9 18 378 2204 0:00:00.300 0:00:00.190 0:22:13.747
cvpnd 648 8 6 259 11712 0:00:00.420 0:00:00.240 0:21:53.618
Before Cisco VPN client makes a connection:
C:\>netstat -p UDP -n -a -o | findstr 500
UDP 0.0.0.0:500 *:* 1196
Process 1196 (lsass) controls the IPSec port. After the Cisco VPN connection is made:
C:\>netstat -p UDP -n -a -o | findstr 500
UDP 0.0.0.0:500 *:* 648
UDP 0.0.0.0:4500 *:* 648
Process 648 (cvpnd) controls the IPsec ports. If you try to activate the "IPSEC Services" at
this time, it will fail with event ID 7023:
"The IPSEC Services service terminated with the following error:
Only one usage of each socket address (protocol/network address/port)
is normally permitted."
I have a case opened with Cisco support so if anybody has seen this question
please forgive me.
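The netstat check in the post above is the quickest way to confirm which process holds UDP 500/4500 before and after the Cisco client connects. The script below is an added example (not from the original post or from Cisco) that automates that check: it parses `netstat -p UDP -n -a -o` style output, maps the owning PID back to a process name, and reports the condition that produces event 7023 (a process other than lsass holding an IKE port). The two netstat captures and the PID-to-name map are constructed from the figures in the post; on a live box you would feed it the real `netstat` output.

```python
"""Report which process owns the IKE ports (UDP 500 and 4500) from netstat output.

Added example. The netstat text and the PID/name table below are constructed
from the values quoted in the post; they are not live captures.
"""
import re

# Constructed sample: before the Cisco VPN client connects, lsass (PID 1196) owns UDP 500.
NETSTAT_BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1196
"""

# Constructed sample: after the client connects, cvpnd (PID 648) owns UDP 500 and 4500.
NETSTAT_AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    648
  UDP    0.0.0.0:4500           *:*                                    648
"""

# Constructed PID-to-name map standing in for the process listing in the post.
PROCESSES = {1196: "lsass", 648: "cvpnd"}

# ISAKMP and IPsec NAT-T; the Windows IPSEC Services service needs to bind both.
IKE_PORTS = (500, 4500)

# Matches "UDP <addr>:<port> *:* <pid>"; header and TCP lines do not match.
_UDP_LINE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")


def parse_udp_listeners(text):
    """Return {local_port: owning_pid} for every UDP socket line in the output."""
    owners = {}
    for line in text.splitlines():
        m = _UDP_LINE.match(line)
        if m:
            owners[int(m.group(2))] = int(m.group(3))
    return owners


def ike_port_report(text, processes):
    """Map each IKE port to (pid, process name); (None, None) when nothing is bound."""
    owners = parse_udp_listeners(text)
    report = {}
    for port in IKE_PORTS:
        pid = owners.get(port)
        report[port] = (pid, processes.get(pid)) if pid is not None else (None, None)
    return report


def ipsec_service_conflict(text, processes, service_name="lsass"):
    """True when a process other than the Windows IPsec service holds an IKE port.

    This is exactly the state in which starting IPSEC Services fails with
    event 7023 ("Only one usage of each socket address ... is normally permitted").
    """
    return any(
        name is not None and name != service_name
        for _, name in ike_port_report(text, processes).values()
    )


if __name__ == "__main__":
    for label, capture in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(label, ike_port_report(capture, PROCESSES),
              "conflict" if ipsec_service_conflict(capture, PROCESSES) else "ok")
```

Run it against real output with `netstat -p UDP -n -a -o > ports.txt` and pass the file contents to `ike_port_report`; the PID-to-name map can come from `tasklist` on a modern Windows host.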
09-22-2004 12:45 PM
For configuring the PIX firewall for PPTP, you could refer to the following documents:
Configuring the Cisco Secure PIX Firewall to Use PPTP
Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec
09-24-2004 12:31 PM
I appreciate your feedback but what I am looking for is:
1. PIX has two interfaces, outside/DMZ. Windows Server has two interfaces: DMZ/Inside. The question is how to create a tunnel (L2TP or PPTP) between the DMZ interface of the PIX and the DMZ interface of the Windows Server 2003. Since they are in the same VLAN and on the same wire I wonder if I even need that....
2. When the XP client initiates an L2TP connection to PIX outside, I want that traffic to pass through PIX to Windows server and onto the inside network. Picking up an IP address from the Windows box and have all the proper routing in place to make this work.
Thanks again for your reply.
10-05-2004 12:28 PM
Seems to me that for 1) you don't need a tunnel. If your Windows box is on the 'outside' of your LAN, then why a second tunnel to put win client to win server traffic on? It's redundant.
For 2) you should only need to forward the traffic on ports X and Y (where X and Y are the VPN traffic) to the Windows server. You'd do this the same way you forward any other traffic (forwarding port 80 to a web server, for example).
If you do this, then no other PIX-to-Windows Server tunnel seems necessary...
10-06-2004 06:09 PM
Shawn,
I am an appreciative person. So before I forget, if this solution indeed works, I will be glad to send you a gift certificate at your favorite restaurant.
Following your advice, I should need three things.
First, a static statement for the Windows box.
Second, modify my outbound access-list to allow the Windows box to go out.
Third, modify the inbound access-list to allow PIX clients subnet access to the Windows box.
But How do I make routing happen? Windows box is running Routing and Remote Access Server (RRAS). Any special configurations to allow access to the rest of my network behind the Windows box?
PIX Client > PIX <---> Windows <-----> to the inside of my network.
10-07-2004 05:10 AM
I'm not entirely familiar with the PIX, but if by 'static statement' you mean a setting on the PIX to forward ports from the PIX to the windows machine's IP then, yes (I think it does). Of course you'll want to make sure the windows box also has a static IP address...
Second, the access list statements you made sound good to me. I think you get the idea. Just to expand on it a bit, the outbound ACL should allow the windows box traffic of the type used by the VPN out to 'any'; and the inbound ACL should allow in traffic from 'any' to the windows box of the type used by the VPN. This site shows what ports you probably need for a windows native VPN setup: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und13.asp
As for 'making routing happen', let me see how your network looks now. From your description you have the internet connected to the PIX WAN port. The PIX LAN port is connected to the windows box only. The Windows box has a second NIC connected to the LAN. Is this correct? Another question arises: "is there non-VPN traffic going over the PIX to the LAN?" If so, additions to allow that traffic into the network might be needed.
If the PIX you have has a DMZ port as well as WAN and LAN ports, and the PIX is also used for internet access to the LAN (not through the windows box), then putting the windows box on the DMZ is probably best.
How does this part of your network work?
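The advice above boils down to: permit inbound only the flows the Windows VPN type actually uses, toward the RRAS box only, and nothing wider. The script below is an added example (not from the thread, not PIX syntax) that encodes the well-known inbound requirements for the two native Windows VPN types (PPTP: TCP 1723 plus GRE, IP protocol 47; L2TP/IPsec: UDP 500, UDP 4500 for NAT-T, plus ESP, IP protocol 50; UDP 1701 rides inside ESP) and checks a rule set for two problems: required flows that no rule permits, and permit rules that are broader than the VPN needs. The rule model and the server address 203.0.113.10 are constructed for the example.

```python
"""Check an inbound rule set against the flows a Windows RRAS VPN server needs.

Added example with a simplified, vendor-neutral rule model (not PIX syntax).
The server address and the rule sets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp", or "ip" for protocol-number traffic (GRE, ESP)
    port: Optional[int]             # destination port; None for GRE/ESP
    ip_proto: Optional[int] = None  # IP protocol number when proto == "ip"


# Well-known inbound requirements for the two native Windows VPN types.
REQUIRED = {
    "pptp": frozenset({Flow("tcp", 1723), Flow("ip", None, 47)}),       # control channel + GRE
    "l2tp-ipsec": frozenset({Flow("udp", 500), Flow("udp", 4500),       # IKE + NAT-T
                             Flow("ip", None, 50)}),                    # ESP carries L2TP/1701
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "gre", "esp", or "ip" (any protocol)
    src: str                    # "any" or an address
    dst: str                    # server address or "any"
    port: Optional[int] = None  # destination port for tcp/udp; None means any port


PROTO_NUMBERS = {"gre": 47, "esp": 50}


def rule_permits(rule, flow, server):
    """True when `rule` lets `flow` reach `server`."""
    if rule.action != "permit" or rule.dst not in (server, "any"):
        return False
    if rule.proto == "ip":                      # "permit ip" covers every flow
        return True
    if flow.proto == "ip":                      # GRE / ESP are matched by protocol number
        return PROTO_NUMBERS.get(rule.proto) == flow.ip_proto
    return rule.proto == flow.proto and rule.port in (flow.port, None)


def missing_flows(rules, vpn_type, server):
    """Required flows for `vpn_type` that no rule permits toward `server`."""
    return {f for f in REQUIRED[vpn_type]
            if not any(rule_permits(r, f, server) for r in rules)}


def over_broad_rules(rules, server):
    """Permit rules wider than a single VPN flow to the server."""
    return [r for r in rules if r.action == "permit" and (
        r.dst == "any"                                   # not pinned to the RRAS box
        or r.proto == "ip"                               # any protocol
        or (r.proto in ("tcp", "udp") and r.port is None))]  # any port


# Constructed rule sets. SERVER stands for the RRAS box's DMZ/public address.
SERVER = "203.0.113.10"
WEAK = [Rule("permit", "ip", "any", "any")]                      # works, but opens everything
INCOMPLETE = [Rule("permit", "tcp", "any", SERVER, 1723)]        # PPTP without GRE: tunnel never comes up
TIGHT_PPTP = [Rule("permit", "tcp", "any", SERVER, 1723),
              Rule("permit", "gre", "any", SERVER)]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("incomplete", INCOMPLETE), ("tight", TIGHT_PPTP)):
        print(name, "missing:", missing_flows(rules, "pptp", SERVER),
              "over-broad:", over_broad_rules(rules, SERVER))
```

The INCOMPLETE set is the classic PPTP mistake: TCP 1723 alone lets the client authenticate while the GRE data channel is dropped, so the connection appears to succeed and then passes no traffic. The WEAK set is what "just open it up" looks like, and is what the checker is there to catch.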
10-07-2004 08:41 AM
PIX has only two interfaces: Outside/Inside.
For the sake of clarity, I call the inside of PIX, DMZ and use inside to describe my internal network. The network looks like the following:
Internet---Router----PIX(outside)----PIX----PIX(DMZ/Inside)
DMZ Side of Windows(RRAS)-----Windows Server----Inside of Windows Server
Other non_VPN traffic only goes to DMZ and the proper ports are already open. The servers housed here typically have a connection to the inside, i.e., mail/web.
The clients on the outside go through Internet and use the Cisco PIX VPN client version 4.0.5.B to connect to the outside of PIX. PIX will give these clients an IP address and establishes a secured/3DES tunnel.
With our current configuration, the user dials into the RRAS box and authenticates and picks up an IP address handed to him by RRAS. I am trying to eliminate this second dialing by connecting the PIX and Windows box either through a tunnel or directly.
Windows box Inbound/Outbound access and NATing has been created. How does the client that's VPN'd into PIX access the internal resources?
10-07-2004 09:21 AM
I was under the impression that you wanted to replace the PIX vpn connection with a direct-to-windows VPN connection? Or are you just looking for a better way to have the windows server authenticate people connecting to the PIX?
If I were to set this up from scratch, and I wanted to use the windows box VPN (and the native windows VPN client), then I'd just forward the VPN traffic as outlined on that Microsoft webpage.
If I wanted to use the PIX, and just use windows authentication, then I'd look at *just* a Radius server on the windows box (for authentication), and maintain a pool on the PIX itself... (although that pool can be retrieved from Windows as well supposedly, but I haven't gone that far myself).
10-07-2004 10:12 AM
We want to continue using the Cisco PIX VPN client. After the connection to PIX is made, the client receives an IP address. Now what? How can this client get to the inside of my network?
Yes, RRAS server can authenticate and hand this guy an IP address from the inside network (the client will have to use the windows PPTP connection since the IPSec is used by PIX VPN Client). This does work. We are trying to improve upon this.
10-07-2004 12:04 PM
In that case then, you want to use the window box with RRAS, because the PIX alone would dump the users into the DMZ rather than the inside network?
If RRAS supports tunnels (like gre tunnels), you could setup a tunnel between the PIX and the RRAS machine and in the route tables make sure that the PIX client's IP addresses are routed over the tunnel to the windows machine where they are then 'dumped' into the inside network. However this probably isn't the best solution.
In fact your real problem stems from the fact that you're using the PIX for the wrong job. The PIX is designed to separate your WAN from LAN. In your case, it'd be best if you had a second PIX, (so it'd go Internet > PIX > DMZ > PIX2 > inside LAN). In this way you'd set the first PIX to simply port forward the VPN traffic through to PIX2. Another solution would be to use some sort of router rather than the first PIX in the same setup.
You could also look into a new firewall appliance with 3 interfaces (LAN/WAN/DMZ) rather than the 2 the PIX you have provides.
At this point I'd suggest researching anew, a process for setting this up in the manner I suggested above, maybe looking for help getting the PIX doing what I've described...