PIX 501 passthrough with to a Win VPN Server

dennisvee · ‎09-14-2012

Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?

pix 6.3(5)

Outside staic IP - whatever 111.111.111.111

Inside 192.168.1.1

Win VPN server 192.168.1.10

Thanks to anybody that can help.

Note - I wnat to know if thi can be accomplished using PDM 3.0.4

This pix has to have a use other than a glorified 4 port switch

Jennifer Halim · ‎09-14-2012

Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.

Command line:

static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255

fixup protocol pptp 1723

access-list permit tcp any host 111.111.111.111 eq 1723

If you don't already have an access-list applied to outside interface, then you also need the following:

access-group in interface outside

Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:

static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255

Yes, it can be accomplished using PDM. But i have to apologize that i don't have a handy access to a PDM hence, i can only advise you on the configuration using CLI.

Hope that helps a little.

dennisvee · ‎09-14-2012

sh access-list (from PDM CLI)

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

So what would these commands be?

access-list permit tcp any host 111.111.111.111 eq 1723

access-group in interface outside

Jennifer Halim · ‎09-14-2012

Ok, since there is no existing access-list, then you can configure a new one as follows:

access-list outside-acl permit tcp any host 111.111.111.111 eq 1723

access-group outside-acl in interface outside