06-29-2004 11:03 AM - edited 02-21-2020 01:13 PM
Hi,
I'm considering setting up a PPTP VPN on a Win2k server behind a PIX 501 firewall (+ NAT) with only 1 static IP. I will also need to have at least 2 - 3 Terminal Server clients connected simultaneously.
Terminal service will run through vpn tunnel.
Can this be achieved? A local tech told me I need at least 2 IP addresses.
Thanks
Mike
06-29-2004 06:10 PM
For terminal services you can do this with just one IP assigned to the outside interface of the PIX; you simply create a port-mapped static for port 3389 thru to the inside device.
For PPTP however, you need a separate IP address, different from the one assigned to the PIX outside int. This is because PPTP uses two protocols, TCP/1723 and GRE. You can create a port-mapped static for TCP/1723 through to the PPTP server, but you can't do it for GRE. This is because GRE is not a TCP/UDP protocol, it sits right on top of IP, and therefore has no port number to map through. You need a unique IP address and map that through. Your config would look something like this:
access-list inbound permit tcp any host 200.1.1.1 eq 1723
access-list inbound permit gre any host 200.1.1.1
access-group inbound in interface outside
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
where 200.1.1.1 is your second routable IP address (different to the PIX outside int), and 10.1.1.1 is your inside PPTP server.
If you really only want to use one IP address, why not set the PIX itself up as a PPTP server and terminate your connections on that. The PPTP client will simply terminate onto the PIX outside IP address, and you won't need any others.
See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for details.
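The following is an added illustration of the point made in the answer above; it is not from the thread or from Cisco. It builds a few raw IPv4 packets, parses them the way a NAT device must, and applies two kinds of static translation modelled on the PIX commands quoted in the answer: a port-mapped static on the PIX outside address for TCP/3389, and a one-to-one static from 200.1.1.1 to 10.1.1.1. The addresses 200.1.1.1 and 10.1.1.1 come from the thread; the PIX outside address 200.1.1.2, the terminal server 10.1.1.2 and the remote client 198.51.100.7 are constructed for the example. The access-list is not modelled, only the translation step.

```python
"""Why a port-mapped static works for TCP/3389 and TCP/1723 but not for GRE.

Added illustration, not from the forum thread or from Cisco. It builds raw
IPv4 packets, parses them as a NAT device must, and applies two kinds of
static translation modelled on the PIX commands in the answer.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47           # GRE rides directly on IP; there is no transport header

PIX_OUTSIDE = "200.1.1.2"  # assumed PIX outside interface address
PPTP_PUBLIC = "200.1.1.1"  # second routable address from the thread
PPTP_SERVER = "10.1.1.1"   # inside PPTP server from the thread
TS_SERVER = "10.1.1.2"     # assumed inside terminal server


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP header with SYN set; the ports are the first four bytes."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_pptp_gre() -> bytes:
    """Enhanced GRE header as used by PPTP (RFC 2637): K and S bits set,
    version 1, protocol 0x880B (PPP), payload length 0, call ID 1, seq 0.
    There is no port field anywhere in it."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)


@dataclass
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_flow(packet: bytes) -> Flow:
    """Extract what a NAT device can key on: addresses, IP protocol, and L4
    ports when (and only when) the protocol is TCP or UDP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = packet[ihl:]
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return Flow(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)


# Translation rules modelled on the PIX statics discussed in the answer:
#   port-mapped static: PIX outside IP, TCP/3389  -> terminal server
#   one-to-one static:  200.1.1.1 (whole address) -> 10.1.1.1
RULES = [
    {"kind": "port-mapped", "outside": PIX_OUTSIDE, "proto": IPPROTO_TCP,
     "port": 3389, "inside": TS_SERVER},
    {"kind": "one-to-one", "outside": PPTP_PUBLIC, "inside": PPTP_SERVER},
]


def translate(flow: Flow, rules=RULES) -> Optional[str]:
    """Return the inside address an inbound packet is forwarded to, or None
    when no static matches it (the PIX would then drop the packet)."""
    for rule in rules:
        if rule["outside"] != flow.dst:
            continue
        if rule["kind"] == "one-to-one":
            return rule["inside"]      # whole address maps, any IP protocol
        if flow.dport is None:
            continue                   # no port to compare: a port-mapped rule cannot match
        if rule["proto"] == flow.proto and rule["port"] == flow.dport:
            return rule["inside"]
    return None


def demo() -> dict:
    """Run the four cases from the thread through the model."""
    client = "198.51.100.7"  # constructed remote client address (TEST-NET-2)
    cases = {
        "rdp_to_pix_ip": build_ipv4(IPPROTO_TCP, client, PIX_OUTSIDE, build_tcp_syn(40000, 3389)),
        "gre_to_pix_ip": build_ipv4(IPPROTO_GRE, client, PIX_OUTSIDE, build_pptp_gre()),
        "pptp_ctrl_to_2nd_ip": build_ipv4(IPPROTO_TCP, client, PPTP_PUBLIC, build_tcp_syn(40001, 1723)),
        "gre_to_2nd_ip": build_ipv4(IPPROTO_GRE, client, PPTP_PUBLIC, build_pptp_gre()),
    }
    return {name: translate(parse_flow(pkt)) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:20} -> {target}")
```

Running it shows TCP/3389 to the PIX outside address reaching the terminal server through the port-mapped static, GRE to the PIX outside address matching nothing because the parser finds no port to compare, and both TCP/1723 and GRE to 200.1.1.1 reaching 10.1.1.1 through the one-to-one static, which is exactly why the second address is needed for PPTP.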