PIX 501 - VPN - Basic

mike_1525
Level 1

Hi,

I'm considering setting up a PPTP VPN on a Win2k server behind a PIX 501 firewall (+ NAT) with only 1 static IP. I will also need to have at least 2 - 3 Terminal Server clients connected simultaneously.

Terminal service will run through vpn tunnel.

Can this be achieved? A local tech. told me I need at least 2 IP addresses.

Thanks

Mike

1 Accepted Solution

Accepted Solutions

gfullage
Cisco Employee

For terminal services you can do this with just one IP assigned to the outside interface of the PIX; you simply create a port-mapped static for port 3389 thru to the inside device.

For PPTP however, you need a separate IP address, different from the one assigned to the PIX outside int. This is because PPTP uses two protocols, TCP/1723 and GRE. You can create a port-mapped static for TCP/1723 through to the PPTP server, but you can't do it for GRE. This is because GRE is not a TCP/UDP protocol, it sits right on top of IP, and therefore has no port number to map through. You need a unique IP address and map that through. Your config would look something like this:

access-list inbound permit tcp any host 200.1.1.1 eq 1723
access-list inbound permit gre any host 200.1.1.1
access-group inbound in interface outside
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

where 200.1.1.1 is your second routable IP address (different to the PIX outside int), and 10.1.1.1 is your inside PPTP server.

If you really only want to use one IP address, why not set the PIX itself up as a PPTP server and terminate your connections on that. The PPTP client will simply terminate onto the PIX outside IP address, and you won't need any others.

See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for details.
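As an added example (not code from the original thread), a small Python model of the PIX translation lookup that shows the point made above: a port-mapped static can carry TCP/3389 and TCP/1723, but a GRE packet carries no port and so can only match a one-to-one static on its own outside address. It assumes the `interface` keyword form of the port-mapped static and a constructed outside interface address of 200.1.1.2; the inbound access-list from the reply is not modelled.

```python
# Added example, not from the original thread: a toy model of the PIX translation
# lookup showing why a port-mapped static serves TCP/3389 and TCP/1723 but GRE can
# only match a one-to-one static. The "interface" keyword form of the port-mapped
# static and the outside address 200.1.1.2 are assumptions, not from the post.
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IF_IP = "200.1.1.2"  # constructed: the PIX outside interface address

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str                      # "tcp", "udp" or "gre"
    dst_port: Optional[int] = None  # GRE (IP protocol 47) has no port field

@dataclass(frozen=True)
class Static:
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None     # None: one-to-one static, any IP protocol
    port: Optional[int] = None

def parse_static(line: str) -> Static:
    """Parse the two PIX 6.x static forms used in this thread, e.g.
    static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 10.1.1.2 3389 netmask 255.255.255.255
    """
    f = line.split()
    if len(f) < 5 or f[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    if f[2] in ("tcp", "udp"):  # port-mapped static
        outside = OUTSIDE_IF_IP if f[3] == "interface" else f[3]
        return Static(outside, f[5], f[2], int(f[4]))
    return Static(f[2], f[3])   # one-to-one static

def translate(pkt: Packet, statics: List[Static]) -> Optional[str]:
    for s in statics:
        if s.outside_ip != pkt.dst_ip:
            continue
        if s.proto is None:     # 1:1 static matches every protocol, GRE included
            return s.inside_ip
        if s.proto == pkt.proto and s.port == pkt.dst_port:
            return s.inside_ip  # TCP/UDP matched on protocol and port
    return None                 # a GRE packet has no port, so nothing matches

# Constructed config: terminal server via a port static, PPTP via a 1:1 static.
STATICS = [parse_static(line) for line in (
    "static (inside,outside) tcp interface 3389 10.1.1.2 3389 netmask 255.255.255.255",
    "static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255",
)]
```

Running translate() on a GRE packet addressed to the outside interface returns None, which is the failure the reply describes; the same packet addressed to the second routable IP lands on the inside PPTP server.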
