06-19-2006 05:00 PM - edited 02-21-2020 02:29 PM
Hi,
I have a PIX 515e running version 6.3(5). The PIX is the front-end firewall,
with the ISA 2004 connected to the inside interface of the PIX. However,
I want to use the ISA as the VPN server. Thus, I need the PIX to allow the
VPN traffic through to the ISA server so that it can authenticate and
create the tunnel.
Refer to the attached PIX config and setup diagram. Here is my setup:
Internet - PIX - ISA Server - LAN (DHCP, AD, Exchange 2003)
PIX external: x.x.x.166
PIX internal: 172.17.0.2
ISA external: 172.17.0.1
ISA internal: 172.16.0.253
Please provide the steps to allow the PIX to pass the VPN traffic to the ISA.
The DHCP server in the inside network of the ISA will allocate IPs for remote VPN clients.
PPTP is enabled on ISA 2004 with MS-CHAP v2 as authentication.
Without the PIX firewall, remote access VPN using PPTP worked fine.
Regards,
Prashanth
06-19-2006 07:04 PM
If the PIX is simply passing the PPTP packets through to an inside PPTP server, then you don't really need to do much on the PIX at all. It is just the same as allowing HTTP traffic through to an inside web server. So first of all get rid of all the "vpdn" type config on the PIX, that is only used if the PIX is terminating the PPTP VPN, which it is not.
Now, standard PIX connectivity says to allow packets from outside to inside you need a static and an access-list, of which you have neither. You will need to use another global IP address and map that through to the inside PPTP server, as such:
static (inside,outside) 202.93.208.46 172.17.0.1 netmask 255.255.255.255
Then allow PPTP traffic through to that address with:
access-list inbound permit tcp any host 202.93.208.46 eq 1723
access-list inbound permit gre any host 202.93.208.46
Then have your outside users connect to 202.93.208.46 and all should work fine.
06-19-2006 09:53 PM
Hi,
But there is only one public IP and it is currently used for PAT.
Can I have the configuration like this:
static (inside,outside) outside interface 172.17.0.1 netmask 255.255.255.255
access-list inbound permit tcp any host outside interface eq 1723
access-list inbound permit gre any host outside interface
06-19-2006 10:57 PM
No, because that then overlaps with your PAT config. You can't set up a static PAT translation either because the GRE packets are not TCP/UDP based. To do this I'm afraid you need a second public IP address, or you can forget about your users connecting to the inside server and have them connect directly to the PIX as the PPTP server. This will then provide them with internal access also. To set that up it will be the "vpdn" config you had previously.
06-19-2006 11:29 PM
Hi,
What about using L2TP/IPsec?
What access rule needs to be created on the PIX?
06-20-2006 12:51 AM
Have a look at the following document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml
The above uses RADIUS for authentication.
And also the following document from Zander Networks:
http://www.zandernetworks.co.uk/technotes/Tech%20Note%2004.pdf
Hope this helps
Jay
06-29-2006 04:45 PM
08-16-2006 08:09 AM
You can do this with a single IP doing PAT. First you create your static:
static (inside,outside) tcp PUBLICIP pptp PRIVATEIP pptp
where PRIVATEIP is the address of the ISA server. If you're using the outside interface of the PIX as the PUBLICIP, replace PUBLICIP with the keyword 'interface'.
Make sure you have the 'fixup protocol pptp 1723' in your config - this removes the need to create a GRE static mapping, as it will open the GRE ports dynamically as needed.
Then just make sure you have an ACL entry on the outside interface that allows PPTP to the public IP address.
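Putting the pieces of that last reply together in the order they would be entered, as an added example that is not from this thread or from Cisco documentation: it assumes the PIX outside address x.x.x.166 and the access-list name "inbound" used earlier in the thread, that the ISA external interface is 172.17.0.1, and that outbound PAT through the outside interface is already configured (shown only for context). Any leftover "vpdn" lines should be removed first, since they only apply when the PIX itself terminates PPTP.

```cisco
: Added example, not the original poster's config.
: x.x.x.166 is the PIX outside address as given in the thread; substitute the real one.
:
: Outbound PAT through the outside interface (assumed already present)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
:
: PPTP inspection: tracks the TCP 1723 control channel and opens the matching
: GRE (IP protocol 47) flow dynamically, so no separate GRE static is needed
fixup protocol pptp 1723
:
: Static PAT: forward only TCP 1723 arriving on the outside interface address
: to the ISA server's external interface
static (inside,outside) tcp interface pptp 172.17.0.1 pptp netmask 255.255.255.255
:
: Permit only the PPTP control channel inbound, to that one host and port;
: the fixup admits the GRE data channel only after a control session exists
access-list inbound permit tcp any host x.x.x.166 eq 1723
access-group inbound in interface outside
```

Two points worth checking after applying this: PIX 6.3 access-lists take a literal address rather than the "interface" keyword, so the real outside IP must appear in the access-list entry; and because the PPTP fixup opens GRE on demand, keeping the inbound rule limited to TCP 1723 on that single host is both sufficient and the narrowest exposure, whereas adding a broad "permit gre any" entry would admit GRE to the interface address at all times.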