VPN 3.x client and Network Neighborhood

dadams
Level 1

What do I need to do to get the Cisco VPN Client 3.x to show computers in the remote network neighborhood?

I'm testing it on a Win 98 PC, but need it to work on Win 95, NT, 2000, and XP.

29 Replies

travis-dennis_2
Level 7

For starters, make sure "File and Print Sharing" and "Client for MS Networks" are turned on. Hmmmm... seems like that's my answer for everything... go figure.

File and Printer Sharing is turned on. Client for MS Networks is installed as well, but I still cannot browse the Network Neighborhood. On the PIX, I have:

access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.252.0 255.255.255.0

Do I also need to permit some UDP ports?

On the Windows 98 PC, are you logging onto the domain?

I was, but now I'm getting "no domain controller was available".

Below is my PIX config:

nj-pix1a(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 private security10
enable password 8TtHic.igNQfxtlP encrypted
passwd 8A8GWRAN7wD/EokS encrypted
hostname nj-pix1a
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20-21
no names
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.253.0 255.255.255.0
access-list 201 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 301 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered emergencies
logging trap emergencies
logging history emergencies
logging host inside 199.0.8.6
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu private 1500
ip address outside 63.174.66.3 255.255.255.0
ip address inside 199.0.0.30 255.255.255.0
ip address dmz 199.0.1.1 255.255.255.0
ip address private 199.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptppool 10.0.253.1-10.0.253.254
ip local pool ipsecpool 10.0.254.1-10.0.254.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 63.174.66.4
failover ip address inside 199.0.0.31
failover ip address dmz 199.0.1.2
failover ip address private 199.1.1.2
failover link private
pdm history enable
arp timeout 14400
global (outside) 1 63.174.66.5 netmask 255.255.255.0
global (dmz) 1 199.0.1.5 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 199.0.1.0 255.255.255.0 0 0
static (dmz,outside) 63.174.66.10 199.0.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.20 199.0.0.197 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.123 199.0.0.123 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.16 199.0.0.16 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.228 199.0.8.228 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.252 199.0.8.252 netmask 255.255.255.255 0 0
static (inside,dmz) 199.0.0.0 199.0.0.0 netmask 255.255.255.0 0 0
static (inside,outside) 63.174.66.127 199.0.0.127 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.113 199.0.0.113 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.231 199.0.0.231 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.66 199.0.0.66 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.142 199.0.0.142 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 63.174.66.10 eq www any
conduit permit tcp host 63.174.66.20 eq smtp any
conduit permit tcp host 63.174.66.20 eq 135 any
conduit permit tcp host 63.174.66.20 eq 1225 any
conduit permit tcp host 63.174.66.20 eq 1226 any
conduit permit tcp host 63.174.66.20 eq www any
conduit permit udp host 63.174.66.5 eq isakmp any eq isakmp
conduit permit tcp host 63.174.66.5 eq 256 any eq 500
conduit permit esp host 63.174.66.16 any
conduit permit ah host 63.174.66.16 any
conduit permit udp host 63.174.66.16 any
conduit permit tcp host 63.174.66.228 eq 3398 any
conduit permit tcp host 63.174.66.228 range ftp-data ftp any
conduit permit ip host 63.174.66.254 any
conduit permit ip host 63.174.66.252 any
conduit permit tcp host 63.174.66.123 eq 256 any
conduit permit udp host 63.174.66.123 eq isakmp any
conduit permit esp host 63.174.66.123 any
conduit permit ah host 63.174.66.123 any
conduit permit tcp host 199.0.0.197 eq smtp any
conduit permit tcp host 63.174.66.127 eq 1723 any
conduit permit tcp host 63.174.66.113 eq 1723 any
conduit permit gre host 63.174.66.113 any
conduit permit tcp host 63.174.66.231 eq 1723 any
conduit permit gre host 63.174.66.231 any
conduit permit tcp host 63.174.66.66 eq 1723 any
conduit permit gre host 63.174.66.66 any
conduit permit tcp host 63.174.66.142 eq 1723 any
conduit permit gre host 63.174.66.142 any
conduit permit tcp host 63.174.66.123 eq 1723 any
conduit permit gre host 63.174.66.123 any
route outside 0.0.0.0 0.0.0.0 63.174.66.128 1
route outside 192.168.2.0 255.255.255.0 65.101.39.169 1
route inside 199.0.0.0 255.255.0.0 199.0.0.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 199.0.8.6
snmp-server location DUR-NJ-US
snmp-server contact Mario Benitez
snmp-server community TUMI-US
snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address 201
crypto map dyn-map 10 set peer 65.101.39.169
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 11 ipsec-isakmp
crypto map dyn-map 11 match address 301
crypto map dyn-map 11 set peer 139.4.21.81
crypto map dyn-map 11 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 65.101.39.169 netmask 255.255.255.255
isakmp key ******** address 139.4.21.81 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ipsecpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool ipsecpool
vpngroup test dns-server 199.0.0.127
vpngroup test wins-server 199.0.0.127
vpngroup test default-domain tumi.com
vpngroup test idle-time 1800
vpngroup test password ********
telnet 199.0.0.127 255.255.255.255 inside
telnet 199.0.8.6 255.255.255.255 inside
telnet 199.0.8.41 255.255.255.255 inside
telnet 199.0.0.40 255.255.255.255 inside
telnet 199.0.0.127 255.255.255.255 dmz
telnet 199.0.8.6 255.255.255.255 dmz
telnet 199.0.8.41 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 private
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptppool
vpdn group 1 client configuration wins 199.0.8.3 199.0.0.127
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username MARK password MARK
vpdn username TUMI\PPTPTest password PPTP
vpdn username TUMI_GERMANY\PPTPTest password PPTP
vpdn username GCS-NASHUA password condor
vpdn username TUMI\MARK password MARK
vpdn username SLW\SLW-VPN-PPTP password SLW-VPN-PPTP
vpdn username TUMI-VPN password charliec
vpdn username TUMI\TUMI-VPN password charliec
vpdn enable outside
terminal width 150
Cryptochecksum:50b02a3186e73bb06a100c2f8ce46122
: end
[OK]

Note: I am also trying to support Cisco Secure VPN client 1.1 until we get the new VPN client working.

I have the VPN client working (at least on Win98) and browsing the Network Neighborhood. I think the key to browsing the Network Neighborhood is to release the IP address bound to network adapters in the remote PC. In Win 98, there is a registry hack that does this; not sure on Win95, Win2k, or XP. Since I'm not exactly sure what statements are needed in the PIX config, I'm not posting it now. As soon as I figure out which ones are not needed, I'll post a copy of my config.

Hi,

Are you able to ping your WINS server through the VPN connection?

Regards,

Ron

Your PIX is configured for PPTP. You have listed your outside and inside IPs. Your network topology would not be hard to figure out. You have also listed your PPTP usernames and passwords.

When posting to the Internet, always mask your real IPs and all passwords.

I would consider these passwords compromised, and change them immediately.
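The advice above (mask real IPs and all passwords before posting) is easy to automate. The script below is an added example for this thread, not Cisco's or the poster's code; the command shapes it redacts (enable password, passwd, vpdn username ... password, vpngroup ... password, isakmp key, snmp-server community) are taken from the posted config, while the sample lines, the secret values in them and the placeholder format are constructed.

```python
"""Redact a PIX config before posting it (added example, not Cisco code).

Command shapes follow the config posted above; sample lines are constructed.
"""
import ipaddress
import re

# Commands whose trailing argument is a secret: blank it, keep the command readable.
SECRET_PATTERNS = [
    (re.compile(r"^(enable password |passwd )(\S+)"), r"\1<REDACTED>"),
    (re.compile(r"^(vpdn username \S+ password )(\S+)"), r"\1<REDACTED>"),
    (re.compile(r"^(vpngroup \S+ password )(\S+)"), r"\1<REDACTED>"),
    (re.compile(r"^(isakmp key )(\S+)"), r"\1<REDACTED>"),
    (re.compile(r"^(snmp-server community )(\S+)"), r"\1<REDACTED>"),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def redact_config(text: str) -> tuple[str, dict[str, str]]:
    """Return the redacted config and the IP pseudonym map (keep the map private).

    Public addresses get a stable placeholder so helpers can still follow the
    topology; RFC 1918 pools, netmasks and 0.0.0.0 reveal nothing and stay.
    """
    pseudonyms: dict[str, str] = {}

    def mask(match: re.Match) -> str:
        ip = match.group(1)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. an octet above 255 on a mistyped line
            return ip
        if not addr.is_global:
            return ip
        return pseudonyms.setdefault(ip, f"<PUBLIC-IP-{len(pseudonyms) + 1}>")

    out = []
    for line in text.splitlines():
        for pattern, repl in SECRET_PATTERNS:
            line = pattern.sub(repl, line)
        out.append(IPV4.sub(mask, line))
    return "\n".join(out), pseudonyms

# Constructed sample modelled on the posted config (not the real secrets).
SAMPLE = """\
enable password AbCd1234EfGh5678 encrypted
ip address outside 63.174.66.3 255.255.255.0
ip address inside 199.0.0.30 255.255.255.0
ip local pool ipsecpool 10.0.254.1-10.0.254.254
vpdn username TUMI\\PPTPTest password s3cret
isakmp key ******** address 65.101.39.169 netmask 255.255.255.255
"""
```

Note that the poster's "inside" 199.0.0.0/16 space is publicly routable, so it is masked along with the outside addresses, which is exactly what the reply above asks for.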

Thank you for telling me.

kjawaid
Cisco Employee

Hmm... if I recall correctly, I had to allow UDP ports 137, 138 and 139 on my PIX some time ago... to make this work...

Not too sure now, since it's been some time since I've worked on this part.

Since Network Neighbourhood uses NetBIOS broadcasts for name resolution and for locating the computers within its reach, you may need to allow this protocol. Remember the master browser stuff and all that.

Try allowing the NetBIOS protocols by allowing protocols 137, 138 and 139, as the last post said.

0.02 Cent

Oletu

Also make sure you have "Client for MS Networks" and "File and Print Sharing" on.

I have succeeded in getting the VPN client to work on Win95, Win98, and XP; haven't tried on Win2k yet, don't expect any problems.

To browse the network, the VPN client must be able to route to the PDC (domain master browser); I had a routing issue preventing that at first; once I fixed that, browsing was not a problem.

I did not set up any new conduits for UDP ports (see my previously posted config) so I don't think they are necessary. Perhaps this is because I have a WINS server on the segment that the VPN client connects to. My PDC is also a WINS server.

There are a few kinks to getting the VPN client to work that Cisco doesn't mention in their documentation. I already mentioned the Win 95/98 registry hack to release DHCP leases at shutdown. On XP, you must set the DUN entry for use by anyone or you can't select it in the VPN client. To browse the network, you must manually enable Client for MS Networks. You also have to go into the Internet Protocol (TCP/IP) advanced properties and enable NetBIOS over TCP. The default settings on these two are off. It would be nice if Cisco would include this info in their documentation (hint, hint).
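Two earlier replies suggest opening UDP 137/138 and TCP 139, while the post above reports that no extra conduits were needed. A quick way to settle that for a given config is to evaluate the NetBIOS flows against the access-list that defines the tunnel traffic (access-list 101 here, used by nat 0; the posted config also has sysopt connection permit-ipsec, so traffic arriving through the IPsec tunnel is not subject to the conduits). The evaluator below is an added example, not Cisco's or the poster's code: the three entries are copied from the posted config, and the WINS host and pool-client addresses in the report are constructed.

```python
"""Which access-list entry permits a flow? (added example, not Cisco code)

Parses the `access-list <id> permit|deny <proto> <src> <mask> <dst> <mask> [eq <port>]`
form from the posted config: first match wins, implicit deny, "ip" matches any protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # destination port for tcp/udp; None means any

def parse_entry(line: str) -> Entry:
    """Parse one line; PIX access-lists take ordinary subnet masks, not wildcards."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
    dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=False)
    port = int(tok[9]) if len(tok) > 9 and tok[8] == "eq" else None
    return Entry(tok[1], tok[2], tok[3], src, dst, port)

def first_match(entries, acl, proto, src, dst, dport=None) -> Optional[Entry]:
    """Return the first entry of `acl` matching the flow, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.acl != acl or e.proto not in ("ip", proto):
            continue
        if s in e.src and d in e.dst and (e.port is None or e.port == dport):
            return e
    return None

# The nat 0 access-list from the posted config (inside network -> VPN pools).
ACL_LINES = [
    "access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0",
    "access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.254.0 255.255.255.0",
    "access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.253.0 255.255.255.0",
]
ENTRIES = [parse_entry(line) for line in ACL_LINES]
NETBIOS = [("udp", 137), ("udp", 138), ("tcp", 139)]

def netbios_report(entries, wins_host="199.0.0.127", client="10.0.254.5"):
    """Map each NetBIOS flow (WINS/PDC host -> pool client) to the entry covering it."""
    return {f"{p}/{port}": first_match(entries, "101", p, wins_host, client, port) for p, port in NETBIOS}
```

For the posted entries every NetBIOS flow toward the ipsecpool range is already covered by a permit ip line, whereas a client outside the listed pools (for example the 10.0.252.0/24 range from the first post) falls through to the implicit deny.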

Hi,

Quick question. By enabling these ports, would that make you more susceptible to DoS attacks?

Gene

Gene_vinyard@di-mgmt.com

brent.siler
Level 1

We run a pure TCP/IP network, do not have any MS BIOS protocol running, and do not have any of the ports open that have been posted in this mail list (I would not open them for security reasons).

We use a Cisco VPN 3005 with Triple-DES. If you contact me directly I would be more than happy to share some of our setup.
