
501 Outbound PPTP across NAT w/dynamic ip


Guest_imported

Having read the Cisco documentation til I'm blue in the face, I think I might be trying the impossible on my PIX 501.

I am using NAT with an outside dynamic IP which is fine for ordinary traffic except PPTP. In attempting to use PPTP to FQDN'd PPTP servers (not static IPs), I seem to be beyond what the PIX offers (at least on v6.1(2)). Sonicwall appliances do this w/o a hitch <sigh>.

I know about GRE, the ports it uses, etc. What I can't figure out is how to configure the PIX to allow PPTP as above using NAT, pix-side dynamic ip and attempting to build a PPTP pipe to named PPTP servers.

Any suggestions? Would PIX v6.2(x) add a requisite feature?

Cheers,

David
 
I'd be very interested in knowing if anyone can answer this as it seems to be a rather common issue.
 
Yizhar,

Thanks for your response. I've come to see you as some kind of PIXen guru. ;^)

Best regards,

David
 
Actually you can do outgoing PPTP on a PIX 501. I know because I am doing it at home. One thing to remember is that the PIX 501 has the same os / feature set as its bigger brothers i.e. 515, 525 etc. The biggest difference is the interfaces in the 501 are fixed and not upgradeable and you are limited in the number of IPSEC tunnels and throughput.

So, to do outbound PPTP through a 501 with a dynamic routeable IP address you need to do the following:

1. create a static that looks like
static (inside,outside) PPTP_server netmask inside_workstation netmask

2. I believe you also need to allow either ISAKMP replies or GRE in on your external interface. -- Look for denied packets and modify accordingly.

The thing to remember about PPTP is that it requires a routeable NAT address vice what you currently have which is a routeable PAT address -- Cisco PIX speaking NAT = more than 1 IP addy and PAT = only 1. Thus, the need for the static statement above.

One thing to keep in mind is that if you have other workstations on your network, after you apply the static statement only the workstation you are PPTPing from will be able to pass traffic through the PIX until such time as you remove that static and type 'clear xlate' or 'clear xlate static'.

I wasn't clear from some of the above statements, but the 501 can run PIX os 6.2(2).


Tom
 
Tom,

Thanks for the info, but the static statement will not work as its format is:

static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0

Our PPTP servers' IPs change all the time and thus must use FQDNs (not IPs). The static statement doesn't allow for that.

The same is true with the statements to allow GRE responses such as:

access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5

If you know of another way, please share.

Thanks!

 
Sounds like you need to write a short perl script that would run periodically to check to see if the IP of the PPTP server has changed based on doing an nslookup on the FQDN. If the script found that it had changed it would log into the PIX and update accordingly.

This would be relatively trivial -- probably about 25 lines of code.

Tom
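Tom's periodic-check idea written out as an added example (not code from the thread, and in Python rather than Perl so it runs as-is): resolve the FQDN, compare with the last-seen address, and emit the PIX 6.x lines that swap the GRE permit entry for the new server address. The hostname `pptp.example.test`, the injectable `lookup` resolver and the `state` dict are assumptions; the NAT address, the ACL name and the `access-list ... permit gre` form come from the thread's own lines.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Values reused from the thread's own config lines (constructed sample, not real hosts).
NAT_IP = "209.165.201.5"   # routeable NAT address the static maps the inside PC to
ACL_NAME = "acl-out"       # ACL applied inbound on the outside interface

def resolve_pptp_server(fqdn: str,
                        lookup: Callable[[str], str] = socket.gethostbyname) -> str:
    """Resolve the PPTP server's FQDN and make sure the answer is a plain IPv4
    address before it is pasted into a PIX command: a DNS reply is untrusted
    input, so it is never spliced into the CLI unchecked."""
    addr = lookup(fqdn)
    return str(ipaddress.IPv4Address(addr))   # raises ValueError on anything else

def pix_update_commands(old_ip: Optional[str], new_ip: str,
                        nat_ip: str = NAT_IP, acl: str = ACL_NAME) -> List[str]:
    """PIX 6.x lines that replace the GRE permit for the old server address with
    one for the new address. The static (inside,outside) entry maps the inside
    workstation to a fixed NAT address, so it is left alone."""
    if old_ip == new_ip:
        return []                                  # nothing changed this run
    cmds: List[str] = []
    if old_ip:
        cmds.append(f"no access-list {acl} permit gre host {old_ip} host {nat_ip}")
    cmds.append(f"access-list {acl} permit gre host {new_ip} host {nat_ip}")
    # As suggested in the thread: clear translation slots so a stale xlate to the
    # old address is not kept alive (note this also drops other live sessions).
    cmds.append("clear xlate")
    return cmds

def check_once(fqdn: str, state: Dict[str, str],
               lookup: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """One periodic run: resolve, compare with the last-seen address kept in
    `state`, record the new one and return the commands the PIX needs."""
    new_ip = resolve_pptp_server(fqdn, lookup)
    cmds = pix_update_commands(state.get(fqdn), new_ip)
    state[fqdn] = new_ip
    return cmds

if __name__ == "__main__":
    # Offline demo with a constructed resolver instead of real DNS.
    fake_dns = {"pptp.example.test": "209.165.201.25"}
    seen: Dict[str, str] = {}
    for run in range(3):
        if run == 2:
            fake_dns["pptp.example.test"] = "209.165.201.30"   # server moved
        for line in check_once("pptp.example.test", seen, fake_dns.__getitem__):
            print(line)
```

Pushing the returned lines to the PIX (and saving with `write memory`) is the part left to the reader's chosen login method; the script only decides what must change.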
 