
DMZ to Inside Connection through a PIX 515 using PPTP

Apr 17, 2002
I am having trouble setting up the proper connections from my DMZ through my PIX 515 using PPTP to my Inside Network. I have a Windows 2000 Server set up on my DMZ to be a Terminal Server for my back-end Exchange Server, giving authenticated users e-mail access through their web browsers... Microsoft has done their jig about what the Win2K admins are going to have to do on their end, so now it is up to me to do the network stuff. I have conduits set for the ports they require (conduit permit tcp host (ip_host) eq 1723 any, & conduit permit gre host (ip_host) any).
Something is not working though.

Does vpdn have to be enabled on the DMZ interface, and if so, what other configurations would have to be made?

Hi.

First of all, placing the TS in the DMZ is quite risky if, from the TS, you will be able to access the inside network as you are planning.
I think that a better design would be to control access to the TS server using VPN (either terminating at the pix or at the server itself; terminating at the pix seems better to me).

The possible problem in your design is that if an attacker gains access to the TS, they can then easily access your whole internal network via the PPTP connection.

Consider the following design, but you should remember that VPN is also a door for attackers:
* TS is still in DMZ, and Exchange is still "inside" as it is now (of course placing the mail server in DMZ is better if applicable).
* You configure the pix to terminate the VPN tunnels - better with IPSEC+RADIUS but if not then using PPTP.
* The pix configuration will allow VPN clients access ONLY to port 3389 to the TS.
* You allow access from TS to internal Exchange server using only a specific protocol. I suggest using IMAP with Outlook Express client. This is good for email but not for calendar. If you need calendar then you can use OWA via HTTP, accessible only to "inside" and "DMZ".

* There are many other options, like direct OWA or IMAP or POP3 access via the VPN tunnel. Each solution is different in its complexity, risks, usefulness for the end user and other factors.

Relating to your specific questions:
You will need a "static (inside,dmz) ..." command to allow the TS in the DMZ to access the Exchange server on the "inside", using PPTP or any other protocol.
And no, VPDN does not need to be enabled on the DMZ interface. It should only be enabled on the outside interface for PPTP tunnels ENDING at the pix itself.

Oh, and I see that you're going to use TSAC so you probably have IIS on the TS, right? This is of course an additional major risk by itself. You did patch it with latest SRP right?

Bye
Yizhar Hurwitz
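The PIX 6.x configuration fragment below is an added illustration of the design described in the reply above; it is not from the original thread or from either poster. All addresses, names and the local pool are constructed placeholders: 192.168.2.10 is the TS in the DMZ, 172.16.1.20 is the Exchange server inside, and 192.168.100.0/24 is the pool handed to PPTP clients. It uses access-lists rather than the conduits in the question (both are accepted by PIX 6.x; access-lists are the newer form), terminates PPTP on the outside interface as the reply recommends, and permits only what the reply allows: VPN clients to port 3389 on the TS, and the TS to port 143 (IMAP) on Exchange.

```cisco
! --- Interfaces (constructed addressing; adjust to your network) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! --- Identity static so a DMZ host can reach the inside Exchange server ---
! A lower-security interface cannot initiate to a higher one without a static.
static (inside,dmz) 172.16.1.20 172.16.1.20 netmask 255.255.255.255 0 0

! --- DMZ -> inside: only the TS, only IMAP to Exchange ---
access-list dmz_in permit tcp host 192.168.2.10 host 172.16.1.20 eq 143
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! --- PPTP terminated on the PIX itself (VPDN on outside only) ---
ip local pool pptp-pool 192.168.100.1-192.168.100.50
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
! Hypothetical local account; use RADIUS instead where available.
vpdn username vpnuser1 password CHANGE-ME
vpdn enable outside
! Lets the PPTP control/GRE traffic reach the PIX without a separate permit.
sysopt connection permit-pptp

! --- VPN clients: RDP to the TS only ---
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 192.168.2.10 eq 3389
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two things to verify after applying it: `show xlate` should list the identity translation for 172.16.1.20 once the TS has tried to connect, and `show access-list` hit counts on the `deny ip any any` lines will show whether the TS or a VPN client is attempting anything outside the two permitted flows, which is the detection point for the compromised-TS scenario the reply describes. If the Exchange server is later moved into the DMZ, the `static (inside,dmz)` line and the `dmz_in` entry are no longer needed.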