
Do I need to enable GRE protocol port?


glory3321

IS-IT--Management
Aug 14, 2001
Do I need to enable the "fixup protocol gre 47" to enable PPTP using Microsoft Windows 98 and Windows 2000 clients?
 
Actually, there is no "fixup protocol gre 47" to my knowledge. Either way, you do not need it.

Bluecrack
 
BlueCrack,

Thanks for responding, Bluecrack; yes, my mistake.

Can you comment on this:

My internal network IP is 192.168.25.0 255.255.255.0
I set my PPTP local IP pool to 192.168.25.101 - 192.168.25.115.

Is it fine assigning the PPTP pool from the same subnet as my internal network? Maybe this is the routing problem, why I cannot ping the internal network over the PPTP connection.


Any comment?



 
Hello BlueCrack,


I noticed in the console logging file that it seems it does not allow pinging internally. Here is the log from the PIX.

106010: Deny inbound icmp src outside:192.168.20.150 dst inside:192.168.25.81 (type 8, code 0)
106011: Deny inbound (No xlate) tcp src outside:192.168.20.150/1237 dst outside


Here is the only access-list that I define on the PIX:

access-list japvpn permit ip 192.168.0.0 255.255.0.0 130.2.0.0 255.255.0.0


The NAT I define is
nat (inside) 0 access-list japvpn

conduit permit icmp any any

ip local pool pptp-pool 192.168.20.150-192.168.20.159


Everything seems to be fine, including login; the internal network can view the PPTP client.

However, the PPTP client cannot ping the internal network, being blocked by the PIX. Is there a way to allow the PPTP client to ping and access the resources of the internal network?

What command shall I use?

Thanks

Glory3321




 
The only other thing I can remember doing is adding an access-list to nat 0.

access-list pptp-list permit ip any host 192.168.20.150
access-list pptp-list permit ip any host 192.168.20.151
access-list pptp-list permit ip any host 192.168.20.152
access-list pptp-list permit ip any host 192.168.20.153
access-list pptp-list permit ip any host 192.168.20.154
access-list pptp-list permit ip any host 192.168.20.155
access-list pptp-list permit ip any host 192.168.20.156
access-list pptp-list permit ip any host 192.168.20.157
access-list pptp-list permit ip any host 192.168.20.158
access-list pptp-list permit ip any host 192.168.20.159
nat (inside) 0 access-list pptp-list

That should prevent packets from internal hosts from being NATed when they go to the VPN users.

What version of the PIX software are you running?
Bluecrack
 
Hi Bluecrack,


I added the above configuration but still no luck!

Do I need to add a "route inside" command such as

route inside 192.168.30.0 255.255.255.0 192.168.25.1 1

Where 192.168.25.1 is the router.

Thanks!

 
Let's back up a step. Is the problem that the VPN connection is not established? Or is the problem that, once the VPN connection is established, the VPN user cannot hit any server inside your network?

I believe the problem is the latter. If so, then you will need routes on the PIX to any subnet behind a router internally. More importantly, though, you need to be able to get those packets past the firewall.

You said you added the access-list and the nat 0 statement. What do the logs say now when a user connects and tries to hit a server inside the network?

Bluecrack
 
Hi BlueCrack,

After adding the access-list, it still gives me the same error. The PIX is not permitting it: 106010: Deny inbound icmp src outside.

Below is the config of my PIX firewall. I managed to connect the VPN PIX to PIX, but for PPTP I still cannot make it work.

Although the PPTP client (Windows client) can log in to the PIX, the PPTP client still cannot hit any internal server or client. Below is my config; maybe I am still missing something in the access-list.

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UMoJELdsuEIrsLkv encrypted
passwd DZ0dwapx1vD4rfD8 encrypted

hostname Pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol domain 25
fixup protocol http 8080

names
access-list testvpn permit ip 192.168.0.0 255.255.255.0 130.2.0.0 255.255.0.0
access-list testvpn permit ip any host 192.168.30.100
access-list testvpn permit ip any host 192.168.30.101
access-list testvpn permit ip any host 192.168.30.103


no logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500

ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.25.56 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.30.100-192.168.30.110
arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 0 access-list testvpn
nat (inside) 1 192.168.25.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0

conduit permit icmp any any
conduit permit gre any any
rip inside default version 1

route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 192.167.30.0 255.255.255.0 192.168.25.1 1
route inside 192.168.50.0 255.255.255.0 192.168.25.1 1
route inside 192.168.75.0 255.255.255.0 192.168.25.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact

snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat

crypto ipsec transform-set set1 esp-des esp-md5-hmac
crypto map vpn-traffic 10 ipsec-isakmp
crypto map vpn-traffic 10 match address testvpn
crypto map vpn-traffic 10 set peer x.x.x.x
crypto map vpn-traffic 10 set transform-set set1
crypto map vpn-traffic interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600

telnet 192.168.25.0 255.255.255.0 inside
telnet 130.2.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username xxxxxx
vpdn username xxxxxx
vpdn enable outside
terminal width 80
Cryptochecksum:489c591cedc1dc94e1034f5cc2976440
: end
[OK]
Pix506jpn#


 
First, I noticed a few things in the config.

1. Why do you have two NAT 1 statements that let the same traffic out? I would assume you could remove the first one and leave 'nat (inside) 1 192.168.0.0 255.255.0.0'.

2. Is this statement correct? 'route inside 192.167.30.0 255.255.255.0 192.168.25.1 1' Based on all your other routes I would assume you are using 192.168.x.x internally.

Next, I think the access-list testvpn may need to be changed. Try creating a new list like the following:

access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 host 192.168.30.100
access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 host 192.168.30.101
etc.

Then bind this access list to the NAT 0 statement. This way you can save your other access-list while you test. This access-list should permit vpn clients to hit hosts on the 192.168.25.x/24 subnet. You will need to add entries in the ACL to allow access to/from hosts on other subnets.

Finally, if you are using 192.168.30.x inside somewhere, then you should change the VPN clients to use something else, perhaps 192.168.31.x/24.

I hope this helps. I will check my pix 5.3(1) config when I get to work and compare it with yours.

Bluecrack
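As an added example (not part of this thread or of any Cisco tool), a small Python lint over a constructed config excerpt modelled on the posted one. It checks the three things raised above: whether the PPTP pool draws from the inside subnet (the earlier pool question), which pool addresses the NAT 0 exemption ACL fails to cover, and whether any 'route inside' destination falls outside RFC 1918 space (the 192.167.30.0 route). The line-oriented regex parsing and the RFC 1918 heuristic are my assumptions, not PIX behaviour.

```python
"""Lint a PIX-style config excerpt for three issues raised in this thread."""
import ipaddress
import re

# Constructed excerpt modelled on the abridged PIX 5.3(1) config posted above.
SAMPLE_CONFIG = """
ip address inside 192.168.25.56 255.255.255.0
ip local pool pptp-pool 192.168.30.100-192.168.30.110
access-list testvpn permit ip 192.168.0.0 255.255.255.0 130.2.0.0 255.255.0.0
access-list testvpn permit ip any host 192.168.30.100
nat (inside) 0 access-list testvpn
route inside 192.167.30.0 255.255.255.0 192.168.25.1 1
route inside 192.168.50.0 255.255.255.0 192.168.25.1 1
"""

def _acl_addr(tokens):
    """Consume one ACL address spec ('any' | 'host A' | 'A MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def pool_addresses(cfg):
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M).groups()
    lo, hi = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]

def inside_network(cfg):
    addr, mask = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M).groups()
    return ipaddress.IPv4Interface(f"{addr}/{mask}").network

def pool_overlaps_inside(cfg):
    """True if the pool draws from the inside subnet, as in the OP's first attempt."""
    net = inside_network(cfg)
    return any(a in net for a in pool_addresses(cfg))

def pool_not_nat_exempt(cfg):
    """Pool addresses that no entry of the NAT 0 ACL names as a destination."""
    name = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    dests = []
    for line in re.findall(rf"^access-list {name} permit ip (.+)$", cfg, re.M):
        _src, rest = _acl_addr(line.split())
        dests.append(_acl_addr(rest)[0])
    return [a for a in pool_addresses(cfg) if not any(a in d for d in dests)]

def non_private_routes(cfg):
    """'route inside' destinations outside RFC 1918 (flags the 192.167.30.0 route)."""
    nets = [ipaddress.IPv4Network(f"{n}/{m}", strict=False)
            for n, m in re.findall(r"^route inside (\S+) (\S+)", cfg, re.M)]
    return [str(n) for n in nets if not n.is_private]
```

Run against the sample, the lint reports ten pool addresses (192.168.30.101 onward) with no NAT 0 exemption and the 192.167.30.0/24 route as the only non-private destination.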
 
Glory3321

Sorry for the delay. I've had some problems at work I had to deal with. When I ran the pptp protocol I had the following setup. (note: I modified the addressing to use the 192.168.30.x network as you have)

ip local pool pptp-pool 192.168.30.100-192.168.30.109
access-list pptpvpn permit ip any host 192.168.30.100
access-list pptpvpn permit ip any host 192.168.30.101
access-list pptpvpn permit ip any host 192.168.30.102
access-list pptpvpn permit ip any host 192.168.30.103
access-list pptpvpn permit ip any host 192.168.30.104
access-list pptpvpn permit ip any host 192.168.30.105
access-list pptpvpn permit ip any host 192.168.30.106
access-list pptpvpn permit ip any host 192.168.30.107
access-list pptpvpn permit ip any host 192.168.30.108
access-list pptpvpn permit ip any host 192.168.30.109
nat (inside) 0 access-list pptpvpn
aaa-server myradius protocol radius
aaa-server myradius (inside) host x.x.x.x pwd timeout 5
aaa-server myradius (inside) host y.y.y.y pwd timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns x.x.x.x y.y.y.y
vpdn group 1 client authentication aaa myradius
vpdn enable outside
sysopt connection permit-pptp


Hope this helps.

Bluecrack
 
Hi BlueCrack !,

Thanks for your help. It works by applying the pptpvpn to nat 0.


But my existing nat 0 is being used by another VPN connection which is PIX to PIX connection, which is operational and functioning very well.

Can I bind two access-lists in nat 0 (pptpvpn and japvpn)?

Is there another way to bind pptpvpn aside from nat 0?

Thanks!
 
I am not aware of any way to bind two access-lists to NAT 0. However, you can put the statements from both access-lists together in one access-list and bind that to NAT 0.

Bluecrack
 
Hi Bluecrack !,

How are you lately? First of all, you have been very helpful indeed in solving my problem with the PIX. I think this will be my last question on this problem.

How can I combine these two access-lists into one access-list and bind it to NAT 0?

access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 130.2.0.0 255.255.0.0


access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 192.168.30.0 255.255.255.0


Thanks!

glory3321
 
I've been really busy.

You should be able to take the statements from both access-lists and put them both in one access-list. Then use that access-list in the NAT 0 statement. It looks like you've got:

access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 130.2.0.0 255.255.0.0
access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list pptpvpn

That should do the trick. I don't know of any problems with this. NAT 0 with the access-list command should just not NAT the traffic specified in the access-list.

Bluecrack
 