HAIRPIN 6.3 with 2 outside interfaces and PPTP VPN

[aabc123]

Hi All;

I Hope somebody can share some light on this problem i have created.

I am using PIX515 6.3.5

I have developed an application that sits on the Salesman laptops, it is based on apache web server at port 80.

My idea is that the user connects to the corporate network via PPTP and makes the data of his application available to other users, basically is this:

WINXP_LAPTOP<-->PPTP_VPN<-->PIX INT_0<-->INTRANET WITH DMZ QUERY<-->INT_1<-->WEB

Laptop user VPNs into the Interface 0 of the PIX, the main server is on the DMZ on the interface 2, the server processes the info and makes it avalilable via Interface 1.

I have tried all sorts of config, even bought another firewall but no chance. My biggest issue is that the pix does not allow 2 interfaces to share the same network space.

I think i need an ethernet router to sit in front of the two outside ports of the PIX to route traffic between the two interfaces.

i know it sounds confusing, but i have been cracking head for a week now.

This link shows a diagram of what i am trying to achieve.

Thanks for your help

Lucio

 

[BuckWeet]

Upgrade to pix code 7.x and newer.. It supports hair-pinning/same interface routing..

 

[Supergrrover]

It would help to post your config but it looks like routing would be a problem. I think buckweet's post is in the right direction.
Take a look at these

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

http://www.cisco.com/en/US/products...s_configuration_example09186a00805734ae.shtml

http://www.cisco.com/en/US/products...s_configuration_example09186a008046f307.shtml

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[aabc123]

HI Brent and Buckweet;

Thanks for your responces.

That's where i have the biggest problem Upgrading, if i upgrade to 7.x or 8.x, i loose the PPTP functionality that is built-in the PIX, hence the two outside interfaces.

I even trided upgrading the pix to 8.x and placing a PIX506E behind the pix, and no luck.

Any other ideas pls?

Thanks

Lucio

 

[BuckWeet]

Could you switch over to a VPN client?? The VPN Client will offer better performance and network compatabilities (NAT Traversal, split tunneling, etc..)

 

[Supergrrover]

I would second Buckweet's suggestion of using IPSEC instead. It's so much more powerful as far as options and abilities. Even if you put the 506 behind it you still have the same problem of hairpinning or routing.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[aabc123]

Hi guys;

How about if terminate the PPTP on the inside interface, and have a port tranlation from outside to the inside interface?

I would love to use ipsec, but my application requires PPTP

Thanks

Lucio

 

[Supergrrover]

Can you describe the network path in detail. So to what I get now is - traffic passes from the customer pc to the pix and then bounces back out to the sale pc without hitting the web server or internal network?

I don't think you can do it with just one. You might try a PPTP server inside the network and terminate it that way. Having a linux or windows server be the PPTP endpoint inside and mapping separate IP/ports for those purposes.

I'm out of ideas after that.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[BuckWeet]

Not to force the option, but why would your application be tied to PPTP??

 

[aabc123]

Hi Guys;

Thanks for your notes, but i couldn't make it work,

I have purchased another PIX to use as the PPTP concentrator, this is a PIX506E, the new layout is:

http://www.disco3.co.uk/gallery/albums/userpics/14196/normal_PPTP_2.GIF

I can from the 172.16.2.0 network, with a test laptop, ping and browse (apache) the application on the salesman laptop.

I have a static map from the pix 515 to the Inside interface of the PIX506, which in turn translates to the PPTP IP Address, but i am getting a no route to the requestor IP address from the PIX 506.

This is my config on the PIX506E:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd

hostname 506gatekeeper
domain-name ko.com

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 10.10.3.1 VPN
name 172.16.2.12 wew

access-list inside_outbound_nat0_acl permit ip any 10.10.3.0 255.255.255.0
access-list 100 permit tcp any host 172.16.2.10 eq www
access-list 100 permit tcp any host 172.16.2.11 eq www
access-list inside_access_in permit tcp any host wew eq www
access-list inside_access_in permit tcp any host 172.16.2.11 eq www
access-list inside_access_in permit tcp any host 172.16.2.10 eq www

pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500

ip address outside 78.86.1.1 255.255.240.0
ip address inside 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL VPN-10.10.3.254 mask 255.255.255.0

pdm location 172.16.2.254 255.255.255.255 inside
pdm logging debugging 100
pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

static (outside,inside) tcp 172.16.2.13

http://www 10.10.3.1

http://www netmask

255.255.255.255 0 0
static (outside,inside) tcp 172.16.2.11

http://www 10.10.3.2

http://www netmask

255.255.255.255 0 0
static (outside,inside) tcp 172.16.2.10

http://www 10.10.3.3

http://www netmask

255.255.255.255 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 78.86.192.1 1
route inside 172.16.2.254 255.255.255.255 172.16.2.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local

http server enable

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_POOL
vpdn group PPTP-VPDN-GROUP client configuration dns 87.194.0.51 87.194.0.66
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username ko password *********
vpdn enable outside

######################################################################################
This is the PIX515 Config Version 8.0.3:

hostname 515gatekeeper
domain-name ko.com

!
names
name 192.168.1.100 WEB_SERVER
name 78.86.192.1 GATEWAY
!
!
interface Ethernet0
nameif outside
security-level 0
no ip address
ip address 78.86.1.2 255.255.240.0
no shutdown
!
interface Ethernet1
nameif inside
security-level 100
no ip address
ip address 172.16.2.254 255.255.255.0
no shutdown
!
interface Ethernet2
nameif dmz
security-level 50
no ip address
ip address 192.168.1.254 255.255.255.0
no shutdown
!
ftp mode passive

dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



access-list ACLOUT extended permit tcp any host 78.86.1.214 eq www

access-list ACLOUT extended permit tcp any host 78.86.1.196 eq www
access-list ACLOUT extended permit tcp any host 78.86.1.196 eq https
access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.86.1.196 eq ftp
access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.86.1.196 eq ftp-data
access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.86.1.196 eq ssh
access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.86.1.196 eq 10000
access-list ACLOUT extended permit tcp object-group MailHopRelayGroup host 78.86.1.196 eq smtp
access-list http-list2 extended permit tcp any host 78.86.1.195
access-list http-list2 extended permit tcp any host 78.86.1.196



############################

access-list dmz_access_in extended permit ip any any


!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
global (outside) 1 78.86.1.197 netmask 255.255.255.255
global (outside) 1 78.86.1.198 netmask 255.255.255.255

nat (outside) 0 172.16.1.0 255.255.255.0
nat (outside) 0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 78.86.1.214

http://www 172.16.2.10

http://www netmask

255.255.255.255

static (dmz,outside) tcp 78.86.1.196

http://www WEB_SERVER

http://www netmask

255.255.255.255
static (dmz,outside) tcp 78.86.1.196 ftp WEB_SERVER ftp netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 ftp-data WEB_SERVER ftp-data netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 smtp WEB_SERVER smtp netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 ssh WEB_SERVER ssh netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 https WEB_SERVER https netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 3389 192.168.1.101 3389 netmask 255.255.255.255
static (dmz,outside) tcp 78.86.1.196 10000 WEB_SERVER 10000 netmask 255.255.255.255


access-group ACLOUT in interface outside



############################

access-group dmz_access_in in interface dmz


route outside 0.0.0.0 0.0.0.0 GATEWAY 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

http server enable
http 10.10.10.1 255.255.255.255 inside
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 dmz

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 5
!
threat-detection basic-threat
threat-detection statistics
!

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

service-policy global_policy global
service-policy http-map1 interface outside

smtp-server 192.168.1.100
prompt hostname context

asdm image flash:/asdm-603.bin
no asdm history enable



Thanks

Lucio

 

[BuckWeet]

You are going to have to either move to PIX 7+ and move to the IPSEC client. Or you need to move the PPTP services to a server (NT or linux box)..

I still would like to know why an application is tied to PPTP..

BuckWeet

 

[aabc123]

i BuckWeet;

Is this because of routingissues?

I don't mind telling you but in private, if i may, pls?

Are you OK based?

Thanks

Lucio

 

[BuckWeet]

Its a technical limitation of the PIX 6.x You cannot route out the same interface that traffic was received on..

If you were to move your PPTP to a linux/windows box, this limitation is removed.

As for the app issue, I guess all I'm looking for is.. "the app has ties built into" what happens if microsoft release an update, OS change, etc?? this would break your app.


Hope this helps

BuckWeet

 

[aabc123]

Hi BuckWeet;

Thanks.

Where are you in this world?

I would like to talk to you and share with you my project, you might want to take part on it.

Trust me it is the dogs bo****ks

Regards

Lucio