
Help !! Need to create VPN PIX-to-Windows2000 SERVER


KVP (IS-IT--Management), Jan 24, 2002
I have a PIX 515.
How can I create a VPN from the PIX to a Windows 2000 Server?
LAN---Pix-Internet-Windows2000Server

Help!!!
 
HI!

Give more info:

What are your needs?
Do you need access to all the internal network behind the 2000 or just a few servers?
How is the 2000 server currently configured?
Does the 2000 server already provide VPN (if so, in what technique?)
Is an RSA certificate installed on the 2000 server for L2TP?
Is the ISA firewall installed on the 2000 server?
Is the 2000 server going to provide access to the internal network or just to itself?
Is there another firewall protecting the 2000 server? Have you considered terminating the VPN tunnel there?
Do you need tunneling (encapsulating private IP addresses) or will IPSec encryption using transport mode be sufficient and simpler for you?
What version of PIX do you have?
What is your knowledge in general about PIX , IPSec, and W2K?

Here are some tips:
W2K RRAS server provides VPN using 2 technologies:
PPTP - This is not relevant since the PIX cannot act as a PPTP client (as far as I know).
L2TP - If you want win2000 to act as L2TP VPN server, it must have RSA certificate installed.


I myself have not tried this before, but with more info you'll get better answers.



Bye
Yizhar Hurwitz
 
What are your needs? Create VPN.

Do you need access to all the internal network behind the 2000 or just a few servers? A few servers.

How is the 2000 server currently configured? I don't know.

Does the 2000 server already provide VPN (if so, in what technique?) YES

Is an RSA certificate installed on the 2000 server for L2TP? I don't know.

Is the ISA firewall installed on the 2000 server? NO

Is the 2000 server going to provide access to the internal network or just to itself? May be.

Is there another firewall protecting the 2000 server? No

Have you considered terminating the VPN tunnel there?



I need to transfer some files through the VPN, from different PCs (LAN) to Win2000.
What version of PIX do you have? PIX 515

What is your knowledge in general about PIX , IPSec, and W2K? PIX 6 mans

Here are some tips:
W2K RRAS server provides VPN using 2 technologies:
PPTP - This is not relevant since the PIX cannot act as a PPTP client (as far as I know).
L2TP - If you want win2000 to act as L2TP VPN server, it must have RSA certificate installed.

I opened some ports on the PIX and created an L2TP VPN from the LAN to Win2000, but it is not good.

I have a PIX 515.

Win2000 is installed in a different organization.

 
HI!

One option - Ask the 2000 administrator to provide FTP limited to your IP addresses and protected with strong passwords as a temporary solution if it's urgent and relevant.

For the problem itself, here is what I would do:

* Send the unanswered questions to the 2000 admin, and ask for his cooperation.
* Take a Win2000 machine (pro or server) try to VPN.
If it doesn't work through the PIX, then use a dial-up line or put the test machine outside of the PIX if you can. This will later be changed.
* Now you can VPN 2000 to 2000? Great! What next?
* Set your 2000 test machine to L2TP only (disable PPTP).
* Can you VPN now? OOPS... I guess you can't.
If you can't then your PIX won't do it also (PIX isn't a PPTP client).

* So? What now?
* Maybe your router can be a PPTP client - I myself don't know but you can check it out. I guess it can't (but again I don't know).
* So you can try now to set the 2000 to PPTP and now you want to put it "inside" the PIX. Right?
* Put the 2000 inside the PIX, give it the correct IP, and use STATIC to map it to a registered IP outside the PIX. This can solve some problems.
* Try to VPN from the 2000. You might need to open the PIX for GRE traffic and TCP port 1723:

conduit permit TCP host 2000client eq 1723 host vpnserver
conduit permit gre host ... host ...

or:
access-list aclout permit tcp host vpnserver host 2000client eq 1723
access-list aclout permit gre ....

* Works now from the 2000 machine? Is it better than nothing?
You still want to access from other machines, right?
So now you can try the same solution for a few other PPTP clients, or try using a 2000 server as RRAS with DDR server to share the connection with other clients.


* Another option is to try the PIX to 2000 solution you were looking for.
I think that you'll need the 2000 vpnserver administrator cooperation for this.

Bye

Yizhar Hurwitz
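A PIX 6.x configuration fragment for the STATIC-plus-access-list step described in the reply above, added here as an example for this thread (it is not Yizhar's own configuration or Cisco documentation); the interface names and all three addresses are assumed placeholders:

```cisco
! PIX 6.x fragment (added example). Assumed addresses, all placeholders:
!   inside Win2000 test client ........ 10.1.1.20
!   registered outside address for it . 203.0.113.20
!   remote Win2000 PPTP/RRAS server ... 198.51.100.5

! One-to-one static mapping so the remote server always sees the same
! outside address for the inside client (avoids PAT, which breaks GRE).
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255

! Inbound permits, narrowed to the single host pair.
! The TCP 1723 control connection is opened from the inside client, so the
! stateful engine already lets its replies back in; the permit below only
! covers the server-side port 1723 and is kept for clarity.
access-list aclout permit tcp host 198.51.100.5 eq 1723 host 203.0.113.20
! GRE (IP protocol 47) carries the PPTP data channel and is not TCP, so it
! needs its own explicit inbound permit.
access-list aclout permit gre host 198.51.100.5 host 203.0.113.20
access-group aclout in interface outside

! Weaker form to avoid: it exposes every static host to GRE from anywhere.
! access-list aclout permit gre any any
```

After changing a static, run `clear xlate` so the new translation takes effect for existing connections.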
 