
Microsoft VPN Server Behind Cisco PIX 515e

Status: Not open for further replies.

qusai (Technical User), Jan 3, 2005
Happy New Year All,

I have a Cisco PIX 515e, and I want to enable the Microsoft VPN server which is behind the PIX firewall.

I added the access lists and static command to the PIX, but when I try to connect from outside I get "Verifying user name and password", and then I get error 619.

Below is the PIX configuration; can you please check whether this configuration is the correct one?

Note: the global IP is 222.210.117.27 and the internal VPN server IP is 192.168.4.2.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 fail security50
nameif ethernet3 guest security40
nameif ethernet4 dmz security20
nameif ethernet5 admin security80
enable password .xxxxxxxxxxxxxxxx encrypted
passwd .xxxxxxxxxxx encrypted
hostname firewallpix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any any eq https
access-list acl_out permit udp any any eq dnsix
access-list acl_out permit udp any any eq domain
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any gt 1023
access-list acl_out permit tcp any host 222.210.117.19 eq smtp
access-list acl_out permit tcp any host 222.210.117.20 eq www
access-list acl_out permit tcp any host 222.210.117.19 eq pop3
access-list acl_out permit tcp any host 222.210.117.19 eq www
access-list acl_out permit tcp any host 222.210.117.17
access-list acl_out permit tcp any host 222.210.117.18
access-list acl_out permit udp any any gt 1023
access-list acl_out permit esp any any
access-list acl_out permit udp any any eq isakmp
access-list acl_out permit tcp any host 222.210.117.20 eq smtp
access-list acl_out permit tcp any host 222.210.117.20 eq pop3
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq pop3
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 222.210.117.18 eq smtp
access-list acl_out permit tcp any host 222.210.117.23 eq ssh
access-list acl_out permit tcp any host 193.188.114.19 eq smtp
access-list acl_out permit tcp any host 193.188.114.19 eq www
access-list acl_out permit tcp any host 222.210.117.25 eq www
access-list acl_out permit tcp any any eq pptp
access-list acl_out permit tcp any host 222.210.117.27 eq pptp
access-list acl_out permit tcp any any eq 47
access-list acl_out permit tcp any host 222.210.117.27 eq 47
access-list acl_out permit icmp any host 222.210.117.27 echo
access-list acl_out permit gre any host 222.210.117.27
access-list acl_out permit udp any host 222.210.117.27 eq 47
access-list acl_dmz permit tcp any host 192.168.4.1 eq domain
access-list acl_dmz permit udp any host 192.168.4.1 eq domain
access-list acl_dmz permit tcp any host 192.168.4.1 eq 88
access-list acl_dmz permit udp any host 192.168.4.1 eq 88
access-list acl_dmz permit tcp any host 192.168.4.1 eq 135
access-list acl_dmz permit udp any host 192.168.4.1 eq 135
access-list acl_dmz permit tcp any host 192.168.4.1 eq 889
access-list acl_dmz permit udp any host 192.168.4.1 eq 889
access-list acl_dmz permit tcp any host 192.168.4.1 eq ldap
access-list acl_dmz permit udp any host 192.168.4.1 eq 389
access-list acl_dmz permit udp any host 192.168.4.1 eq 3268
access-list acl_dmz permit tcp any host 192.168.4.1 eq 3268
access-list acl_dmz permit tcp any host 192.168.4.1 eq www
access-list acl_dmz permit udp any host 192.168.4.1 eq 80
access-list acl_dmz permit udp any host 192.168.4.1 eq 25
access-list acl_dmz permit tcp any host 192.168.4.1 eq smtp
access-list acl_dmz permit tcp any host 192.168.4.1 eq pop3
access-list acl_dmz permit udp any host 192.168.4.1 eq 110
access-list acl_dmz permit udp any host 192.168.4.1 eq 143
access-list acl_dmz permit tcp any host 192.168.4.1 eq imap4
access-list acl_dmz permit tcp any host 192.168.4.1 eq 691
access-list acl_dmz permit udp any host 192.168.4.1 eq 691
access-list acl_dmz permit icmp any any
access-list acl_dmz permit tcp any host 192.168.4.1 gt 1024
access-list acl_dmz permit tcp any any
access-list acl_dmz permit udp any any
access-list acl_dmz permit ip any any
access-list acl_dmz permit udp any host 192.168.4.131 eq 80
access-list acl_dmz permit tcp any host 192.168.4.10 eq domain
access-list acl_dmz permit udp any host 192.168.4.10 eq domain
access-list acl_dmz permit tcp any host 192.168.4.10 eq 88
access-list acl_dmz permit udp any host 192.168.4.10 eq 88
access-list acl_dmz permit tcp any host 192.168.4.10 eq 135
access-list acl_dmz permit udp any host 192.168.4.10 eq 135
access-list acl_dmz permit tcp any host 192.168.4.10 eq 889
access-list acl_dmz permit udp any host 192.168.4.10 eq 889
access-list acl_dmz permit tcp any host 192.168.4.10 eq ldap
access-list acl_dmz permit udp any host 192.168.4.10 eq 389
access-list acl_dmz permit udp any host 192.168.4.10 eq 3268
access-list acl_dmz permit tcp any host 192.168.4.10 eq 3268
access-list acl_dmz permit tcp any host 192.168.4.10 eq www
access-list acl_dmz permit udp any host 192.168.4.10 eq 80
access-list acl_dmz permit udp any host 192.168.4.10 eq 25
access-list acl_dmz permit tcp any host 192.168.4.10 eq smtp
access-list acl_dmz permit tcp any host 192.168.4.10 eq pop3
access-list acl_dmz permit udp any host 192.168.4.10 eq 110
access-list acl_dmz permit udp any host 192.168.4.10 eq 143
access-list acl_dmz permit tcp any host 192.168.4.10 eq imap4
access-list acl_dmz permit tcp any host 192.168.4.10 eq 691
access-list acl_dmz permit udp any host 192.168.4.10 eq 691
access-list acl_dmz permit tcp any host 192.168.4.10 gt 1024
access-list acl_dmz permit tcp any host 192.168.4.2 eq pptp
access-list acl_dmz permit udp any host 192.168.4.2 eq 1723
access-list acl_dmz permit udp any host 192.168.4.2 eq 47
access-list acl_dmz permit tcp any host 192.168.4.2 eq 47
access-list acl_dmz permit icmp host 192.168.2.4 any echo-reply
access-list acl_temp permit ip any any
access-list acl_temp permit icmp any any
access-list acl_temp permit tcp any any
access-list acl_temp permit udp any any
access-list 110 permit tcp any host 222.210.117.27 eq pptp
access-list 110 permit gre any host 222.210.117.27
pager lines 24
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
mtu fail 1500
mtu guest 1500
mtu dmz 1500
mtu admin 1500
ip address outside 82.194.40.3 255.255.255.248
ip address inside 10.10.99.254 255.255.255.0
ip address fail 172.17.1.254 255.255.255.0
ip address guest 192.168.31.2 255.255.255.0
ip address dmz 172.18.1.254 255.255.255.0
ip address admin 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 3
failover ip address outside 82.194.40.4
failover ip address inside 10.10.99.253
failover ip address fail 172.17.1.253
failover ip address guest 192.168.31.3
failover ip address dmz 172.18.1.253
failover ip address admin 192.168.2.2
failover link fail
failover lan unit primary
failover lan interface fail
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 1 82.194.40.17-82.194.40.22 netmask 255.255.255.248
global (outside) 4 222.210.117.0-222.210.117.14 netmask 255.255.255.240
global (outside) 3 193.252.16.97-193.252.16.125 netmask 255.255.255.224
global (outside) 5 82.194.40.129-82.194.40.229 netmask 255.255.255.128
global (outside) 6 222.210.117.26-222.210.117.30 netmask 255.255.255.248
global (outside) 4 193.188.114.17-193.188.114.22 netmask 255.255.255.248
global (outside) 1 82.194.40.23
global (outside) 3 193.252.16.126
global (outside) 5 82.194.40.230
global (outside) 4 222.210.117.15 netmask 255.255.255.255
global (outside) 6 222.210.117.31
nat (inside) 5 0.0.0.0 0.0.0.0 0 0
nat (guest) 0 222.210.117.32 255.255.255.224 0 0
nat (guest) 0 82.194.41.0 255.255.255.128 0 0
nat (guest) 6 0.0.0.0 0.0.0.0 0 0
nat (dmz) 4 172.18.1.0 255.255.255.0 0 0
nat (admin) 4 0.0.0.0 0.0.0.0 0 0
static (admin,dmz) 192.168.4.1 192.168.4.1 netmask 255.255.255.255 0 0
static (dmz,outside) 222.210.117.20 172.18.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 222.210.117.19 172.18.1.9 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.23 192.168.4.130 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.25 192.168.4.131 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.17 192.168.4.1 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.22 192.168.10.138 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.18 192.168.4.10 netmask 255.255.255.255 0 0
static (admin,dmz) 192.168.4.10 192.168.4.10 netmask 255.255.255.255 0 0
static (admin,outside) 222.210.117.27 192.168.4.2 netmask 255.255.255.255 0 0
static (admin,dmz) 192.168.4.2 192.168.4.2 netmask 255.255.255.255 0 0
static (inside,outside) 222.210.117.27 192.168.2.4 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_temp in interface guest
access-group acl_dmz in interface dmz
conduit permit icmp any any
conduit permit esp any any
conduit permit ip host 172.18.1.200 host 222.246.49.130
conduit permit gre any any
conduit permit gre host 222.210.117.27 any
conduit permit tcp host 222.210.117.27 eq pptp any
conduit permit tcp host 222.210.117.27 any eq pptp
route outside 0.0.0.0 0.0.0.0 82.194.40.1 1
route admin 10.10.100.0 255.255.255.0 192.168.2.254 1
route guest 222.210.117.32 255.255.255.224 192.168.31.1 1
route guest 82.194.41.0 255.255.255.0 192.168.31.1 1
route admin 192.168.4.0 255.255.255.0 192.168.2.254 1
route admin 192.168.5.0 255.255.255.0 192.168.2.254 1
route admin 192.168.6.0 255.255.255.0 192.168.2.254 1
route admin 192.168.7.0 255.255.255.0 192.168.2.254 1
route admin 192.168.8.0 255.255.255.0 192.168.2.254 1
route admin 192.168.9.0 255.255.255.0 192.168.2.254 1
route admin 192.168.10.0 255.255.255.0 192.168.2.254 1
route admin 192.168.11.0 255.255.255.0 192.168.2.254 1
route admin 192.168.12.0 255.255.255.0 192.168.2.254 1
route guest 192.168.32.0 255.255.252.0 192.168.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host admin 10.10.100.50
no snmp-server location
no snmp-server contact
snmp-server community bahrain1
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp nat-traversal 10
telnet 192.168.33.0 255.255.255.0 guest
telnet 172.18.1.0 255.255.255.0 dmz
telnet 192.168.0.0 255.255.0.0 admin
telnet 10.10.100.50 255.255.255.255 admin
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
firewallpix#
Thanks a lot and Best Wishes

Qusai
akwong

I don't seem to see any access-group for your new access-list 110... That might be one of the problems.
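The observation above (an access-list that exists but is applied to no interface) is the kind of thing a quick configuration audit catches before a VPN client ever dials in. The script below is an added example, not code from the thread or from Cisco; it parses PIX 6.x-style `access-list`, `access-group` and `static` lines, reports ACLs that are never bound with `access-group ... in interface ...` (the form the posted config already uses for acl_out and acl_dmz), reports `access-group` lines that name a missing ACL, lists global addresses claimed by more than one `static`, and checks whether the ACL bound to an interface explicitly permits the two flows PPTP needs towards a given host: TCP/1723 and IP protocol 47 (GRE). The function names and the `SAMPLE_CONFIG` excerpt are my own; the excerpt is a constructed subset modelled on the posted config, not the full configuration.

```python
"""Static audit of a Cisco PIX 6.x configuration (added example, not Cisco tooling).

Checks: ACLs defined but never bound, access-groups naming a missing ACL,
global addresses shared by several statics, and explicit PPTP (TCP/1723 + GRE)
permits on the ACL bound to a given interface.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's config (not the full posted config).
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 222.210.117.27 eq pptp
access-list acl_out permit gre any host 222.210.117.27
access-list acl_dmz permit ip any any
access-list 110 permit tcp any host 222.210.117.27 eq pptp
access-list 110 permit gre any host 222.210.117.27
static (admin,outside) 222.210.117.27 192.168.4.2 netmask 255.255.255.255 0 0
static (inside,outside) 222.210.117.27 192.168.2.4 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def _addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def _rule(action, body):
    """Split 'tcp any host X eq pptp' into proto / src / dst / trailing qualifiers."""
    tokens = body.split()
    proto = tokens[0]
    src, i = _addr(tokens, 1)
    # An optional source-port operator may sit between source and destination.
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        i += 2
    elif i < len(tokens) and tokens[i] == "range":
        i += 3
    dst, i = _addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "tail": tokens[i:]}


def parse(config):
    """Collect ACL entries, interface -> ACL bindings, and static translations."""
    acls, groups, statics = defaultdict(list), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(_rule(m.group(2), m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1)  # interface name -> ACL name
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append({"high": m.group(1), "low": m.group(2),
                            "global": m.group(3), "local": m.group(4)})
    return {"acls": dict(acls), "groups": groups, "statics": statics}


def unbound_acls(parsed):
    """ACLs that exist but are applied to no interface: they filter nothing."""
    bound = set(parsed["groups"].values())
    return sorted(name for name in parsed["acls"] if name not in bound)


def dangling_groups(parsed):
    """Interfaces whose access-group names an ACL that has no entries."""
    return sorted(iface for iface, name in parsed["groups"].items() if name not in parsed["acls"])


def shared_static_globals(parsed):
    """Global addresses claimed by more than one static translation (worth a second look)."""
    by_global = defaultdict(list)
    for s in parsed["statics"]:
        by_global[s["global"]].append((s["high"], s["low"], s["local"]))
    return {g: v for g, v in by_global.items() if len(v) > 1}


def pptp_reachability(parsed, interface, host):
    """Does the ACL bound to `interface` explicitly permit TCP/1723 and GRE to `host`?

    Only 'eq pptp' / 'eq 1723' on tcp, a 'gre' rule, or a blanket 'ip' rule count.
    A broad 'gt 1023' is not credited, and 'tcp/udp ... eq 47' is TCP/UDP port 47,
    not IP protocol 47 (GRE), so it is not credited either.
    """
    name = parsed["groups"].get(interface)
    result = {"acl": name, "tcp_1723": False, "gre": False}
    for r in parsed["acls"].get(name, []):
        if r["action"] != "permit" or r["dst"] not in (host, "any"):
            continue
        if r["proto"] == "ip":
            result["tcp_1723"] = result["gre"] = True
        if r["proto"] == "tcp" and r["tail"] in (["eq", "pptp"], ["eq", "1723"]):
            result["tcp_1723"] = True
        if r["proto"] == "gre":
            result["gre"] = True
    return result


if __name__ == "__main__":
    p = parse(SAMPLE_CONFIG)
    print("unbound ACLs:", unbound_acls(p))
    print("dangling access-groups:", dangling_groups(p))
    print("shared static globals:", shared_static_globals(p))
    print("outside -> 222.210.117.27 PPTP:", pptp_reachability(p, "outside", "222.210.117.27"))
```

Run against a saved `show running-config`, the script reports `110` as unbound on the sample above (it is defined but never applied), while acl_out, which is bound to the outside interface, already carries both the TCP/1723 and GRE permits for 222.210.117.27. The shared-global check is deliberately a report, not a verdict: which of two statics for the same address the PIX actually honours is something to confirm on the box, not to guess from text.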
qusai

Hi akwong,
Thanks a lot for your reply.
What is the command for the access-group that I should add?
Thanks indeed,