
Passing MS VPN through PIX 501


pdk68 (Vendor, US), Oct 17, 2002
I need to pass MS VPN traffic from an inside computer to an outside host on the Internet through a PIX. When I try to connect it gets to the authentication, so I know it is getting out, but it gives a "server not responding". I tried putting a static and an access list in mapping 1723, which is what the vendor said their VPN was running on, but this didn't help. Authentication is CHAP.

Thanks
 
Hi,

You also need to open protocol 47 (GRE) on your access list. Hope this helps!
 
Hi.

And also you need to give the workstation a static mapping to a registered IP address. PPTP over PAT does not work via the PIX because PAT will not forward the GRE (IP protocol 47) traffic, no matter whether you permit it in the access-list.

So:
: static takes the global (registered) address first, then the local (inside) address
static (inside,outside) RegisteredIP WorkstationIP
access-list fromoutside permit gre host VPNSERVER host RegisteredIP
access-group fromoutside in interface outside

No need to permit incoming TCP port 1723 because the workstation initiates an outbound connection in your case.

Bye
Yizhar Hurwitz
 
Ok so I statically mapped the outside IP to the inside machine making the VPN connection and allowed it in the access-list but it still doesn't work. Here is my config as it pertains to the MS VPN:

: Allow MS VPN Client.
access-list 103 permit tcp host *.*.*.161 host *.*.*.68 eq 1723
access-list 103 permit tcp host *.*.*.161 host *.*.*.68 eq 47
access-list 103 permit tcp host *.*.*.139 host *.*.*.68 eq 1723
access-list 103 permit tcp host *.*.*.139 host *.*.*.68 eq 47
access-list 103 permit tcp host *.*.*.21 host *.*.*.68 eq 1723
access-list 103 permit tcp host *.*.*.21 host *.*.*.68 eq 47

: Mapping for MS VPN Client.
static (inside,outside) tcp *.*.*.68 1723 192.168.0.200 1723 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.68 47 192.168.0.200 47 netmask 255.255.255.255

: Apply access-list 103 to outside interface
access-group 103 in interface outside

I know I have to be missing something but I just can't see it.

Thanks guys.
 
Your config is incorrect.

All the access-list commands ending with "eq 47" should read:

access-list 103 permit gre host *.*.*.161 host *.*.*.68
access-list 103 permit gre host *.*.*.139 host *.*.*.68
access-list 103 permit gre host *.*.*.21 host *.*.*.68

Your static should read:

static (inside,outside) *.*.*.68 192.168.0.200 netmask 255.255.255.255 0 0
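The two mistakes corrected above (writing `eq 47` on a TCP rule, which matches TCP port 47 rather than IP protocol 47, and a port-level static for GRE) are easy to catch mechanically. The following added example is not from the thread or from Cisco; it is a small lint that flags exactly those patterns in PIX-style config text. The sample config is constructed from the thread with the masked addresses replaced by RFC 5737 documentation addresses.

```python
import re

# Constructed sample: the thread's lines with masked addresses replaced by
# documentation addresses (placeholders, not real hosts).
SAMPLE_CONFIG = """\
access-list 103 permit tcp host 192.0.2.161 host 203.0.113.68 eq 1723
access-list 103 permit tcp host 192.0.2.161 host 203.0.113.68 eq 47
static (inside,outside) tcp 203.0.113.68 1723 192.168.0.200 1723 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.68 47 192.168.0.200 47 netmask 255.255.255.255
access-list 103 permit gre host 192.0.2.161 host 203.0.113.68
static (inside,outside) 203.0.113.68 192.168.0.200 netmask 255.255.255.255 0 0
"""

# IP protocol numbers that are commonly mistaken for TCP/UDP port numbers.
PROTO_NUMBERS = {47: "gre", 50: "esp", 51: "ah"}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\d+)$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<ifaces>[^)]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\d+)\s+(?P<lip>\S+)\s+(?P<lport>\d+)"
)

def lint_pix_gre(config: str) -> list:
    """Return (line, finding) tuples for rules that confuse a protocol number with a port."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and int(m["port"]) in PROTO_NUMBERS:
            name = PROTO_NUMBERS[int(m["port"])]
            findings.append((line,
                f"'eq {m['port']}' matches {m['proto'].upper()} port {m['port']}, not IP "
                f"protocol {m['port']}; use: access-list {m['name']} permit {name} "
                f"host {m['src']} host {m['dst']}"))
            continue
        s = STATIC_RE.match(line)
        if s and int(s["gport"]) in PROTO_NUMBERS:
            findings.append((line,
                f"port-level static cannot carry IP protocol {s['gport']} "
                f"({PROTO_NUMBERS[int(s['gport'])]}); use a one-to-one static: "
                f"static ({s['ifaces']}) {s['gip']} {s['lip']} netmask 255.255.255.255"))
    return findings

if __name__ == "__main__":
    for line, msg in lint_pix_gre(SAMPLE_CONFIG):
        print(f"{line}\n  -> {msg}")
```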
 
Works great. My only question is whether this static will mess up any other statics or an IPsec VPN into the PIX. Right now I have to have an IPsec VPN into the box using the Cisco client for remote LAN access. I don't have any other static mappings at this time, but I want to be clear on what this will affect in the future, since I only have one public IP to use. Is there a way to static just the GRE, or port 47, instead of all traffic?

Thanks for all the help. I have been beating my head against the wall for a few days and was unaware of the "permit gre"; I thought I had to permit the port number.
 