Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 501 VPN Pass-through

Status
Not open for further replies.
RTAdams89

RTAdams89

IS-IT--Management
Aug 20, 2009
3
US
Hello everyone. We have a network that consists of a SBS 2003 server which handles all the DHCP/DNS on the LAN. Also connected to the switches is a DSL modem for Internet access. Between the modem and the LAN switches is a PIX 501. When it was setup, it was configured such that outside users could access the SBS's website, SMTP server, etc. We now want to use our SBS to run a PPTP VPN. I've tried adding a static route to the PIX in the same way all the other services (web, smtp, etc.) were added, but for some reason it still doesn't work. Here is the current config WITHOUT any VPN pass-through setup:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 VPN-02
access-list services permit tcp any interface outside eq 6051
access-list services permit tcp any interface outside eq 6080
access-list services permit tcp any host 10.0.0.2 eq 3389
access-list services permit tcp any host 10.0.0.2 eq www
access-list services permit tcp any host 10.0.0.2 eq https
access-list services permit tcp any host 10.0.0.2 eq 444
access-list services permit tcp any host 10.0.0.2 eq 4125
access-list services permit tcp any host 10.0.0.2 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.2
access-list outside_access_in permit gre any host 10.0.0.2
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location VPN-02 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 VPN-02 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp VPN-02 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https VPN-02 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 VPN-02 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 VPN-02 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6051 VPN-02 6051 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6080 VPN-02 6080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp VPN-02 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 VPN-02 47 netmask 255.255.255.255 0 0
access-group services in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:a6b7fda2da59f5f80d95a5cd0a8a2df0
: end
[OK]

What commands do I need to run to enable PPTP VPN traffic to pass through the PIX and go to the SBS (at 192.168.0.2)?
 
Sort by date Sort by votes
I looked at that before and tried to adapt it for my network setup, but obviously failed as it still doesn't work. When I try to VPN in from an outside computer, the VPN client doesn't detect the server at all.

How should I adapt those commands to allow any computer on the outside interface to connect to the VPN server on 192.168.0.2 on the inside interface?
 
Upvote 0 Downvote
Sorry my bad - I didn't read it through.

You will need to map GRE through. You will need a dedicated IP for the static as the static command itself doesn't support GRE and PAT (GRE is an IP protocol, not a tcp port like 1723 is.) Be sure to modify the external ACL to reflect the changes.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
You'll have to forgive me, as I know next to nothing about the PIX.

How do I go about allowing GRE (IP 47) through the PIX to the server at 192.168.0.2?
 
Upvote 0 Downvote
You will need to use a dedicated IP for the outside facing address. You will need a second IP for the rest of the computers on the internal network to reach the internet through.

Delete all of these -
static (inside,outside) tcp interface 3389 VPN-02 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp VPN-02 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https VPN-02 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 VPN-02 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 VPN-02 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6051 VPN-02 6051 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6080 VPN-02 6080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp VPN-02 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 VPN-02 47 netmask 255.255.255.255 0 0

Adding this will replace all of them
static (inside,outside) ip 10.0.0.2 VPN-02 netmask 255.255.255.255 0 0

Add these to your ACL
access-list services permit gre any host 10.0.0.2
access-list services permit tcp any host 10.0.0.2 eq 1723

Delete this
global (outside) 1 interface
add
global (outside) 1 10.0.0.X
where X is your new IP for the internal networks internet access.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
584
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
206
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
722
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
160
WhosYourDiffie
WhosYourDiffie
ChrisFairley
  • Locked
  • Question
Downloads failing through ASA 5520
Replies
1
Views
140
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top