PIX PPTP Windows 2K VPN HELP? 1


jxv110

IS-IT--Management
Oct 22, 2001
For some reason I am unable to properly configure our PIX to allow outside windows 2000 vpn clients to pass through the PIX successfully registering with a Windows 2000 VPN server that is behind the PIX. From what I can tell, most of the configuration is correct as PPTP packets are passed through the firewall but the user is never authenticated.

My current PIX conf is posted below.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname phoenix
domain-name impli.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 63.203.233.34 higherorder.com
name 199.174.85.19 ra0014
name 199.174.84.243 ra0196
name 199.174.84.251 ra0131
name 199.174.85.2 ra0120
name 4.35.15.19 ra0292
name 64.168.145.46 test46
name 64.168.145.42 test42
access-list 46 permit ip 10.5.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 46 permit ip 10.5.1.0 255.255.255.0 host test46
access-list ra0014 permit ip 10.5.1.0 255.255.255.0 10.16.14.0 255.255.255.0
access-list ra0014 permit ip 10.5.1.0 255.255.255.0 host ra0014
access-list 10 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list 42 permit ip 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 42 permit ip 10.5.1.0 255.255.255.0 host test42
access-list ra0196 permit ip 10.5.1.0 255.255.255.0 10.16.196.0 255.255.255.0
access-list ra0196 permit ip 10.5.1.0 255.255.255.0 host ra0196
access-list ra0131 permit ip 10.5.1.0 255.255.255.0 10.16.131.0 255.255.255.0
access-list ra0131 permit ip 10.5.1.0 255.255.255.0 host ra0131
access-list ra0120 permit ip 10.5.1.0 255.255.255.0 10.16.120.0 255.255.255.0
access-list ra0120 permit ip 10.5.1.0 255.255.255.0 host ra0120
access-list ra0292 permit ip 10.5.1.0 255.255.255.0 10.17.36.0 255.255.255.0
access-list ra0292 permit ip 10.5.1.0 255.255.255.0 host ra0292
access-list 101 permit tcp any host 165.121.98.214 eq 1723
access-list 101 permit gre any host 165.121.98.214
pager lines 24
logging on
logging buffered debugging
logging history debugging
logging queue 1024
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 165.121.98.214 255.255.255.0
ip address inside 10.5.1.3 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 10.5.1.81 255.255.255.255 inside
pdm location 10.5.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 165.121.98.214 1723 10.5.1.210 1723 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 165.121.98.214 eq 1723 any
conduit permit gre host 165.121.98.214 any
route outside 0.0.0.0 0.0.0.0 165.121.98.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 10.5.1.81 255.255.255.255 inside
http 10.5.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address 42
crypto map rtpmap 10 set peer test42
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 11 ipsec-isakmp
crypto map rtpmap 11 match address 46
crypto map rtpmap 11 set peer test46
crypto map rtpmap 11 set transform-set myset
crypto map rtpmap 1014 ipsec-isakmp
crypto map rtpmap 1014 match address ra0014
crypto map rtpmap 1014 set peer ra0014
crypto map rtpmap 1014 set transform-set myset
crypto map rtpmap 1120 ipsec-isakmp
crypto map rtpmap 1120 match address ra0120
crypto map rtpmap 1120 set peer ra0120
crypto map rtpmap 1120 set transform-set myset
crypto map rtpmap 1131 ipsec-isakmp
crypto map rtpmap 1131 match address ra0131
crypto map rtpmap 1131 set peer ra0131
crypto map rtpmap 1131 set transform-set myset
crypto map rtpmap 1196 ipsec-isakmp
crypto map rtpmap 1196 match address ra0196
crypto map rtpmap 1196 set peer ra0196
crypto map rtpmap 1196 set transform-set myset
crypto map rtpmap 1292 ipsec-isakmp
crypto map rtpmap 1292 match address ra0292
crypto map rtpmap 1292 set peer ra0292
crypto map rtpmap 1292 set transform-set myset
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address test46 netmask 255.255.255.255
isakmp key ******** address test42 netmask 255.255.255.255
isakmp key ******** address ra0014 netmask 255.255.255.255
isakmp key ******** address ra0196 netmask 255.255.255.255
isakmp key ******** address ra0131 netmask 255.255.255.255
isakmp key ******** address ra0120 netmask 255.255.255.255
isakmp key ******** address ra0292 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
telnet 10.5.0.0 255.255.0.0 inside
telnet timeout 50
ssh timeout 5
terminal width 80
Cryptochecksum:0d10141234f20e7d74a9ddc47f6eb5a8
: end
[OK]
 
Hi.

There are some strange things in your config:

* The STATIC line
static (inside,outside) tcp 165.121.98.214 1723 10.5.1.210 1723 netmask 255.255.255.255 0 0

Will map port 1723 only. But what about GRE protocol?
It will be mapped to the PIX outside interface itself, instead of your internal VPN server!

You will need more IP addresses, and use normal STATIC mapping of a "full" IP address and not only a single port.

* There is no ACL on the outside interface for incoming PPTP traffic.

This sample partial config should work IMHO (IP addresses are fictitious, 10.0.0.1 is the internal VPN server):

ip address outside 111.111.111.111 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
static (inside,outside) 111.111.111.112 10.0.0.1
access-list 100 permit tcp any host 111.111.111.112 eq 1723
access-list 100 permit gre any host 111.111.111.112
access-list 100 permit icmp any host 111.111.111.112
access-group 100 in interface outside

* Since you have a PIX, and a PIX can be a PPTP server, why not terminate the VPN at the PIX interface? There are samples for this on the Cisco web site.
Or use IPSec VPNs?

There are more questions arising from your config, but I'll focus on the PPTP question.

Bye

Yizhar Hurwitz
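The reply's point is that PPTP passthrough needs two separate things to reach the inside server: a translation for TCP/1723 and a translation for GRE, and GRE has no port, so a port-level static can never carry it. The following checker is an added example written for this thread, not code from either poster or from Cisco. It parses the handful of PIX 6.x statements involved (`static`, `access-list`, `access-group`, `conduit`) from a config fragment and reports whether both TCP/1723 and GRE are translated and permitted inbound to the server. The two sample fragments are copied from the thread (the original static/conduit/ACL lines and the suggested fix); the regexes, the `check_pptp_passthrough` function and its findings keys are my own assumptions, and the parser deliberately ignores the `names` aliases and only recognises `access-list ... any host X` entries, so crypto-map ACLs are not counted as "unapplied".

```python
"""Check a PIX 6.x config fragment for complete PPTP passthrough to an inside server.

Added example for this thread, not the PIX's own logic. PPTP requires both the
TCP/1723 control channel and GRE (IP protocol 47) to be translated and permitted;
GRE carries no port, so a port static like "static (...) tcp A 1723 B 1723" leaves
GRE terminating on the PIX outside address instead of the inside server.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Minimal patterns for the statements that matter here (assumed forms, PIX 6.x syntax).
STATIC_PORT = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_FULL = re.compile(r"^static \(\w+,\w+\) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")
ACL = re.compile(r"^access-list (\S+) permit (\w+) \S+ host (\S+)(?: eq (\d+))?")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")
CONDUIT = re.compile(r"^conduit permit (\w+) host (\S+)(?: eq (\d+))? \S+")

Permit = Tuple[str, str, Optional[str]]  # (protocol, destination host, port or None)

# Fragment taken from the original poster's config (only the PPTP-relevant lines).
POSTED_FRAGMENT = """
static (inside,outside) tcp 165.121.98.214 1723 10.5.1.210 1723 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 165.121.98.214 eq 1723 any
conduit permit gre host 165.121.98.214 any
access-list 101 permit tcp any host 165.121.98.214 eq 1723
access-list 101 permit gre any host 165.121.98.214
"""

# Fragment taken from the reply's suggested configuration.
SUGGESTED_FRAGMENT = """
static (inside,outside) 111.111.111.112 10.0.0.1
access-list 100 permit tcp any host 111.111.111.112 eq 1723
access-list 100 permit gre any host 111.111.111.112
access-list 100 permit icmp any host 111.111.111.112
access-group 100 in interface outside
"""


def check_pptp_passthrough(config: str, inside_server: str) -> Dict[str, object]:
    """Return findings on whether PPTP (TCP/1723 + GRE) can reach inside_server."""
    full_static: Optional[str] = None            # public IP mapped 1:1 to the server
    port_statics: List[Tuple[str, str, str]] = []  # (proto, public IP, public port)
    acls: Dict[str, List[Permit]] = {}           # ACL name -> parsed permit entries
    applied: Set[str] = set()                    # ACLs bound inbound on "outside"
    conduits: List[Permit] = []

    for raw in config.splitlines():
        line = raw.strip()
        if (m := STATIC_FULL.match(line)) and m.group(2) == inside_server:
            full_static = m.group(1)
        elif (m := STATIC_PORT.match(line)) and m.group(4) == inside_server:
            port_statics.append((m.group(1), m.group(2), m.group(3)))
        elif (m := ACL.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif (m := ACCESS_GROUP.match(line)) and m.group(2) == "outside":
            applied.add(m.group(1))
        elif (m := CONDUIT.match(line)):
            conduits.append((m.group(1), m.group(2), m.group(3)))

    # Effective inbound permits: conduits plus entries of ACLs actually bound to outside.
    permits: List[Permit] = list(conduits)
    for name in applied:
        permits.extend(acls.get(name, []))

    tcp_static = next((s for s in port_statics if s[0] == "tcp" and s[2] == "1723"), None)
    public = full_static or (tcp_static[1] if tcp_static else None)

    def permitted(proto: str, port: Optional[str]) -> bool:
        # GRE has no port, so only protocol and destination are compared for it.
        return any(p == proto and d == public and (proto != "tcp" or pt == port)
                   for p, d, pt in permits)

    findings: Dict[str, object] = {
        "public_ip": public,
        "tcp1723_translated": full_static is not None or tcp_static is not None,
        "gre_translated": full_static is not None,   # a port static cannot carry GRE
        "tcp1723_permitted": public is not None and permitted("tcp", "1723"),
        "gre_permitted": public is not None and permitted("gre", None),
        "unapplied_acls": sorted(set(acls) - applied),  # parsed ACLs no access-group binds
    }
    reasons: List[str] = []
    if not findings["tcp1723_translated"]:
        reasons.append(f"no static translates TCP/1723 to {inside_server}")
    if not findings["gre_translated"]:
        reasons.append(f"GRE is not translated to {inside_server}: only a port static exists, "
                       "so GRE terminates on the PIX address itself")
    if not findings["tcp1723_permitted"]:
        reasons.append("TCP/1723 is not permitted inbound to the public address")
    if not findings["gre_permitted"]:
        reasons.append("GRE is not permitted inbound to the public address")
    findings["reasons"] = reasons
    findings["ok"] = not reasons
    return findings


if __name__ == "__main__":
    for label, cfg, server in (("posted", POSTED_FRAGMENT, "10.5.1.210"),
                               ("suggested", SUGGESTED_FRAGMENT, "10.0.0.1")):
        result = check_pptp_passthrough(cfg, server)
        print(label, "OK" if result["ok"] else "FAIL", result["reasons"],
              "unapplied ACLs:", result["unapplied_acls"])
```

Run against the posted fragment the checker finds TCP/1723 and GRE both permitted by the conduits, yet reports GRE as untranslated because the only static is a TCP port mapping; it also lists access-list 101 as never bound with `access-group`, which is why those two ACL lines change nothing. The suggested fragment passes all four checks.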