Please...Answer this one !

Status
Not open for further replies.

Slingky

IS-IT--Management
Mar 4, 2003
67
CA
I want PPTP to pass through my PIX 501 firewall.

Only have one external IP address.

outside ip x.197.166.66
inside ip 192.168.1.4

windows 2000 vpn server ip 192.168.1.1

I already had some ports opened and forwarded to 192.168.1.1

but now I want VPN access from anywhere in the world to the VPN server.

I added these lines:

access-list outside_access_in permit tcp any host x.197.166.66 eq 1723

static (inside,outside) tcp interface 1723 192.168.1.1 1723 netmask 255.255.255.255 0 0


and I know it's OK cause I can connect to port 1723 via telnet.

but now I need GRE routing, so I added:

access-list outside_access_in permit gre any host x.197.166.66

then

static (inside,outside) x.197.166.66 192.168.1.1 netmask 255.255.255.255 0 0


but when I add the last line, PPTP works but NAT stops functioning...
nobody is able to access the internet anymore except the server at 192.168.1.1

I understand this is a one-to-one translation, but what's next:
I think I have these 2 solutions, am I right?
(cause I have PIX 6.2)

1. order a second ip address from my isp and put it in the pix config then do the static mapping on this new address.

2. upgrade to pix 6.3


But the problem with solution 2 is I don't want to pay to register at cisco.com and get the upgrade, so if somebody could help me get the 6.3 software... he/she will be welcome.

For solution 1, could you just give me the config lines to add to the router to add the second IP address, so I will be able to make the static mapping after that.


Thanks for reading and answering this post.
 
You are right about your options...
For number one:

static (inside,outside) <new-ip> 192.168.1.1 netmask 255.255.255.255
access-list outside_access_in permit tcp any host <new-ip> eq 1723
access-list outside_access_in permit gre any host <new-ip>


For the second option... sorry but I can't help you, if it was up to me I would buy a smartnet.
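
The two failure modes discussed above, as an added example that is not part of the original posts and is not Cisco tooling: a small Python check over the thread's `static` and `access-list` lines that flags a one-to-one static placed on the outside interface address and a `permit gre` entry whose target has only a port redirect. The function name `audit_pix`, the finding labels and the address 203.0.113.10 standing in for `<new-ip>` are assumptions; the checks model the PIX 6.2 behaviour the poster reports.

```python
# Added example: lint the static/access-list lines discussed in this thread.
# audit_pix() and the finding labels are hypothetical, not Cisco tooling.

def audit_pix(config, outside_ip):
    """Return findings for the two PIX 6.2 failure modes described in the thread."""
    full_statics = set()  # global addresses mapped one-to-one to an inside host
    gre_targets = set()   # destination hosts named in 'permit gre' entries
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "static":
            if tok[2] in ("tcp", "udp"):
                continue  # port redirect: forwards one TCP/UDP port only
            full_statics.add(tok[2])  # static (in,out) <global> <local> ...
        elif len(tok) >= 7 and tok[0] == "access-list" and tok[2:4] == ["permit", "gre"]:
            if tok[-2] == "host":
                gre_targets.add(tok[-1])
    findings = []
    if outside_ip in full_statics:
        # The poster's symptom: only the mapped server keeps Internet access.
        findings.append(f"PAT-CONFLICT: one-to-one static uses interface address {outside_ip}")
    for dst in sorted(gre_targets - full_statics):
        # GRE has no ports, so a tcp/udp port redirect cannot deliver it.
        findings.append(f"GRE-NO-STATIC: gre permitted to {dst} with no one-to-one static")
    return findings

# Lines quoted from the question (first octet masked as on the page).
STEP1 = """\
access-list outside_access_in permit tcp any host x.197.166.66 eq 1723
static (inside,outside) tcp interface 1723 192.168.1.1 1723 netmask 255.255.255.255 0 0
access-list outside_access_in permit gre any host x.197.166.66
"""
STEP2 = STEP1 + "static (inside,outside) x.197.166.66 192.168.1.1 netmask 255.255.255.255 0 0\n"
# The answer's option 1, with constructed address 203.0.113.10 standing in for <new-ip>.
OPTION1 = """\
static (inside,outside) 203.0.113.10 192.168.1.1 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_access_in permit gre any host 203.0.113.10
"""

if __name__ == "__main__":
    for name, cfg in (("STEP1", STEP1), ("STEP2", STEP2), ("OPTION1", OPTION1)):
        print(name, audit_pix(cfg, "x.197.166.66") or "no findings")
```
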
 
thanks themut !

thanks for the code... but I mean I want the code to add the new IP to the outside config...
please may somebody give that code...

btw, how much for a smartnet account?
 
I am not sure how much but it shouldn't be more than $100 for a 501.
 
if I get PIX 6.3 and upgrade...

will the PIX lose the config and I will have to reenter it?
 
Nope, you shouldn't lose your configuration, but it is a smart idea to back it up just in case something goes wrong.
 
ok, 2 more things:

1. how do I back up the config?
(is it just by doing a copy-paste from the terminal window to a text file? if not, how to back up and restore config files?)

2. I currently access a Windows server from outside by Terminal Services cause I forwarded port 3389 on the firewall... I want to know if it's possible to upgrade the OS to 6.3 by telnet?
 