Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PPTP PAT behind Pix 6.3(4)

Status
Not open for further replies.
fruni

fruni

MIS
Sep 26, 2002
51
IN
Hi friends,
I have a problem with PPTP PAT. I have a lot of MS PPTP clients who connects outside through my PIX 520 box.As i have 3 ISPs i wanted to prioritize the traffic based on the applications that internal users use. I was success full in doing so except for the PPTP client connection.
(I have pptp fixup on 1723 enabled :) )
when i use
nat (inside) 1 xx.xx.xx.xx mm.mm.mm.mm
everything seems to work fine with pptp.

But if u use access list instead of directly giving the IP block i run into problems. say if i define :

access-list test line 1 permit ip host 10.250.100.19 any
and then do
nat (inside) 1 access-list test 0 0

this is not working.. i get caught at the authetication phase (verifying user name and password) for some time and no luck.
I tried to enable debug on pptp fixup and have found weird thing in the later scenario.
----------------------------------------
PPTP start-control-request: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
72: PPTP start-control-reply: (inside:10.250.100.19/2222 <- outside:1.1.1.1/1723)
73: PPTP outgoing-call-request: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
74: PPTP outgoing-call-reply: (inside:10.250.100.19/2222 <- outside:1.1.1.1/1723)
ERROR: fail to allocate GRE connections
tcpseq: rexmit packet seq=2633595847, snd_next=2633596015, window (2633595847-2633661226)
75: PPTP outgoing-call-request: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
tcpseq: rexmit packet seq=619139435, snd_next=619139467, window (619139435-619204814)
76: PPTP outgoing-call-reply: (inside:10.250.100.19/2222 <- outside:1.1.1.1/1723)
77: PPTP set-link-info: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
78: PPTP set-link-info: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
79: PPTP clear-request: (inside:10.250.100.19/2222 <- outside:1.1.1.1/1723)
80: PPTP disconnect-notify: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
81: requesting gre CID 49152 removal
82: PPTP unknown-message: (inside:10.250.100.19/2222 -> outside:1.1.1.1/1723)
83: PPTP unknown-message: (inside:10.250.100.19/2222 <- outside:1.1.1.1/1723)
--------------------------------------
You can see the ERROR generated telling cannot allocate GRE blah blah..
i would ideally like to have access list with 1723/protocol 47 combinely PATted with a particular ISP..

Any one come across such problem.. or having a clue on what the problem could be.. please help me..
The first thing i can think of it is as a possible BUG in the software.. :-(

I am really struck up guys..
please help...............................


Thanks & Regards
Manoj.T.K






 
Sort by date Sort by votes
Remember "clear xlate" after changing nat/global settings. Also i believe that fixup pptp gives you one, and only one concurrent PPTP session out when using PAT translation.


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Upvote 0 Downvote
with out access-list i am able to do multiple session anyway.. but my problem is doing with access-list :( , i have done.. clear xlate also
 
Upvote 0 Downvote
Well, that makes sense, the acl test you created is used for Policy NAT'ing in your case which means only 10.250.100.19 is nat'ed to the corresponding global statement (global (outside) 1 ) You need to decide what nat'ing you want to do.

Doing : nat (inside) 1 xx.xx.xx.xx mm.mm.mm.mm
will nat everything to the address(es) defined in global 1
Doing : nat (inside) 1 access-list test
will nat 10.250.100.19 to global 1 when going anywhere



Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Upvote 0 Downvote
Yeah , exacly i want to do policy NATing. Actually i want to NAT [serivce 1723/ protocol 47(gre)] selectively with a particular global IP which will send the traffic on to a high priority ISP. When i do a policy NAT, then i am getting errror with Tunnel initiation. I have already pasted above in the previous one the DEBUG info on the same :(
 
Upvote 0 Downvote
Well, as i said, your acl is wrong if more than one person is to be nat'ed with that specific address. You should add all ips on your inside that needs this access.



Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Upvote 0 Downvote
Hi dopehead,
I have put that acl as a test case and even its not working for that single IP :( . I first tried with the whole network then at last converged to test this typycal host.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
61
xwray
xwray
raist3001
  • Locked
  • Question
Unable to remote into PBX behind Sonicwall TZ-190
Replies
1
Views
69
fojin
fojin
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
69
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
137
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
55
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top