
setting a GRE

Status
Not open for further replies.

Factor42 (IS-IT--Management), GB
Jan 23, 2003
Please help.
I have a tiny VPN server inside my firewall which requires access for VPN authentication from the outside (internet).
I know this is quite a mad thing to do considering my 515 has a VPN facility on it but I am following orders :)

I have managed to set the incoming TCP port of 1723 in an inbound access-list but I don't know how to set a GRE for port 47.

Can someone help me? Using v6.2. Thanks.
 
GRE is a protocol, not a port, so just specify the protocol number in the permit statement like this:

access-list inbound permit 47 any host xxx.xxx.xxx.xxx

I believe you can also use "gre" instead of "47", but I'm not positive.
 
I'm seeing no gre in the list:

bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, rpc, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and www.

Note: PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.

Note: PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, you will need to reconfigure it to listen on ports 1645 and 1646.

Permitted UDP literal names are biff, bootpc, bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp, time, who, and xdmcp.

 
Try typing this

conduit permit gre any any

just to see if it will accept gre...
 
Try something like this for an access-list:
access-list fromout permit tcp any host 1.2.3.4 eq 1723
access-list fromout permit gre any host 1.2.3.4

Port 1723 is for PPTP

hope this helps,
-gbiello
 
Hello again!

Well, this is getting interesting, as I have read conflicting Cisco docs that denote use of the "gre" statement within an access-list command.

Your statement, tbissit, of using just the following:

access-list inbound permit 47 any host xxx.xxx.xxx.xxx

... did work! But unfortunately it hangs on "Verifying username and password" for the client connecting in from the internet. Am I missing something?

Thanks again in advance you guys!
 
Inbound access-list needs to include:
access-list 100 permit gre any host 204.198.x.x
access-list 100 permit tcp any host 204.198.x.x eq 1723

Outbound access-list needs to include:
access-list inside permit tcp host 192.168.1.10 any eq 1723
access-list inside permit gre host 192.168.1.10 any

NAT enabled, server static mapping:
204.198.x.x -> 192.168.1.10
 
Hmmm, well I have given that a go, thanks NOktar for your tip, however it's still hanging on "Verifying Username and Password".
Can't think what I could be missing.
Here's my (very basic, I know!) config file ...

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DH8y86c6Qv/f63q7 encrypted
passwd DH8y86c6Qv/f63q7 encrypted
hostname pix515
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
object-group protocol vpnuseonly
protocol-object gre
access-list inbound permit tcp any host 62.49.XXX.XXX eq smtp
access-list inbound permit tcp any host 62.49.XXX.XXX eq 4899
access-list inbound permit tcp any host 62.49.XXX.XXX eq 3389
access-list inbound permit tcp any host 62.49.XXX.XXX eq www
access-list inbound permit tcp any host 62.49.XXX.XXX eq 1723
access-list inbound permit gre any host 62.49.XXX.XXX
access-list inside permit icmp any any echo-reply
access-list inside permit tcp host 192.168.1.2 any eq 1723
access-list inside permit gre host 192.168.1.2 any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 62.49.XXX.XXX 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 62.49.32.156
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp 62.49.XXX.XXX smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 4899 192.168.1.1 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 3389 192.168.1.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 47 192.168.1.2 47 netmask 255.255.255.255 0 0
access-group inbound in interface outside
conduit permit tcp host 62.49.XXX.XXX eq smtp any
route outside 0.0.0.0 0.0.0.0 62.49.XXX.XXX 1
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:8462006e15eb4addead2c21941f1023c
: end
[OK]
-----------------------


So what could it possibly be?? I've configured firewalls for this facility before but not a Cisco PIX. I thought I had everything in place?
Thanks again in advance!
 
You need to bind "access-list inside" to the low security interface. Just add:
access-group inside in int inside
 
Hi.

> static (inside,outside) tcp 62.49.XXX.XXX 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0

This can't work, because you also need to statically map the GRE protocol, not only TCP port 1723.
This cannot be done with port mapping (static tcp), so you will need to use a dedicated IP address mapping for the VPN server:

static (inside,outside) x.x.x.x 192.168.1.2


> conduit permit tcp host 62.49.XXX.XXX eq smtp any
It is not recommended to use both access-list and conduit commands.

Bye
Yizhar Hurwitz
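As an added check (my own Python, not code from the thread or from Cisco), the function below walks a PIX 6.2 config excerpt and reports the gaps the replies above identified for PPTP passthrough: GRE (protocol 47) and TCP 1723 missing from the inbound access-list, no one-to-one static for the VPN server (a `static tcp` on "port 47" cannot carry GRE), an access-list never applied with `access-group`, and conduit mixed with access-list. The sample config is a constructed excerpt modelled on the one posted, with the poster's masked address kept as written; the function name and messages are my own.

```python
import re

# Constructed excerpt modelled on the PIX 6.2 config posted in the thread;
# the masked 62.49.XXX.XXX address is kept exactly as the poster wrote it.
POSTED = """
access-list inbound permit tcp any host 62.49.XXX.XXX eq 1723
access-list inbound permit gre any host 62.49.XXX.XXX
access-list inside permit tcp host 192.168.1.2 any eq 1723
access-list inside permit gre host 192.168.1.2 any
static (inside,outside) tcp 62.49.XXX.XXX 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 62.49.XXX.XXX 47 192.168.1.2 47 netmask 255.255.255.255 0 0
access-group inbound in interface outside
conduit permit tcp host 62.49.XXX.XXX eq smtp any
"""

def check_pptp_passthrough(config, outside_ip, server_ip):
    """Return the problems that leave a PPTP client stuck after TCP 1723 opens."""
    acls, bound, port_static, full_static, conduit = {}, set(), [], False, False
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) permit (\S+) (.+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))   # name -> (proto, rest)
        elif m := re.match(r"access-group (\S+) in int(?:erface)? \S+", line):
            bound.add(m[1])
        elif m := re.match(r"static \(inside,outside\) (tcp|udp) \S+ (\S+) (\S+) \S+", line):
            port_static.append((m[1], m[2], m[3]))           # (proto, global port, local ip)
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+)", line):
            full_static = full_static or (m[1], m[2]) == (outside_ip, server_ip)
        elif line.startswith("conduit "):
            conduit = True
    findings = []
    inbound = acls.get("inbound", [])
    if not any(p in ("gre", "47") and r == f"any host {outside_ip}" for p, r in inbound):
        findings.append("inbound ACL does not permit GRE (protocol 47) to the server")
    if not any(p == "tcp" and r == f"any host {outside_ip} eq 1723" for p, r in inbound):
        findings.append("inbound ACL does not permit TCP 1723 (PPTP control) to the server")
    if not full_static:
        findings.append("no one-to-one static for the VPN server: a port static (tcp/udp) cannot carry GRE")
    if any(proto == "tcp" and port == "47" for proto, port, _ in port_static):
        findings.append("'static tcp ... 47' maps TCP port 47, not GRE; remove it")
    for name in acls:
        if name not in bound:
            findings.append(f"access-list {name} is not applied with access-group")
    if conduit and acls:
        findings.append("conduit and access-list are both in use; use one mechanism")
    return findings
```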
 