Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Pass-through - 721 error

Status
Not open for further replies.
Dyehouse1

Dyehouse1

MIS
Sep 24, 2002
43
0
0
GB
I am trying to get the PIX to allow me to VPN pass-through to my RAS server on the inside interface. It gets as far as verifying username and password and then times out after about 30 seconds with a 721 not responding error.

I am guessing this is a GRE problem however I have experimented with letting it through on the outside interface but still the same result. Anyone got any ideas?

My settings are as follows:

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password aqUd5fpvTbYGCrNf encrypted
passwd xxx encrypted
hostname PIXfirewall
domain-name uk.pas.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit tcp any host 212.240.1xx.18 eq 1723
access-list outside_access_in permit tcp any host 212.240.1xx.19 eq 443
access-list outside_access_in permit tcp any host 212.240.1xx.18 eq pop3
access-list outside_access_in permit tcp any host 212.240.1xx.18 eq smtp
access-list outside_access_in permit tcp any host 212.240.1xx.18 eq 143
access-list outside_access_in permit tcp any host 212.240.1xx.20 eq www
access-list outside_access_in permit tcp any host 212.240.1xx.19 eq ftp
access-list outside_access_in permit tcp any host 212.240.1xx.22 eq www
access-list outside_access_in permit tcp any host 212.240.1xx.22 eq 98
access-list dmz_access_in permit tcp host 192.168.1.2 host 10.99.99.12 eq 1433
access-list dmz_access_in permit tcp host 192.168.1.2 eq smtp host 10.99.99.7 eq smtp
access-list dmz_access_in permit tcp host 192.168.1.4 eq smtp host 10.99.99.7 eq smtp
access-list dmz_access_in permit tcp host 192.168.1.5 eq smtp host 10.99.99.7 eq smtp
access-list inside_access_in permit ip any any
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.1xx.18 255.255.255.240
ip address inside 10.3.3.4 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.250.250.250 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location 10.99.99.7 255.255.255.255 inside
pdm location 10.99.99.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 dmz
pdm location 192.168.1.3 255.255.255.255 dmz
pdm location 192.168.1.5 255.255.255.255 dmz
pdm location 192.168.1.4 255.255.255.255 dmz
pdm location 10.99.99.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1xx.19 443 10.99.99.7 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 143 10.99.99.7 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1xx.20 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1xx.19 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1xx.22 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1xx.22 98 192.168.1.5 98 netmask 255.255.255.255 0 0
static (inside,dmz) 10.99.99.12 10.99.99.12 netmask 255.255.255.255 0 0
static (inside,dmz) 10.99.99.7 10.99.99.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 212.240.134.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.250.250.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.250.250.250 /PIX
floodguard enable
no sysopt route dnat
telnet 10.250.250.250 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:e0b2e3c7089706039107ee172189bdfe
: end
 
Sort by date Sort by votes
I have just been trawling through the forum (why is searching still off?) and I think I need to add an additional mapping to an external IP address that isnt being used for anything else so that GRE can get through. With this set I am presuming that all I have to do is point my external clients at the NEW external VPN server address and everything is working again?

I won't get to test till later so if someone can allay my fears and OK me on this one it would be great.
 
Upvote 0 Downvote
Open protocol 47 (GRE) on your ACL. Hope this helps!
 
Upvote 0 Downvote
HI.

> I think I need to add an additional mapping to an external IP address that isnt being used for anything else so that GRE can get through ...
Yes, that's the way to go.

You will need to remove conflicting "static tcp" statements.

static (inside,outside) 212.240.1xx.20 10.99.99.3
access-list outside_access_in permit tcp any host 212.240.1xx.20 eq 1723
access-list outside_access_in permit gre any host 212.240.1xx.20

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
correct me if I am wrong but I thought I would need those lines in order to let through the PPTP (1723) and the GRE on the same IP address to the RAS server. Internal 10.99.99.3 external 212.240.1XX.20 as stated in them lines?


If not what am I meant to do?
 
Upvote 0 Downvote
You stated in your previous answer that I should remove the following lines:

static (inside,outside) 212.240.1xx.20 10.99.99.3
access-list outside_access_in permit tcp any host 212.240.1xx.20 eq 1723
access-list outside_access_in permit gre any host 212.240.1xx.20


I thought that I would need these lines (well at least a couple) as I need to forward the GRE and the PPTP (1723) to the correct addresses. If I am to use 212.240.1XX.20 as my VPN address externally then surely I need to setup the static to route to my internal VPN address as follows:

static (inside,outside) 212.240.1xx.20 10.99.99.3

212.240.1XX.20 being the external and 10.99.99.3 being the internal VPN. Then I will need to forward the PPTP protocol using:

access-list outside_access_in permit tcp any host 212.240.1xx.20 eq 1723

then finally allow the GRE to the same address as well:

access-list outside_access_in permit gre any host 212.240.1xx.20

These make up the 3 lines you state that I will have to remove. What lines should I use to allow the mapping and the 2 rules for forwarding the appropriate PPTP and GRE packets?

Many thanks
 
Upvote 0 Downvote
HI.

> You stated in your previous answer that I should remove the following lines
No, you got me wrong.
I ment that:
1) You will need to remove some conflicting static statements.
2) You will need to add something like the following ...

Here is a rephrased version of my previous answer from Jan 24:

You will need to remove conflicting "static tcp" statements from your configuration,

and then choose an unused registered ip address (I will use now 212.240.1xx.29 unlike the previous post) and map it to the internal VPN server:

static (inside,outside) 212.240.1xx.29 10.99.99.3
access-list outside_access_in permit tcp any host 212.240.1xx.29 eq 1723
access-list outside_access_in permit gre any host 212.240.1xx.29

The VPN clients will then connect to 212.240.1xx.29

It's only a small syntax which makes the difference, I used a period, and you have read it as a colon...
Sorry that I confused you.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
148
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
71
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
173
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
53
WhosYourDiffie
WhosYourDiffie
ChrisFairley
  • Locked
  • Question
Downloads failing through ASA 5520
Replies
1
Views
49
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top