VPN Passthrough to Win2K RRAS

[bhansen32]

I'm trying to configure a PIX 506 for VPN passthrough to a Windows 2000 server running RRAS. I have attached a copy of the config on my pix as so far. I also have multiple VPN's setup between other remote sites that all work without any problem. I want to have the ability to VPN into my network when i'm away from the office. Any suggestions would be highly appreciated.

Thank You in advance

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list fwinout permit tcp any host 63.xxx.xxx.82 eq smtp
access-list fwinout permit tcp any host 63.xxx.xxx.82 eq https
access-list fwinout permit tcp any host 63.xxx.xxx.82 eq 3389
access-list fwinout permit icmp any any echo-reply
access-list fwinout permit icmp any any time-exceeded
access-list fwinout permit icmp any any unreachable
access-list vpnin permit gre any host 63.xxx.xxx.83
access-list vpnin permit tcp any host 63.xxx.xxx.83 eq 1723
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 63.xxx.xxx.81 255.255.xxx.xxx
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 63.xxx.xxx.82 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) 63.xxx.xxx.83 192.168.0.1 netmask 255.255.255.255 0 0
access-group fwinout in interface outside
access-group vpnin in int outside
route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer xxx.xxx.xxx.xxx
crypto map outside_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer xxx.xxx.xxx.xxx
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer xxx.xxx.xxx.xxx
crypto map outside_map 80 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

 

[haknwak]

bhansen32 we wnet through this very circumstance. It can be done but you need to open multiple ports to your win2K box. We decided to NOT run the win2K vpn through the PIX. We locked that machine down as tight as possible, disabbled ICMP, and run it live on the 'net.

Stupid maybe but I seem to remember you had to open up a rediculous number of ports in the PIX.

 

[haknwak]

from

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/VPN.asp

"Figure 3 shows the wizard dialog box in which you choose a protocol. Microsoft included two VPN protocols with Win2K Server: PPTP and Layer 2 Tunneling Protocol (L2TP). Microsoft developed PPTP, which Internet Engineering Task Force (IETF) Request for Comments (RFC) 2637 defines, and released it with NT 4.0 in 1996. PPTP uses TCP port 1723 and IP protocol 47 (Generic Routing Encapsulation—GRE). At about the same time, Cisco Systems developed the Layer 2 Forwarding (L2F) VPN protocol for use on its devices. Eventually, Microsoft and Cisco combined their respective protocols to form L2TP (RFC 2661), which uses UDP ports 500 and 1701. I prefer L2TP to PPTP because the former relies on IP Security (IPSec) for its encryption routines instead of Microsoft Point-to-Point Encryption (MPPE). However, according to Microsoft's online Help files, PPTP is a bit easier to set up, so in this example, let's use PPTP."

And here is a tek-tips thread on the subject

http://www.tek-tips.com/viewthread.cfm?spid=463&newpid=463&sqid=283636

 

[haknwak]

"There is currently no Microsoft provided virtual private network (VPN) client that works with Cisco PIX Firewall. Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT 4.0 and Windows 2000 PPTP should work if your Cisco PIX PPTP implementation supports user ID/password user authentication. Cisco's PIX PPTP is not expected to include Extensible Authentication Protocol, so certificate-based user authentication by using a smart card is not supported. Because L2TP is not currently supported by Cisco PIX, L2TP/IPSec in Windows 2000 does not work as a remote access client to the PIX.

The following excerpt is from Cisco's Web site:
Cisco VPN Client
Cisco will license technology from third-party supplier, Information Resource Engineering (NASDAQ/NM: IREG), to deliver a VPN client to customers.

For updated information, please check the following Cisco Web site:

http://www.cisco.com/warp/public/146/pressroom/1999/may99/1.html

This from Microsoft 10 2002 at

http://support.microsoft.com/?kbid=249576

 

[bhansen32]

I found even a better solution to this issue which is just setting up a VPN to the PIX using the PDM VPN wizard. This creates a Micrososft based client VPN and works great.

 

[haknwak]

bhansen32 - please share your info source?? Any web site info? Care to share the resulting VPN config? Also scuse my ignorance - being strictly a command line guy - what is the PDM VPN wizard? "If you lived here, you'd be home by now!"

George Carlin