VPN server behind PIX!

JackyZhang

Technical User
Aug 1, 2002
113
CA


A Microsoft Windows 2000 Server is behind a PIX, and the W2K box works as the VPN server. A remote user tries to connect to this W2K VPN server with the Microsoft VPN client. The message "verifying username and password" is displayed, then it waits there for a while and then gives an error message.


I configured the PIX501 as follows for the VPN server behind the PIX:


access-list forvpn permit tcp any host IP_of_outside_Nic_of_PIX eq 1723
access-list forvpn permit gre any host IP_of_outside_Nic_of_PIX
static (inside,outside) tcp IP_of_outside_Nic_of_PIX 1723 IP_VPN 1723
access-group forvpn in interface outside




MCSE, MCP+Internet, CNE
 
HI.

This cannot work because the pix will not forward GRE traffic to the VPN server (no static for it).

For this you need to use a different dedicated registered IP address that will be mapped (static) to the VPN server as a normal static and not only a specific port - do not use "static tcp" for this.

Bye
Yizhar Hurwitz
 
Do we need to set up RIP in the PIX?


MCSE, MCP+Internet, CNE
 
So far, we have already set up the VPN function of the PIX501; that means the PIX501 itself works as a VPN server, and end users can connect to the PIX501 with the Cisco VPN Client and so can access the internal network.
Somehow, on one PC, we installed the Cisco VPN Client and tested it; everything worked fine with no problem, but after we shipped it to the remote site, it cannot connect to the PIX through the VPN client. We have already tested everything we know, and even called Cisco, but still cannot solve the problem. That is why we are thinking about an MS VPN server for this remote site temporarily. We will keep the PIX501 as a VPN server as well, and at the same time we want to set up an MS VPN server behind it, so we can access the private network either way.

The problem is when I try to do the following:

access-list forvpn permit tcp any host IP_of_outside_Nic_of_PIX eq 1723
access-list forvpn permit gre any host IP_of_outside_Nic_of_PIX
static (inside,outside) IP_of_outside_Nic_of_PIX IP_VPN
access-group forvpn in interface outside

The PIX501 VPN doesn't work, and when we take away the "static", it works. I haven't tested whether the MS VPN works or not, because this is a holiday; I will go back to the office to test it.


MCSE, MCP+Internet, CNE
 
The connection is like the following:

Internet ---- CISCO 827 Router ---PIX501--Switch--...

IP range: x.x.x.192-199 netmask 255.255.255.248
IP of PIX501: x.x.x.198
IP of CISCO 827: x.x.x.193

If I set up a different IP address for the MS VPN server behind the firewall, say x.x.x.197, how does the Cisco 827 know to route x.x.x.197 to the PIX501 (x.x.x.198)?

The Cisco 827 belongs to our ISP; they don't allow us to get into it and set up a static route in it.


MCSE, MCP+Internet, CNE
 
HI.

> IP range: x.x.x.192-199 netmask 255.255.255.248
This probably means that the router and other ISP routers along the path are configured to forward traffic for these addresses to your network (actually the router will ARP for these addresses).
Once you configure a STATIC at the PIX, the PIX will do proxy-ARP (answer ARP requests) for that address and so will receive traffic for it from and to the 827 router.

Just don't use the 192 and 199 addresses, as these are the network and broadcast addresses of your subnet. 197 should be fine unless the PIX uses it for something else.

Bye
Yizhar Hurwitz
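The three PIX configurations posted in this thread can be checked mechanically against the two points Yizhar makes (GRE needs a full static, not a "static tcp", and the mapped address must be a spare usable host in the /29, not the PIX's own outside address). The script below is an added example, not from the thread or from Cisco; it substitutes TEST-NET-3 (203.0.113.x) for x.x.x and 10.0.0.5 for IP_VPN.

```python
import ipaddress
import re

# Constructed PIX snippets modelled on the thread (x.x.x -> 203.0.113, IP_VPN -> 10.0.0.5).
# First: the original port-level "static tcp". Second: a full static on the PIX's own
# outside address (.198). Third: a full static on a spare address in the /29 (.197).
PORT_STATIC_CFG = """\
access-list forvpn permit tcp any host 203.0.113.198 eq 1723
access-list forvpn permit gre any host 203.0.113.198
static (inside,outside) tcp 203.0.113.198 1723 10.0.0.5 1723
access-group forvpn in interface outside
"""
PIX_IP_STATIC_CFG = PORT_STATIC_CFG.replace(
    "static (inside,outside) tcp 203.0.113.198 1723 10.0.0.5 1723",
    "static (inside,outside) 203.0.113.198 10.0.0.5")
SPARE_IP_STATIC_CFG = PIX_IP_STATIC_CFG.replace("203.0.113.198", "203.0.113.197")

# Minimal parsers for the two PIX line shapes used in the thread (not a full PIX grammar).
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?:(?P<proto>tcp|udp) )?(?P<global>\S+)"
                       r"(?: \d+)? (?P<local>\S+)(?: \d+)?\s*$")
ACL_RE = re.compile(r"^access-list \S+ permit (?P<proto>\S+) any host (?P<dst>\S+)"
                    r"(?: eq \d+)?\s*$")


def check_pptp_passthrough(cfg, subnet, pix_outside_ip):
    """Return a list of findings; an empty list means the config follows the thread's advice."""
    net = ipaddress.ip_network(subnet)
    pix_ip = ipaddress.ip_address(pix_outside_ip)
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    statics = [m.groupdict() for m in map(STATIC_RE.match, lines) if m]
    acls = [m.groupdict() for m in map(ACL_RE.match, lines) if m]
    findings = []
    for acl in acls:
        if acl["proto"] != "gre":
            continue
        # GRE (IP protocol 47) has no ports, so only a protocol-agnostic static can translate it.
        if not any(s["global"] == acl["dst"] and s["proto"] is None for s in statics):
            findings.append(f"GRE permitted to {acl['dst']} but only a port static maps it")
    for s in statics:
        if s["proto"] is not None:
            continue
        g = ipaddress.ip_address(s["global"])
        if g == pix_ip:
            findings.append("full static on the PIX outside address hijacks the PIX's own traffic")
        elif g not in net or g in (net.network_address, net.broadcast_address):
            findings.append(f"{g} is not a usable host address in {net}")
    return findings
```

Run it as `check_pptp_passthrough(SPARE_IP_STATIC_CFG, "203.0.113.192/29", "203.0.113.198")` to confirm the working variant yields no findings, and against the other two constants to see the two failures described in the thread.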
 
Thanks Yizhar!
It seems to work. I still have lots of things that need testing.


MCSE, MCP+Internet, CNE
 