W2K Client using VPN through Pix 515 Blocked

MatthewJones

Technical User
Sep 15, 2002
US
I am trying to configure a W2K client to access a W2k VPN Server and require a VPN connection.
The Pix 515 is blocking the connection with the following syslog message.

106010: Deny inbound protocol 47 src outside 129.41.58.130 dst inside 151.204.48.100

I could really use some help on this one as I'm really new to firewalls and need an answer to this ASAP.

Ideally - I'd like for any client inside to be able to use Win2K VPN to the outside address of 129.41.58.130.

The Pix Firewall currently has 2 connections - Inside / Outside. That's it. I can either set up a W2k VPN Server inside or on the DMZ or do it on a client by client configuration. The boss wants 1 global connection - I'll take whatever is easiest for now.

I'm supposed to be in class all next week but will get pushed out if I can resolve this between now and Monday morning!

Thanks in advance.

Matthew Jones
matthewjones@comcast.net
 
Sorry - here's my current Pix config.

Any help you can offer is appreciated.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security40
hostname dotpix1
domain-name dioceseoftrenton.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 151.204.xxx.xxx 255.255.255.xxx
ip address inside 192.168.1.30 255.255.255.0
ip address DMZ 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.0.1-192.168.0.25
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.27 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 151.204.xxx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 151.204.xxx.xxx 192.168.1.27 netmask 255.255.255.255
static (inside,outside) 151.204.xxx.xxx 192.168.1.20 netmask 255.255.255.255 0
static (inside,outside) 151.204.xxx.xxx 192.168.1.35 netmask 255.255.255.255
conduit permit icmp any any
conduit permit tcp host 151.204.xxx.xxx eq citrix-ica any
conduit permit udp host 151.204.xxx.xxx eq 1604 any
conduit permit udp host 151.204.xxx.xxx eq 1494 any
conduit permit tcp host 151.204.xxx.xxx eq 1604 any
conduit permit tcp host 151.204.xxx.xxx eq smtp any
conduit permit tcp host 151.204.xxx.xxx eq
route outside 0.0.0.0 0.0.0.0 151.204.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.82 .
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
privilege 15
terminal width 80
Cryptochecksum:e6e514ecf75f7b8c56b91540e0732fd5
 
You need to add a conduit line to permit protocol gre (number 47) from whomever needs it (or any) to the VPN machine on the inside.

Maybe like this:

conduit permit gre host 151.204.48.100 any

That would allow anyone to at least make the connection to the VPN machine.

Hope this helps.

Dan
 
Hi.

I understand that the PPTP server is on the outside and W2K client on the inside, right?

>> global (outside) 1 151.204.xxx.xxx
You're using PAT - as far as I know it won't work with the pix. You will need to give each internal PPTP client a dedicated IP address using STATIC (similar to the command used for publishing internal servers).
To support many internal PPTP clients, you can set up a PPTP proxy (i.e. a W2K server with RRAS acting as PPTP gateway) instead of giving each internal client a static ip mapping.

You should also allow incoming GRE traffic from the external VPN server:

conduit permit gre any host 129.41.58.130

Bye
Yizhar Hurwitz
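The two replies above describe the same mechanics: the PIX only accepts the inbound GRE (protocol 47) stream from the PPTP server if a conduit permits it, and the inside client needs a one-to-one static rather than the PAT address, because GRE carries no port numbers for PAT to translate. The checker below is an added example, not code from the thread or from Cisco; it parses the poster's 106010 deny line and a few constructed config lines, evaluates conduit and static entries the way the replies describe, and says what is missing for an inside PPTP client. The PAT address 151.204.48.99 and the mapping of 151.204.48.100 to 192.168.1.35 are assumptions (the posted config masks those addresses), and conduit evaluation is simplified to first match.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the keywords 'conduit' accepts (subset used here).
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
# Port names that may appear after 'eq'.
PORTS = {"pptp": 1723, "smtp": 25, "citrix-ica": 1494}

# Matches the deny line as the poster quoted it (interface, then address, optional /port).
DENY_RE = re.compile(
    r"106010: Deny inbound protocol (\d+) "
    r"src (\w+)[: ](\d+\.\d+\.\d+\.\d+)(?:/(\d+))? "
    r"dst (\w+)[: ](\d+\.\d+\.\d+\.\d+)(?:/(\d+))?"
)

@dataclass
class Conduit:
    permit: bool
    proto: int
    global_net: ipaddress.IPv4Network   # the outside (global) address being reached
    port: Optional[int]                 # destination port on that address, if given
    foreign_net: ipaddress.IPv4Network  # the outside source allowed to reach it

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_conduit(line):
    """conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN  (PIX 6.x word order)."""
    t = line.split()
    proto = PROTO[t[2]] if t[2] in PROTO else int(t[2])
    global_net, i = _addr(t, 3)
    port = None
    if t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
        i += 2
    foreign_net, _ = _addr(t, i)
    return Conduit(t[1] == "permit", proto, global_net, port, foreign_net)

def parse_statics(lines):
    """{global_ip: inside_ip} from one-to-one 'static (inside,outside) G L ...' lines."""
    out = {}
    for line in lines:
        t = line.split()
        if len(t) > 3 and t[0] == "static" and t[1] == "(inside,outside)":
            out[t[2]] = t[3]
    return out

def parse_deny(msg):
    """Pull protocol, source and destination out of a 106010 syslog line."""
    m = DENY_RE.search(msg)
    if not m:
        raise ValueError("not a 106010 deny message")
    proto, _, src, _, _, dst, dst_port = m.groups()
    return {"proto": int(proto), "src": src, "dst": dst,
            "dst_port": int(dst_port) if dst_port else None}

def inbound_permitted(conduits, proto, src, dst, dst_port=None):
    """First matching conduit decides (a simplification of PIX matching); no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in conduits:
        if c.proto not in (0, proto):
            continue
        if d not in c.global_net or s not in c.foreign_net:
            continue
        if c.port is not None and c.port != dst_port:
            continue
        return c.permit
    return False

def pptp_client_findings(config_lines, inside_client, vpn_server):
    """Why an inside PPTP client behind this config cannot reach vpn_server; [] if it can."""
    conduits = [parse_conduit(l) for l in config_lines if l.startswith("conduit ")]
    inside_to_global = {v: k for k, v in parse_statics(config_lines).items()}
    global_ip = inside_to_global.get(inside_client)
    if global_ip is None:
        return ["no static for %s: the client would leave via the PAT address, and GRE "
                "carries no port numbers for PAT to map the server's reply onto" % inside_client]
    if not inbound_permitted(conduits, 47, vpn_server, global_ip):
        return ["no conduit permits GRE (protocol 47) from %s to %s" % (vpn_server, global_ip)]
    return []

# Constructed sample: the poster's deny line plus three config variants. The addresses
# 129.41.58.130 and 151.204.48.100 are from the thread; the PAT address 151.204.48.99 and
# the mapping 151.204.48.100 -> 192.168.1.35 are assumed for the example.
DENY = "106010: Deny inbound protocol 47 src outside 129.41.58.130 dst inside 151.204.48.100"
PAT_ONLY = ["global (outside) 1 151.204.48.99", "nat (inside) 1 0.0.0.0 0.0.0.0 0 0"]
STATIC_NO_GRE = PAT_ONLY + ["static (inside,outside) 151.204.48.100 192.168.1.35 netmask 255.255.255.255"]
STATIC_WITH_GRE = STATIC_NO_GRE + ["conduit permit gre host 151.204.48.100 host 129.41.58.130"]

if __name__ == "__main__":
    print(parse_deny(DENY))
    for name, cfg in (("PAT only", PAT_ONLY), ("static, no GRE", STATIC_NO_GRE),
                      ("static + GRE", STATIC_WITH_GRE)):
        print(name, "->", pptp_client_findings(cfg, "192.168.1.35", "129.41.58.130") or "ok")
```

Running it walks the three states the thread moves through: PAT only (the poster's config), a static with no GRE conduit (still denied, as the 106010 line shows), and a static plus a GRE conduit (allowed). Both conduit spellings given in the replies, Dan's "host 151.204.48.100 any" and Yizhar's "any host 129.41.58.130", match the logged packet; the second is the tighter one because it only admits GRE from the one VPN server.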
 