Advertisement

12.22.2004 at 10:46AM PST, ID: 21251539
[x]
Attachment Details

Cisco PIX configuration to allow MS VPN client pass-through

Asked by Woodie_Weiss in Virtual Private Networking (VPN)

Tags: pix, vpn, cisco, through, allow

I need to allow clients on the inside to access Microsoft servers on the outside and browsed through EE looking for help. I upgraded our 515 to 6.3(3), added "fixup protocol pptp 1723", but I'm still missing something. Any ideas? Thanks very much, Woodie

My config:

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ff10/.rJjFWFbUUX encrypted
passwd ff10/.rJjFWFbUUX encrypted
hostname WorldWide-PIX
domain-name worldwidewines.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.55.146.54 NTP-2
name 128.10.252.10 NTP-1
name 204.60.67.0 SMC-HARTFORD
name 172.25.70.6 MAIL-SERVER
name 172.25.70.5 ALPHA-WEB
name 64.252.0.0 SBC-DSL
name 69.0.0.0 SBC-DSL-2
access-list outside_access_in permit tcp any host 204.60.95.138 eq www
access-list outside_access_in permit tcp any host 204.60.95.138 eq ftp
access-list outside_access_in permit tcp any host 204.60.95.139 eq smtp
access-list outside_access_in permit icmp any host 204.60.95.138
access-list outside_access_in permit icmp any host 204.60.95.139
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any host 204.60.95.139 eq www
access-list intf2_access_in permit icmp host ALPHA-WEB any
access-list intf2_access_in permit icmp host MAIL-SERVER any
access-list intf2_access_in permit udp host ALPHA-WEB any eq domain
access-list intf2_access_in permit udp host MAIL-SERVER any eq domain
access-list intf2_access_in permit udp host MAIL-SERVER any eq ntp
access-list intf2_access_in permit udp host ALPHA-WEB any eq ntp
access-list intf2_access_in permit tcp host ALPHA-WEB any eq ftp
access-list intf2_access_in permit tcp host ALPHA-WEB any eq www
access-list intf2_access_in permit tcp host MAIL-SERVER any eq www
access-list intf2_access_in permit tcp host MAIL-SERVER any eq smtp
access-list intf2_access_in permit tcp any any eq https
access-list intf2_access_in permit tcp host MAIL-SERVER any eq ftp
access-list VPN permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list DMZ permit ip 172.25.70.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 204.60.95.142 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address intf2 172.25.70.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool WWWpool 192.168.11.1-192.168.11.254
pdm location ALPHA-WEB 255.255.255.255 intf2
pdm location MAIL-SERVER 255.255.255.255 intf2
pdm location SBC-DSL 255.255.0.0 outside
pdm location SMC-HARTFORD 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location ALPHA-WEB 255.255.255.255 inside
pdm location MAIL-SERVER 255.255.255.255 inside
pdm location NTP-1 255.255.255.255 outside
pdm location NTP-2 255.255.255.255 outside
pdm location SBC-DSL-2 255.0.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 0 access-list DMZ
static (intf2,outside) 204.60.95.139 MAIL-SERVER netmask 255.255.255.255 0 0
static (intf2,outside) 204.60.95.138 ALPHA-WEB netmask 255.255.255.255 0 0
static (inside,intf2) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 204.60.95.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server NTP-2 source outside
ntp server NTP-1 source outside
http server enable
http SBC-DSL 255.255.0.0 outside
http SMC-HARTFORD 255.255.255.0 outside
http SBC-DSL-2 255.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set WWWset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set WWWset
crypto map WWWmap 10 ipsec-isakmp dynamic dynmap
crypto map WWWmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup ******* address-pool WWWpool
vpngroup ******* dns-server 204.60.0.2 204.60.0.3
vpngroup ******* idle-time 1800
vpngroup ******* password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet 172.25.70.0 255.255.255.0 intf2
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
banner exec                         W A R N I N G !
banner exec You must be authorized to access this network and equipment.
banner exec Unauthorized use of these systems, networks, equipment and unauthori
zed
banner exec access to computerized data are prohibited by law.
Cryptochecksum:4ab1b1cdb61aa3d07e709a05ddcffb82
: end
Start Free Trial
 
Keywords: Cisco PIX configuration to allow MS VP…
Title
1 pix VPN
2 Pix to Pix VPN
3 PIX AND ISA IPSEC VPN
4 Remote access to a Pix from a Pix prot…
5 How to configure PIX 515E for VPN …
6 VPN Concentrator behind a PIX
 
Loading Advertisement...
 
[+][-]12.22.2004 at 11:33AM PST, ID: 12886911

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]12.22.2004 at 12:01PM PST, ID: 12887109

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]12.22.2004 at 12:04PM PST, ID: 12887141

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]12.22.2004 at 12:25PM PST, ID: 12887289

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]12.22.2004 at 04:24PM PST, ID: 12888929

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zone: Virtual Private Networking (VPN)
Tags: pix, vpn, cisco, through, allow
Sign Up Now!
Solution Provided By: lrmoore
Participating Experts: 1
Solution Grade: A
 
 
[+][-]12.23.2004 at 07:07AM PST, ID: 12892773

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]12.23.2004 at 07:22AM PST, ID: 12892898

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32