Solved

Pix Firewall PPTP VPN issue

Posted on 2002-06-13
10
376 Views
Last Modified: 2008-03-17
my configuration is
internet-->netopia router-->cisco pix firewall-->client computers

I am trying to establish a VPN connection where the client computers are on the inside of the firewall and the server is outside, offsite. I can open the VPN tunnel fine, but when I enable GRE for the IP of the VPN client computer, all our sites we host here, and our mail server (which is also hosted on the inside of the firewall) no longer function. In other words, they are not accessible to anything outside the firewall.
0
Comment
Question by:erostosthenes
10 Comments
 
LVL 17

Expert Comment

by:mikecr
ID: 7077969
Okay, can you give a little more in-depth information. Please explain your current network setup. You're setting up a GRE tunnel on a Cisco PIX to a client site and whenever you bring it up you lose connectivity to servers behind the firewall, correct? This could either be a routing issue or a firewall configuration issue. If you're bringing up a GRE tunnel and assigning it an IP, you will evidently be routing thru this tunnel. You may want to configure the PIX so that it only allows traffic from one machine to get thru the tunnel and test it from there. Check your route tables to make sure that nothing is attempting to use the tunnel when it is brought up. If you're using any dynamic protocols like EIGRP or OSPF, make sure that you exempt that interface from the routing table while you're testing.
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 75 total points
ID: 7078236
GRE typically requires a one-to-one NAT - no PAT involved.  If you are hosting all of those services by using PAT to redirect ports off of a single IP address and then you NAT that address directly to one single inside IP for the purpose of GRE, you will kill all the PAT statements.  Do you only have one outside (public) address or is there a block of addresses that you can use?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7078448
I think Scraig84 has hit it on the head, it does sound like you are doing PAT and the PIX definitely requires a one to one NAT per client machine for GRE.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7078463
I second geoffryn's motion that scraig84 hit the nail on the head.
0
 

Author Comment

by:erostosthenes
ID: 7079044
Actually we are using both. There is a list of IPs for use on NAT, and in the case of overflow, there is one PAT IP. I sort of get the idea that using the access-list command to enable the GRE turns off the access group, but I don't know enough about PIX firewall rules to be sure, nor do I know an alternative if that is the case.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7079076
You cannot PAT GRE.  As long as you are using static one-to-one NAT for GRE per client, and the NATed address is not part of another NAT pool, this will work.  Here is an example of the NAT and ACL from a functioning PIX v6.1.

(assuming no outbound ACL)


name 10.0.0.56 PPTP-HOST

access-list outside_access_in permit gre any host 12.12.12.204
access-list outside_access_in permit tcp any host 12.12.12.204 eq 1723

static (intf3,outside) 12.12.12.204 PPTP-HOST netmask 255.255.255.255 0 0
0
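A small config audit, added here and not posted by anyone in the thread, that applies geoffryn's rule to PIX-style lines: every outside address the ACL admits GRE to must have a one-to-one static, and that address must not also be handed out by a global NAT pool or as the PAT address. The config fragment is constructed for the example and assumes the line layout of PIX 6.x output as in the example above.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment (not the thread's config): .204 is set up
# correctly, .215 sits inside the NAT pool, .200 is the PAT address with no static.
SAMPLE_CONFIG = """
global (outside) 1 12.12.12.210-12.12.12.220 netmask 255.255.255.0
global (outside) 1 12.12.12.200 netmask 255.255.255.0
static (inside,outside) 12.12.12.204 10.0.0.56 netmask 255.255.255.255 0 0
static (inside,outside) 12.12.12.215 10.0.0.57 netmask 255.255.255.255 0 0
access-list outside_access_in permit gre any host 12.12.12.204
access-list outside_access_in permit tcp any host 12.12.12.204 eq 1723
access-list outside_access_in permit gre any host 12.12.12.215
access-list outside_access_in permit gre any host 12.12.12.200
"""

GLOBAL_RE = re.compile(r"^global \(\S+\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask 255\.255\.255\.255")
GRE_RE = re.compile(r"^access-list \S+ permit gre \S+ host (\S+)")


def global_addresses(lines):
    """Expand every 'global' line: a range is a NAT pool, a lone address is PAT."""
    addrs = set()
    for spec in (m.group(1) for m in map(GLOBAL_RE.match, lines) if m):
        if "-" in spec:
            lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
            addrs.update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
        else:
            addrs.add(spec)
    return addrs


def check_gre_hosts(config):
    """Give a verdict for each outside address the ACL lets GRE reach."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    pool = global_addresses(lines)
    statics = {m.group(1): m.group(2) for m in map(STATIC_RE.match, lines) if m}
    findings = {}
    for host in (m.group(1) for m in map(GRE_RE.match, lines) if m):
        if host not in statics:
            findings[host] = "no one-to-one static: GRE cannot be PATed"
        elif host in pool:
            findings[host] = "static address overlaps a global pool/PAT address"
        else:
            findings[host] = "ok"
    return findings
```

Run `check_gre_hosts` over a real `show run` capture to list which PPTP hosts will actually pass GRE and which will collide with the pool the way the original poster's did.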
 
LVL 79

Expert Comment

by:lrmoore
ID: 7079081
Still the same issue. As long as there is a free address in the NAT pool, a user may be able to make a connection. Once they are used up and the PAT overload takes effect, no more users can make a PPTP connection.

Can you post an example of your access-list when you attempt to enable gre? Are you applying it inbound or outbound, and to which interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7201869
Have any of these comments been of any help to you? Do you need more information?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7333498
It appears that you have forgotten this question. I will ask Community Support to force close it unless you finalize it within 7 days.

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **

Please take a moment to revisit this question & reward your points or post additional commentary as appropriate.  Unless there is objection or further activity.

EXPERTS, please feel free to make a recommendation for points award.

If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community Support (with a link to this page) to refund your points.  The link to the Community Support area is: http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **
0
 
LVL 5

Expert Comment

by:Netminder
ID: 7712697
Question abandoned; force-accepted.

Netminder
EE Admin
0
