Solved

Pix Firewall PPTP VPN issue

Posted on 2002-06-13
10
370 Views
Last Modified: 2008-03-17
my configuration is
internet-->netopia router-->cisco pix firewall-->client computers

i am trying to establish a vpn connection where the client computers are on the inside of the firewall and the server is outside, offsite. i can open the vpn tunnel fine, but when i enable the gre for the IP of the vpn client computer, all our sites we host here, and our mail server (which is also hosted on the inside of the firewall) no longer function. in other words, they are not accessible to anything outside the firewall.
0
Question by:erostosthenes
10 Comments
 
LVL 17

Expert Comment

by:mikecr
ID: 7077969
Okay, can you give a little more in-depth information. Please explain your current network setup. You're setting up a GRE tunnel on a Cisco PIX to a client site and whenever you bring it up you lose connectivity to servers behind the firewall, correct? This could either be a routing issue or a firewall configuration issue. If you're bringing up a GRE tunnel and assigning it an IP, you will evidently be routing through this tunnel. You may want to configure the PIX so that it only allows traffic from one machine to get through the tunnel and test it from there. Check your route tables to make sure that nothing is attempting to use the tunnel when it is brought up. If you're using any dynamic protocols like EIGRP or OSPF, make sure that you exempt that interface from the routing table while you're testing.
0
 
LVL 8

Accepted Solution

by:scraig84 (earned 75 total points)
ID: 7078236
GRE typically requires a one-to-one NAT - no PAT involved. If you are hosting all of those services by using PAT to redirect ports off of a single IP address and then you NAT that address directly to one single inside IP for the purpose of GRE, you will kill all the PAT statements. Do you only have one outside (public) address or is there a block of addresses that you can use?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7078448
I think scraig84 has hit it on the head; it does sound like you are doing PAT, and the PIX definitely requires a one-to-one NAT per client machine for GRE.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7078463
I second geoffryn's motion that scraig84 hit the nail on the head.
0
 

Author Comment

by:erostosthenes
ID: 7079044
actually we are using both. there is a list of IPs for use on NAT, and in the case of overflow, there is one PAT IP. i sort of get the idea that using the access-list command to enable the gre turns off the access group, but i don't know enough about Pix firewall rules to be sure, nor do i know an alternative if that is the case.
0

 
LVL 11

Expert Comment

by:geoffryn
ID: 7079076
You cannot PAT GRE. As long as you are using static one-to-one NAT for GRE per client, and the NATed address is not part of another NAT pool, this will work. Here is an example of the NAT and ACL from a functioning PIX v6.1.

(assuming no outbound ACL)

name 10.0.0.56 PPTP-HOST

access-list outside_access_in permit gre any host 12.12.12.204
access-list outside_access_in permit tcp any host 12.12.12.204 eq 1723

static (intf3,outside) 12.12.12.204 PPTP-HOST netmask 255.255.255.255 0 0
0
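To make the point of the accepted answer and of the PIX snippet above concrete, here is a small added Python model of the translation behaviour being described; it is an illustration written for this page, not PIX code and not anything the posters wrote. It models three things: PAT has no port field to key GRE on, so PPTP's GRE data channel cannot be translated that way; a one-to-one static that reuses the shared PAT address owns that whole address and shadows the port-forwarded mail and web servers (the symptom in the question); and a static on a spare public address carries GRE while the forwards keep working. All addresses (12.12.12.203 as the shared PAT address, 12.12.12.204 reused from the snippet for the static, the 10.0.0.x inside hosts, the 203.0.113.x and 198.51.100.x outside peers) are constructed sample values.

```python
"""Model of one-to-one static NAT versus PAT for PPTP's GRE data channel.

Added illustration for this thread, not PIX code.  All addresses are
constructed sample values; the PIX keywords in comments are only there to
show which real statement each piece of the model stands in for.
"""
from dataclasses import dataclass
from typing import Optional

GRE, TCP = 47, 6          # IP protocol numbers; GRE carries no port field


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for portless protocols such as GRE
    dport: Optional[int] = None


class Translator:
    """Outside-facing translation: one shared PAT address plus one-to-one statics."""

    def __init__(self, pat_address, port_forwards, statics):
        self.pat_address = pat_address
        # (proto, outside port) -> inside host; stands in for a port-level static
        self.port_forwards = dict(port_forwards)
        # inside host -> outside address; stands in for "static (inside,outside) out in"
        self.statics = dict(statics)
        self.reverse_statics = {out: inside for inside, out in self.statics.items()}
        self.pat_table = {}       # (proto, outside port) -> (inside host, inside port)
        self.next_port = 1024

    def outbound(self, pkt):
        """Translate an inside->outside packet; returns it as seen on the outside."""
        if pkt.src in self.statics:
            # One-to-one static: every protocol passes, ports left untouched
            return Packet(pkt.proto, self.statics[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.sport is None:
            # PAT multiplexes many hosts on the transport port; GRE has none
            raise ValueError(f"protocol {pkt.proto} has no port field, cannot PAT it")
        outside_port = self.next_port
        self.next_port += 1
        self.pat_table[(pkt.proto, outside_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.pat_address, pkt.dst, outside_port, pkt.dport)

    def inbound(self, pkt):
        """Deliver an outside->inside packet; returns the inside host, or None if dropped."""
        if pkt.dst in self.reverse_statics:
            # A one-to-one static owns the whole address: all protocols, all ports
            return self.reverse_statics[pkt.dst]
        if pkt.dst != self.pat_address or pkt.dport is None:
            return None
        if (pkt.proto, pkt.dport) in self.port_forwards:
            return self.port_forwards[(pkt.proto, pkt.dport)]
        if (pkt.proto, pkt.dport) in self.pat_table:
            return self.pat_table[(pkt.proto, pkt.dport)][0]
        return None


PAT_ADDR = "12.12.12.203"                                      # constructed
FORWARDS = {(TCP, 25): "10.0.0.10", (TCP, 80): "10.0.0.20"}    # mail and web servers
PPTP_HOST = "10.0.0.56"                                        # the VPN client


def gre_over_pat_fails():
    """PPTP control channel (tcp/1723) PATs fine; the GRE data packets cannot."""
    t = Translator(PAT_ADDR, FORWARDS, statics={})
    ctrl = t.outbound(Packet(TCP, PPTP_HOST, "203.0.113.5", 40000, 1723))
    try:
        t.outbound(Packet(GRE, PPTP_HOST, "203.0.113.5"))
        return False
    except ValueError:
        return ctrl.src == PAT_ADDR     # control channel did translate, GRE did not


def static_on_pat_address_breaks_forwards():
    """The symptom in the question: a static on the shared address shadows mail/web."""
    t = Translator(PAT_ADDR, FORWARDS, statics={PPTP_HOST: PAT_ADDR})
    gre_ok = t.inbound(Packet(GRE, "203.0.113.5", PAT_ADDR)) == PPTP_HOST
    mail_host = t.inbound(Packet(TCP, "198.51.100.9", PAT_ADDR, 5000, 25))
    return gre_ok, mail_host            # mail now lands on the PPTP host, not the mail server


def static_on_spare_address_works():
    """The fix described above: dedicate a spare public address to the client."""
    t = Translator(PAT_ADDR, FORWARDS, statics={PPTP_HOST: "12.12.12.204"})
    gre_host = t.inbound(Packet(GRE, "203.0.113.5", "12.12.12.204"))
    mail_host = t.inbound(Packet(TCP, "198.51.100.9", PAT_ADDR, 5000, 25))
    web_host = t.inbound(Packet(TCP, "198.51.100.9", PAT_ADDR, 5001, 80))
    return gre_host, mail_host, web_host


if __name__ == "__main__":
    print("GRE over PAT rejected:", gre_over_pat_fails())
    print("static on PAT address:", static_on_pat_address_breaks_forwards())
    print("static on spare address:", static_on_spare_address_works())
```

The model deliberately ignores the access-list side (lrmoore's follow-up question) and only shows the translation layer: the inbound lookup order is what matters, because a one-to-one static on an address is consulted before any port-level rule on that same address.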
 
LVL 79

Expert Comment

by:lrmoore
ID: 7079081
Still the same issue. As long as there is a free address in the NAT pool, a user may be able to make a connection. Once they are used up and the PAT overload takes effect, no more users can make a PPTP connection.

Can you post an example of your access-list when you attempt to enable gre? Are you applying it inbound or outbound, and to which interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7201869
Have any of these comments been of any help to you? Do you need more information?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7333498
It appears that you have forgotten this question. I will ask Community Support to force close it unless you finalize it within 7 days.

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **

Please take a moment to revisit this question & reward your points or post additional commentary as appropriate. Unless there is objection or further activity.

EXPERTS, please feel free to make a recommendation for points award.

If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community Support (with a link to this page) to refund your points. The link to the Community Support area is: http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **
0
 
LVL 5

Expert Comment

by:Netminder
ID: 7712697
Question abandoned; force-accepted.

Netminder
EE Admin
0
