pix forwarding pptp traffic to win2k rras server

siglinp
Static (inside,outside) out_IP Inside_server_IP
conduit permit tcp host out_IP eq 1732 designated_IP

conduit permit gre host out_IP designated_IP

I have the following statement setup on the pix and traffic does not seem to flow. Is there something else that needs to be done?

Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
conduit permit tcp host out_IP eq 1732 designated_IP

looks like a typo.
1732 should be 1723

conduit permit tcp host out_IP eq 1723 designated_IP

Author

Commented:
Is there any less security using conduits? I understand that this is the older way of doing things. Would the following work and would this be any better?


static (inside,outside) 208.226.72.79 192.168.1.5 netmask 255.255.255.0
access-list access_list_out permit tcp any host 208.226.72.79 eq 1723
access-list access_list_out permit gre any host 208.226.72.79
access-group access_list_out in interface outside
Les Moore, Sr. Systems Engineer
Top Expert 2008
Commented:
I prefer access lists. The only change to your example is the netmask on the static. It should be 255.255.255.255


Author

Commented:
For some reason I decided against RRAS... something else to break, so I decided on doing it all through the pix with pptp. The only problem I am having now is the network is win2k and I cannot browse the network by name unless I use an lmhosts file. Isn't that netbios that I need? In other words there is no wins server.
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
Do you have AD DNS servers? They take the place of WINS and LMHOSTS. Else you have two choices: either put LMHOSTS files on client PCs, or set up a WINS server and put the IP address in the vpdn client setup section on the PIX.

Author

Commented:
I have AD DNS and I do have an entry on the pix for the vpn config that points to the dns server. This does not seem to help. When I add wins I cannot browse the network in net neighborhood. I can get to the server using vnc so it kind of works, but I have to do \\server\share to get to each share or \\server to browse the shares. BTW remind me to buy some credits and load you up because you have been very good at giving me good pointers.

Author

Commented:
OK, I have a 2610 router and the pix is connected to the 2610. Now outside traffic trying to come in on port 25 and vpn cannot. I think it is stopping at the 2610. Is there something I have to set to have this traffic pass to the firewall? I have it set for dynamic routing. Tried rip and eigrp and also gave it a static map on the ethernet side.

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Router
!
enable secret 5 $1$614Y$lO1AnWWJTdtMufVb5ecJ31
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0/0
 no shutdown
 description connected to EthernetLAN
 ip address 64.132.147.97 255.255.255.240
 keepalive 10
!
interface FastEthernet 0/1
 no description
 no ip address
 shutdown
!
interface Serial 0/0
 no shutdown
 description connected to Internet
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 service-module t1 remote-alarm-enable
 ip address 168.215.138.94 255.255.255.252
 encapsulation ppp
!
router rip
 version 2
 network 64.0.0.0
 passive-interface Serial 0/0
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0/0
ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
There is nothing in the router config that will stop it. Post your PIX config...

Author

Commented:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password ujIk93/r4.1fXLPD encrypted
passwd ujIk93/r4.1fXLPD encrypted
hostname pixfirewall
domain-name rheaivy.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.168.1.0 255.255.255.0
access-list access_list_out permit tcp any host 64.132.147.98 eq 1723
access-list access_list_out permit gre any host 64.132.147.98
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.132.147.98 255.255.255.240
ip address inside 192.168.1.205 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.168.1.1-172.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location 10.0.0.203 255.255.255.255 dmz
pdm location 10.0.0.203 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.206 255.255.255.255 inside
pdm location 192.168.1.253 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 64.132.147.99-64.132.147.109
global (outside) 1 64.132.147.110
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 64.132.147.100 10.0.0.203 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.253 10.0.0.203 netmask 255.255.255.255 0 0
access-group access_list_out in interface outside
route outside 0.0.0.0 0.0.0.0 64.132.147.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) host 192.168.1.206 timeout 5 protocol TCP version 1
url-cache dst 1KB
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.1.253 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
service resetinbound
service resetoutside
vpngroup vpnuser idle-time 1800
vpngroup vpnuser password ********
telnet timeout 5
ssh timeout 5
vpdn group vpn accept dialin pptp
vpdn group vpn ppp authentication mschap
vpdn group vpn ppp encryption mppe 128 required
vpdn group vpn client configuration address local vpn
vpdn group vpn client configuration dns 192.168.1.200
vpdn group vpn client configuration wins 192.168.1.200
vpdn group vpn pptp echo 60
vpdn group vpn client authentication local
vpdn username vpnuser password password
vpdn enable outside
terminal width 80
Cryptochecksum:51db2bf5d43ff0f834850a02e998b58b
: end
[OK]
pixfirewall(config)#


This was working when I tested it at home. Dunno.
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
>now outsided traffic trying to come in on port 25 and vpn can not

>sysopt connection permit-pptp

The above command bypasses inbound access-lists so you can remove these lines:

access-list access_list_out permit tcp any host 64.132.147.98 eq 1723
access-list access_list_out permit gre any host 64.132.147.98

Assuming that .100 is your mail server, add this line to your acl:

access-list access_list_out permit tcp any host 64.132.147.100 eq smtp

And turn fixup back on unless you are running Exchange and using ESMTP commands (anti-spam filters, anti relay, etc):

>no fixup protocol smtp 25
fixup protocol smtp 25

You also have local authentication for VPN users:
>vpdn group vpn client authentication local

But, you don't have any username entries:

username user1 password xxxx
username user2 password yyyy


I think you have your statics confused, too:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 64.132.147.100 10.0.0.203 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.253 10.0.0.203 netmask 255.255.255.255 0 0

inside=192.168.1.x
dmz=10.0.0.x
outside=64.132.147.x

This entry means you are not using nat between the inside and the dmz. Better served with nat 0 acl
no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-list 101 permit ip 192.168.1.0 255.255.255.0 172.168.1.0 255.255.255.0
access-list 101 deny ip host 192.168.1.253 host 10.0.0.203
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0


static (inside,dmz) 192.168.1.253 10.0.0.203 netmask 255.255.255.255 0 0

should read
static (inside,dmz) 10.0.0.203 192.168.1.253 netmask 255.255.255.255 0 0
But, why are you natting only this one address between the inside and the DMZ?



Author

Commented:
The one address is smtp on the dmz and I want a static from it to the exchange server on the inside.
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
The static command is a bit awkward. The syntax is:
static (higher security interface,lower security interface)<lower IP> <higher IP>

static (inside,dmz) <dmz ip> <inside ip> netmask a.b.c.d

The actual ip addresses are in the opposite order from the interfaces in the parentheses.
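The operand order described above (interfaces listed higher,lower, addresses listed lower-side first) is easy to get backwards, as the static lines earlier in this thread show. The following script is an added example, not part of the original thread or of any Cisco tool: it parses the nameif, ip address and static lines of a PIX 6.x configuration and flags a static whose mapped and real addresses sit on the wrong interfaces' subnets, or whose two addresses are identical (an identity static that is better expressed with nat 0 and an access-list, as the expert noted). The embedded config excerpt is constructed from the lines posted above; the subnet-membership rule is a heuristic that assumes the mapped address lives on the lower-security interface's directly connected subnet, which holds here but not for mapped addresses routed from elsewhere.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.x configuration posted in the thread:
# the interface security levels, interface addresses and the three static lines.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
ip address outside 64.132.147.98 255.255.255.240
ip address inside 192.168.1.205 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 64.132.147.100 10.0.0.203 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.253 10.0.0.203 netmask 255.255.255.255 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
IPADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_config(text):
    """Collect security levels, connected subnets and static entries."""
    levels, nets, statics = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = IPADDR_RE.match(line)
        if m:
            nets[m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append({
                "high": m.group(1), "low": m.group(2),
                "mapped": ipaddress.ip_address(m.group(3)),
                "real": ipaddress.ip_address(m.group(4)),
                "line": line,
            })
    return levels, nets, statics


def check_static(entry, levels, nets):
    """Return findings for one static line; an empty list means it looks right.

    Heuristic (assumption): the mapped address is expected on the lower-security
    interface's subnet and the real address on the higher-security interface's
    subnet. True for the directly connected subnets in this thread.
    """
    findings = []
    high, low = entry["high"], entry["low"]
    if levels.get(high, -1) <= levels.get(low, -1):
        findings.append(f"({high},{low}) is not (higher,lower) security order")
    if entry["mapped"] == entry["real"]:
        findings.append("identity static: no translation between the interfaces; "
                        "nat 0 with an access-list is the usual way to express this")
        return findings
    mapped_ok = low in nets and entry["mapped"] in nets[low]
    real_ok = high in nets and entry["real"] in nets[high]
    swapped = (high in nets and low in nets
               and entry["mapped"] in nets[high] and entry["real"] in nets[low])
    if not mapped_ok and not real_ok and swapped:
        findings.append(
            f"operands reversed: expected static ({high},{low}) "
            f"{entry['real']} {entry['mapped']} netmask ...")
        return findings
    if not mapped_ok:
        findings.append(f"mapped address {entry['mapped']} is not on the {low} subnet")
    if not real_ok:
        findings.append(f"real address {entry['real']} is not on the {high} subnet")
    return findings


def audit(text):
    """Return (line, findings) for every static line in the config text."""
    levels, nets, statics = parse_config(text)
    return [(s["line"], check_static(s, levels, nets)) for s in statics]


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_CONFIG):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{line}\n    -> {status}")
```

Run against the excerpt, the (dmz,outside) static for the mail relay passes, the identity static is reported, and the last line is reported as reversed with the corrected form static (inside,dmz) 10.0.0.203 192.168.1.253, matching the expert's fix.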
