• Status: Solved

Configuring Microsoft VPN via Cisco PIX (ver. 5.1(4)) - continued

td_miles was a lot of help on this issue (see link below)

http://www.experts-exchange.com/Security/Firewalls/Q_20793766.html#9726724

But I'm still having issues - getting a 721 error when connecting from the client computer. Using this:

access-list acl-out permit gre any host 216.xx.xx.xx
access-list acl-out permit tcp any host 216.xx.xx.xx

static (inside,outside) 216.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255 0

access-group acl-out in interface outside

It worked great, but shut down all incoming access on everything else and using this:

conduit permit esp any host 216.x.x.x
conduit permit udp any eq isakmp host 216.x.x.x
conduit permit gre any host 216.x.x.x

Isn't working for me. I changed the "any" in the above to host xx.xx.xx.xx the client IP address, and still get a 721 error from the VPN client connection. Any ideas?
Asked: welshiv

lrmoore Commented:
>216.xx.xx.xx
Is this the same IP address as your outside interface?

Try changing this:
>access-list acl-out permit tcp any host 216.xx.xx.xx

to this to be port-specific. This will keep from killing all your access:
access-list acl-out permit tcp any host 216.xx.xx.xx eq 1723
 
lrmoore Commented:
Wait, I just read the other link.
You are using conduits, not acls...
you should use the private IP of the host:

conduit permit esp host 192.168.x.x any
conduit permit udp host 192.168.x.x eq isakmp any
conduit permit gre host 192.168.x.x any

 
welshiv (Author) Commented:
I did use the private IP of the host - didn't work
 
lrmoore Commented:
DOH!
Of course..
you need tcp 1723...not esp or isakmp for PPTP.

conduit permit tcp host 192.168.x.x eq 1723 any


0
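An offline check for the point this thread arrives at: PPTP needs TCP 1723 plus GRE rather than ESP/ISAKMP, and a `permit tcp any host ...` rule with no port admits every TCP port. This is an added example, not code from the thread or from Cisco; the function names, the simplified rule grammar (only `any`, `host A`, `A MASK` and `eq PORT`) and the address 203.0.113.10 are assumptions.

```python
# Added example, not from the thread; 203.0.113.10 stands in for 216.xx.xx.xx.

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1], i + 2) if tok[i] == "host" else (tok[i], i + 2)

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; a port of None means all ports."""
    has_eq = tok[i:i + 1] == ["eq"]
    return (tok[i + 1], i + 2) if has_eq else (None, i)

def parse_rule(line):
    """Return (protocol, destination, destination port) of a permit rule, else None."""
    tok = line.split()
    try:
        if tok[:1] == ["access-list"] and tok[2:3] == ["permit"]:
            i = _port(tok, _addr(tok, 4)[1])[1]  # access-list: skip the source first
            dst, i = _addr(tok, i)
            return tok[3], dst, _port(tok, i)[0]
        if tok[:2] == ["conduit", "permit"]:
            dst, i = _addr(tok, 3)               # conduit: global address is first
            return tok[2], dst, _port(tok, i)[0]
    except IndexError:
        pass                                     # truncated rule: ignore it
    return None

def audit_pptp(config, server):
    """Say whether rules admit PPTP to `server`, and list all-port permits."""
    found = {"tcp_1723": False, "gre": False, "all_ports": []}
    for line in map(str.strip, config.splitlines()):
        proto, dst, dport = parse_rule(line) or (None, None, None)
        if dst not in (server, "any"):
            continue
        found["gre"] |= proto in ("gre", "ip")
        if proto in ("tcp", "ip"):
            found["tcp_1723"] |= dport in (None, "1723")
            found["all_ports"] += [line] if dport is None else []
    return found

# Constructed samples modelled on the rules quoted in the thread.
BROAD = """access-list acl-out permit gre any host 203.0.113.10
access-list acl-out permit tcp any host 203.0.113.10"""
NARROW = BROAD + " eq 1723"
IPSEC = """conduit permit esp host 203.0.113.10 any
conduit permit udp host 203.0.113.10 eq isakmp any
conduit permit gre host 203.0.113.10 any"""
```

`audit_pptp(BROAD, "203.0.113.10")` lists the portless TCP permit under `all_ports`, while the `IPSEC` sample comes back with `tcp_1723` false because nothing in it admits the PPTP control channel.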
 
lrmoore Commented:
Are you still working on this? Can you update us with your status?

Thanks!
 
Tim Holman Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer