Solved

Is there any PPTP issues with the PIX 506E and is it a good solution

Posted on 2003-11-24
434 Views
Last Modified: 2010-04-17
I want to make this as plain as possible.  The company I work for does work for different agencies in the government.  I have only been there 3 weeks. They want a VPN solution.  Currently they have a PIX 506E.  

There are two separate networks in house that share the same default gateway of 65.X.X.1.  The in house network is 10.10.0.1 and my government network is 192.168.1.0.  On the 192.168.1.0 side there are 23 public 65.X.X.1 web/development servers. The 192 network knows nothing about the 10 network and vice versa.  The current 192 network is made up of the PIX 506E and a 3com 4200 manageable switch (don't ask me why).  The portion of the T1 I have comes in off the patch panel tied back to the demarc area into FE0/0 on the firewall, and FE0/1 ties into the switch for the 192.168.1.0.  

The corporate network is made up of:   Internet > T1 > 2621 > Sonic Firewall >
The Government network is made up of:  Corp T1 > Patch Panel > PIX 506E > 3COM > users/servers

Here are the issues

1. If I attempt to ping any public address space (from any workstation on the 192.168.1.0) I get no reply.  I have ICMP wide open on the firewall coming and going.  Cisco said that is because the traffic only has one way into the network and with a PIX the traffic can't come and go out the same interface.  Any suggestions?

2.  Are there any issues with the PIX 506E when it comes to VPN?  I only need 20 remote users to connect from the outside.  Is there anything special I need to do?  Is there a base document that shows me how to create this connection?  I have researched and researched and everything I have tried from Cisco dies on me using MS PPTP, even using an MS RADIUS server for authentication to the 192.169.1.0 domain.  

These are my results from the outside world trying to trace to one of my public addresses:
Tracing route to host52.XXXXXXXXXX.com [65.X.X.52]
over a maximum of 30 hops:

  1    20 ms    20 ms    20 ms  
  2    30 ms    30 ms    20 ms  
  3    20 ms    30 ms    20 ms  
  4    20 ms    30 ms    30 ms  130.81.10.90
  5    20 ms    30 ms    20 ms  dcx-edge-02.inet.qwest.net [208.46.127.253]
  6    30 ms    21 ms    20 ms  205.171.251.21
  7   230 ms    20 ms    20 ms  dcp-brdr-01.inet.qwest.net [205.171.251.30]
  8    31 ms    20 ms    20 ms  0.so-0-0-3.BR1.DCA5.ALTER.NET [204.255.168.17]
  9    30 ms    20 ms    30 ms  0.so-0-3-0.XL2.DCA5.ALTER.NET [152.63.43.178]
 10    30 ms    20 ms    20 ms  0.so-2-2-0.XL2.DCA8.ALTER.NET [152.63.41.138]
 11    20 ms    20 ms    20 ms  188.at-6-0-0.XR2.TCO1.ALTER.NET [152.63.39.254]
 12    30 ms    20 ms    30 ms  192.ATM7-0.GW7.TCO1.ALTER.NET
 13    31 ms    30 ms    30 ms  host1.XXXXXXX.com [65.X.X.1]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

They all die at the corporate router.  You never see the other side.  

Any ideas from a true professional would truly help me out.
I hope I have provided enough info.
 

Question by:deasem
9 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 9819875
The issues are several.
1. PPTP is not as secure as IPSEC and does not meet Gov't DITSCAP standards. AES is the new standard. The PIX 506e will support AES encryption with the 3DES license upgrade. I highly suggest using the Cisco VPN client with AES encryption over using PPTP.
2. Because you are traversing between the Internet and DoD NIPRNET, DISA - in their infinite wisdom - has closed down low ports in their Internet/NIPRNET gateways. This includes TCP port 500 commonly used for IPSEC esp connections. However, the new Cisco VPN client 4.x uses UDP 4500.
3. The question becomes one of how your corporate Sonicwall handles IPSEC VPN tunnels. Since you use only one outbound IP address with PAT, the firewall must support NAT-T or NAT Transparency, or IPSEC Passthrough (all same concept)
4. If you can't ping anything out in the 'wild' from a workstation in the 192.168.1.x subnet, perhaps there is something else in front between the PIX and the 65.X.X.1 subnet, i.e. a router or another firewall. Something has to terminate the T1, and it could be blocking icmp.

I, too, have clients on government (Military) installations, and I have no problems using Cisco VPN client to connect to their PIX firewalls.
 
 

Author Comment

by:deasem
ID: 9819968
Lmoore
Thanks for the feedback.   Here is a copy of my config.  Please look it over.  Even if I attempt to do a simple PPTP session it dies at 65.X.X.1.  
: Saved
: Written by enable_15 at 20:26:34.931 UTC Thu Nov 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 76vQYcXiV2tJQDQz encrypted
passwd 76vQYcXiV2tJQDQz encrypted
hostname firembi
domain-name xxxxxxxxxxxxxxxxxx.com
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol ftp 21
fixup protocol http 80
fixup protocol sqlnet 1521
fixup protocol ils 389
names
access-list acl_in permit icmp any any  
access-list acl_in permit udp any any eq 143
access-list acl_in permit tcp any any eq imap4
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 585
access-list acl_in permit tcp any any eq 993
access-list acl_in permit udp any any eq 993
access-list acl_in permit udp any any eq 585
access-list acl_in permit tcp any any eq ssh
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit udp any any eq 8080
access-list acl_in permit udp any any eq 389
access-list acl_in permit tcp any any eq ldap
access-list acl_in permit icmp any any  
access-list acl_out permit tcp any any eq imap4
access-list acl_out permit udp any any eq 143
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq https
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq 993
access-list acl_out permit tcp any any eq 585
access-list acl_out permit udp any any eq 585
access-list acl_out permit udp any any eq 993
access-list acl_out permit tcp any any eq ssh
access-list acl_out permit tcp any any eq 8080
access-list acl_out permit udp any any eq 8080
access-list acl_out permit udp any any eq 389
access-list acl_out permit tcp any any eq ldap
access-list NO_NATVPN permit ip 192.168.1.0 255.255.255.0 10.9.1.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging trap notifications
logging history notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 65.X.X.60 255.255.0.0
ip address inside 192.168.1.1 255.255.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.9.1.1-10.9.1.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NATVPN
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 65.X.X.50 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.51 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.52 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.53 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.55 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.56 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.58 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.59 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.66 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.67 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.57 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.63 192.168.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.64 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.68 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.69 192.168.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.74 192.168.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.75 192.168.1.19 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.65 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.71 192.168.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 65.X.X.73 192.168.1.22 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 65.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
isakmp identity address
isakmp policy 20 lifetime 86400
vpngroup MBIVKBVPN address-pool pptp-pool
vpngroup MBIVKBVPN default-domain MBIVKB.COM
vpngroup MBIVKBVPN idle-time 1800
vpngroup MBIVKBVPN password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn group 1 pptp echo 60
vpdn username MBIVKBVPN password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:836ce59ff90b02809db1b0eb96b3edd7

 
LVL 79

Expert Comment

by:lrmoore
ID: 9820047
Are you sure of these subnet masks:
ip address outside 65.X.X.60 255.255.0.0
ip address inside 192.168.1.1 255.255.0.0

I believe that you're getting blocked at the router that is your default gateway:
route outside 0.0.0.0 0.0.0.0 65.X.X.1

Because of the outbreak of MSBLAST and Welchia, many agencies have started blocking ICMP (and subsequently wreaking havoc on performance as well as our ability to troubleshoot).

The other issue is that if the address you are trying to trace to (65.X.X.52)  does not resolve to an authorized .gov or .mil address through reverse DNS, then the trace may die anyway.

I'm assuming that you are trying to use a PPTP client at your corp HQ, connecting to the PIX 506e outside ip address, not the other way around?


 

Author Comment

by:deasem
ID: 9820345
This is the config I inherited.  The 192.168.1.1 needs to change to /24.
I have asked Corporate why the heck the mask is /16 for 65.X.X.X.  What problems can the wrong subnet mask cause?  Performance is one thing.

and based on your last question the answer is yes.  I'm using the MS PPTP client for XP.

Dease

Author Comment

by:deasem
ID: 9820874
Lmoore
When I made the comment about not being able to ping public addresses, I meant I can't ping any public address that sits behind the firewall.  For example: 65.X.X.X has the private address 192.168.1.X.  If you attempt to ping that 65 address it does not respond back, and technically they are on the same network.  The only problem I see is that 198.168.1.1 (default gateway) is the firewall, instead of having a router hanging off with the default gateway being a router instead of the firewall.  

Thanks
Dease
 
LVL 79

Expert Comment

by:lrmoore
ID: 9821505
If you are on the inside of the PIX with 192.168.1.x address, then no you cannot ping a public 65.x.x.x address that is natted (static) back to a local system. You are correct that this is a 'feature' of the PIX.
The 'alias' command can potentially help, but usually causes more headaches than it is worth.

Can you ping any public address that is not local - i.e. 198.6.1.2 (public nameserver)?
That will at least tell us if ICMP is blocked anywhere else.
 

Author Comment

by:deasem
ID: 9825115
Lmoore
Yeah, I can ping other sites with no problem.  Like I said, should I give it another default gateway instead of using the PIX as the default gateway? Place a router out there and point that traffic out, or would I need another public non-65 address to get that 192.168.1.x traffic out?
You have been a big help.  If you can't get to me today, have a happy Thanksgiving.

Dease
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9825488
OK, you've confused me now.
You can get out just fine to public sites, so if traffic is going out, I don't understand your comment:
>would I need another public non-65 address to get that 192.168.1.x traffic out

Your PIX is your default gateway. It needs to stay that way.

Your issue #1 remains. You will not be able to access your internal servers by their public IP. If you (users on 192.168.1.x subnet) rely on an external DNS that always resolves to the public IP, then you need to setup an internal DNS server that resolves them to the private 192.168.1.x addresses.

I'm not sure how to address issue #2, where packets go from an external source to the public IP 65.x.x.52, unless the server that it is mapped to - i.e. 192.168.1.5 - does not have the PIX as its default gateway. Take a look at "C:\>route print" on that server.

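Two things in this thread lend themselves to a small audit script: lrmoore's question about the /16 masks on both PIX interfaces, and the accepted answer's point that inside hosts cannot reach an inside server through its static public address (the PIX will not send a packet back out the interface it arrived on), so an internal DNS view must resolve those names to the private 192.168.1.x addresses. The following is an added example written for this page, not code from the thread or from Cisco. It parses a constructed PIX 6.x-style configuration in the shape of the one posted above (documentation addresses 203.0.113.0/24 stand in for the real 65.X.X.X block), flags interface masks broader than the addresses the config actually references, decides whether a given source/destination pair would hairpin on one interface, and builds the hostname-to-private-address records an internal DNS server or hosts file would need. The regexes only cover the statement forms seen in the posted config; the hostname map and all addresses are constructed.

```python
"""Audit a PIX 6.x style config for hairpin NAT and over-broad interface masks.

Added example for the thread above; constructed input, not a real site config.
"""
import ipaddress
import re

# Constructed sample config: same statement shapes as the posted config, with
# 203.0.113.0/24 (documentation space) standing in for the real public block.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.60 255.255.0.0
ip address inside 192.168.1.1 255.255.0.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.50 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.52 192.168.1.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
# PIX syntax: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_config(text):
    """Pull interface, nat, static and route statements out of the config text."""
    cfg = {"interfaces": {}, "nats": [], "statics": [], "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
            continue
        m = NAT_RE.match(line)
        if m:
            ifname, _nat_id, addr, mask = m.groups()
            cfg["nats"].append((ifname, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, _mask = m.groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": ipaddress.ip_address(mapped),
                                   "real": ipaddress.ip_address(real)})
            continue
        m = ROUTE_RE.match(line)
        if m:
            ifname, dest, mask, gw = m.groups()
            cfg["routes"].append((ifname, ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw))
    return cfg


def _on_link_interface(cfg, ip):
    """Name of the interface whose connected subnet contains ip, else None."""
    for name, iface in cfg["interfaces"].items():
        if ip in iface.network:
            return name
    return None


def _route_interface(cfg, ip):
    """Longest-prefix match over the configured routes (default route included)."""
    best = None
    for ifname, net, _gw in cfg["routes"]:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best[0] if best else None


def hairpin_check(cfg, src, dst):
    """Report whether a src->dst packet would enter and leave the same interface.

    PIX 6.x drops such traffic, which is why an inside host cannot reach an
    inside server through its static public address. resolve_to is the private
    address an internal DNS view should hand out instead.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = _on_link_interface(cfg, src_ip) or _route_interface(cfg, src_ip)
    egress, resolve_to = None, None
    for st in cfg["statics"]:
        if st["mapped"] == dst_ip:          # static is untranslated first
            egress, resolve_to = st["real_if"], str(st["real"])
            break
    if egress is None:
        egress = _on_link_interface(cfg, dst_ip) or _route_interface(cfg, dst_ip)
    return {"ingress": ingress, "egress": egress,
            "hairpin": ingress is not None and ingress == egress,
            "resolve_to": resolve_to}


def mask_findings(cfg):
    """Flag interface masks broader than the addresses the config references on them."""
    findings = []
    for name, iface in cfg["interfaces"].items():
        used = [net for ifn, net in cfg["nats"] if ifn == name]
        used += [ipaddress.ip_network(str(st["real"])) for st in cfg["statics"] if st["real_if"] == name]
        used += [ipaddress.ip_network(str(st["mapped"])) for st in cfg["statics"] if st["mapped_if"] == name]
        used += [ipaddress.ip_network(gw) for ifn, _n, gw in cfg["routes"] if ifn == name]
        if not used:
            continue
        tightest = used[0]                  # smallest prefix covering everything referenced
        while not all(n.subnet_of(tightest) for n in used):
            tightest = tightest.supernet()
        if iface.network.prefixlen < tightest.prefixlen:
            findings.append(f"{name}: mask /{iface.network.prefixlen} is broader than the {tightest} "
                            f"actually referenced; every host in {iface.network} is treated as on-link")
    return findings


def internal_dns_records(cfg, public_names):
    """Map hostnames (public_names: public_ip -> name) to the private address behind each static."""
    by_mapped = {str(st["mapped"]): str(st["real"]) for st in cfg["statics"]}
    return {name: by_mapped[pub] for pub, name in public_names.items() if pub in by_mapped}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for f in mask_findings(cfg):
        print("finding:", f)
    print(hairpin_check(cfg, "192.168.1.20", "203.0.113.52"))   # hairpin on inside
    print(hairpin_check(cfg, "192.168.1.20", "198.6.1.2"))      # normal outbound
    print(internal_dns_records(cfg, {"203.0.113.52": "host52.example.com"}))   # constructed name
```

Run against a real PIX config the script reports both /16 interfaces as broader than anything the nat, static and route lines reference, and the hairpin check makes the accepted answer concrete: an inside client aimed at a static public address comes back out the inside interface, so the fix is the internal resolver handing out the private address rather than any change to the default gateway.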
 

Author Comment

by:deasem
ID: 9827105
Thanks Lmoore.  That did it, thanks.

Dease