  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 625

Enable PPTP on PIX

Hi,

Appreciate if anyone could provide me with instructions on how to enable the PPTP in the PIX for VPN access?

I have set up a WinXP Prof VPN server in my LAN but couldn't figure out how to make it possible for remote clients to connect to it.

Currently running a Cisco PIX with IOS 6.0(1), using static Public IP addresses in my LAN.

I have tried this but it doesn't work:
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
xxx refers to the public IP address of the VPN server.
Asked by desk12
1 Solution
 
hawgpigCommented:
Here is the simple solution

PPTP

> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Just change the ip addresses...
I've never tried this myself... but I understand that you have to go from a static to a static IP address...
I've been told this will not work through PAT on either end....
Let me know if you are using PAT and it works...
Thanks
good Luck
 
visioneerCommented:
There's a couple things you need to do here.

First, you will have to bypass all access-list checks for PPTP:

sysopt connection permit-pptp

Next, if you are using port address translation (PAT), you will need to use the "fixup" feature to make the translation work.  (If you have a static translation from the client to an outside IP, you don't need this).  The following command is for firmware versions 6.3 and above, so you'll want to upgrade your firmware.  

fixup protocol pptp 1723

Note that this last command will BREAK any PPTP VPNs configured on the PIX itself, if you have any, which it sounds like you don't.

Lastly, you will need to modify/create your access-list to allow IP protocols 47 (gre) and TCP protocol 1723 inbound from any outside host to your VPN server.

 
visioneerCommented:
Now that I think about it, that fixup on port 1723 might only be needed for outbound PPTP.  I dunno, try it either way. :-)
 
desk12Author Commented:
What90 - Thanks for the URL you posted, I will try it out.

Visioneer - I can't afford to upgrade the firmware. Think you could provide me with detailed steps on what you have mentioned? Sorry, I am a newbie in networking. How do I create the access-list for GRE (47) and PPTP (1723) from any outside host to my VPN server?

Thanks.
 
visioneerCommented:
The firmware upgrade is free.  You download it from Cisco's site.

hawgpig was heading in the right direction, but his example would only allow one host on the outside to access your server.

First, create your static NAT from the inside to the outside (it's gotta be a one-to-one for this to work -- you cannot use interface PAT here):

static (inside,outside) <outside_ip_address> <inside_ip_address> netmask 255.255.255.255 0 0

Next, create or modify your access list to allow the traffic inbound:

access-list outside_access_in permit gre any  host <outside_IP_address>
access-list outside_access_in permit tcp any  host <outside_IP_address> eq 1723
access-group outside_access_in in interface outside

(Obviously, you would replace <outside_IP_address> and <inside_IP_address> with real IP addresses.)
 
desk12Author Commented:
Guys,

I ran into the following error when I was using the Client notebook (winXp Pro) to do the VPN connection:

After connecting to the internet, when I click on the VPN client, at the "verifying username and password" box it throws me an error box saying "Disconnected. Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed." I can see on my VPN server (Win2000 Srv) that there is some connection activity (the network icon at the lower right taskbar is blinking when the VPN client is trying to connect to it). No logs are recorded at the VPN server even though I had configured it to log everything.

Does anyone have any idea whether the problem lies with the VPN tunnelling via the Cisco PIX or with the VPN server configuration?

Thanks.
 
What90Commented:
Have you set the user in AD to have Allow access, rather than use the default user policy (which is deny access)?
 
desk12Author Commented:
I think the error message I got above was due to the VPN server not being configured to be on AD.

http://support.microsoft.com/default.aspx?scid=kb;en-us;314485&Product=winxp


Hmm... side track a bit.

My PDC is NT 4.0. Should I configure the VPN server (Win2000 Server) into AD? Will it have any impact on my PDC?
 
visioneerCommented:
In order to install Active Directory, you would have to upgrade your PDC from NT 4.0 to Windows 2000 or 2003.

On a side note, why not just configure your PIX to be the PPTP server?
 
desk12Author Commented:
How difficult would it be to configure my PIX into a PPTP server? (* I am not familiar with Cisco stuff and don't want to risk screwing up all the configuration in the PIX)

* My PIX current firmware is at 6.0(1); I don't have the luxury to upgrade it. Is it possible to tweak it into a PPTP server?

Thanks.
 
visioneerCommented:
I still don't understand why you can't flash the firmware... it doesn't cost you anything.  Do you need the instructions?

Anyway, it's pretty easy.  Here's a sample config, assuming your internal network is 10.1.69.x and your DNS/WINS server is 10.1.69.100:

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client authentication local
! this next line creates a username for PPTP access
vpdn username testuser password testing!
! this next line creates a pool of addresses for use in this VPN
ip local pool vpn_pool 10.1.69.200-10.1.69.250
! the next line assigns the new pool to the VPN
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_pool
! the next 2 lines configure the DNS/WINS server addresses to hand out to the clients
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.69.100
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.69.100
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn enable outside
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
 
visioneerCommented:
By the way, you can download the updated firmware and a free TFTP server to upload it with here:

http://network.esd101.net/Apps4Install/CiscoPIX/index.asp
 
desk12Author Commented:
Thanks.

My PIX was set up by a System Integrator company; according to their network engineer (the fellow who set up the PIX for me), my PIX hardware cannot support the updated firmware, and should I really need to update the firmware, I need to upgrade the PIX RAM.

Is it easy to update the firmware myself? (consider the fact that I have ZERO knowledge on Cisco stuff)

The instructions you have attached seem pretty straight forward, can I try it without updating my PIX firmware?

Thanks.
 
visioneerCommented:
Your integrator is wrong.  Even a PIX 501 can run 633 (I know because I'm doing it on my own personal firewall and have done so on others).  The install docs say you need more RAM than the 501 has, but I have yet to have a problem with it.  So go for it.

Yes, it is easy to do the firmware upgrade.  You can try it without the upgrade, but I don't know if all the commands are supported.  But 633 fixes some bugs, so I'd upgrade it.

Place the update file (i.e., pix633.bin) on a Trivial File Transfer Protocol (TFTP) server.  There's one for download in the link.

Connect to your PIX through Telnet or through a terminal session.

From enable mode, type:

copy tftp flash

It'll ask you for the IP address of the TFTP server, and the name of the file.  Then boom, it gets the file and installs it.  When it's all done, type:

reload
 
desk12Author Commented:
Ok..i will give it a try.

Thanks.
 
Pascal666Commented:
Legally you must purchase either SMARTnet for your PIX or Cisco P/N PIX-SW-UPGRADE before you can upgrade the firmware on your PIX.  Do not upgrade your firmware if you have not purchased one of these.

-Pascal
 
visioneerCommented:
Ah yes, I forgot about that.  Very good point.
 
desk12Author Commented:
OK. Will consult my System Integrator for advice if I want to upgrade the PIX firmware.

Thanks.
 
Tim HolmanCommented:
From what I understand, you have:

VPN Client
|
Internet
|
PIX
|
W2K VPN Server

?

In this case, the sysopt command on the PIX won't help, as this only opens up PPTP destined directly for the PIX itself.
What you need to do is redirect PPTP and GRE as hawgpig first suggested.

Setting up the PIX as a PPTP server is very easy, as per Visioneer's comments.

:)
 
desk12Author Commented:
yup..you are right.

VPN Client
|
Internet
|
PIX
|
Winxp or NT4.0 or Win2k (configure as VPN Server)

I have tried hawgpig's instructions; I can see the VPN client tunnel through the PIX and it tries to connect to the VPN server, but the client just timed out during the authentication part. Any idea what went wrong?

I would certainly like to configure my PIX as a PPTP server, but does my current firmware allow me to do so? [*** My PIX current firmware is at 6.0(1) ] If yes, how do I do it?

Please advise.

Thanks.
 
visioneerCommented:
Go ahead and try to set it up as per the instructions already provided.  Couldn't hurt to try it.  Back up your current config first, just in case something gets wacky.
 
Tim HolmanCommented:
In this example, 189.1.1.1 is the INTERNAL server, 10.0.0.1 is the EXTERNAL NATted address, just to be clear:

> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Are there any authentication errors in the event logs of the domain controllers, or the VPN server itself ?  
Does the VPN server know to route back out via the PIX (ie not the default gateway that all the other clients use, if this is applicable ??)
 
desk12Author Commented:
Visioneer.

What does the following mean? (extract from your above instructions)
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl

I am using public IP addresses, so how should my configuration be?

Thanks.
 
desk12Author Commented:
Visioneer - I tried it and did not get it to work; while configuring the PIX, I got this error: "Addresses overlap with existing Global range"...

Tim_Holman - I tried that also...the client VPN gets timed out during the authentication part.

Visioneer & Tim_Holman
I'm posting my email address (desk12@hotmail.com)
Can drop me a mail so that I can forward my sh_config to you guys?

Thanks.
 
Tim HolmanCommented:
To setup the PIX as a PPTP server, follow the steps here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

So, this line specifies an access list to ensure the local / inside network can get back to the PPTP clients:

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

This line gives the PPTP clients a pool of addresses:

ip local pool pptp-pool 192.168.1.1-192.168.1.50

This line ensures anything in access-list 101 is NOT NATted - you want the traffic to go back to the PPTP clients, NOT out to the Internet:

nat (inside) 0 access-list 101

This line ensures the PIX is ready to accept PPTP:

sysopt connection permit-pptp

These lines specify PPTP group settings:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local

This line sets up a user:

vpdn username cisco password cisco

This line turns PPTP on:

vpdn enable outside
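Before pasting the PPTP-server pieces Tim lists (address pool, nat 0 access-list, existing global range) into a PIX, it helps to check them against each other. The following checker is an added example, not code from this thread or from Cisco; it parses constructed sample configs with placeholder addresses and flags a pool that overlaps the global range (the "Addresses overlap with existing Global range" error reported above), a pool the nat 0 access-list does not exempt from translation, and a pool no vpdn group hands out.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed configs (placeholder addresses). SERVER_OK follows Tim Holman's walkthrough
# above; SERVER_BAD carves the pool out of the global NAT range and leaves it outside nat 0.
SERVER_OK = """
ip local pool pptp-pool 192.168.1.1-192.168.1.50
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
global (outside) 1 203.0.113.5-203.0.113.20
vpdn group 1 client configuration address local pptp-pool
"""
SERVER_BAD = """
ip local pool pptp-pool 203.0.113.10-203.0.113.20
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
global (outside) 1 203.0.113.5-203.0.113.20
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \(outside\) \d+ (\d[\d.]*)(?:-(\d[\d.]*))?")
ASSIGN_RE = re.compile(r"^vpdn group \S+ client configuration address local (\S+)")
def check_pptp_server(config: str) -> list:
    pools, acl_dsts, nat0, global_ranges, assigned = {}, {}, set(), [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ip_address(m.group(2)), ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := ACL_IP_RE.match(line):      # destination network of a "permit ip" line
            acl_dsts.setdefault(m.group(1), []).append(ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
        elif m := GLOBAL_RE.match(line):      # "global (outside) 1 interface" carries no address and is skipped
            global_ranges.append((ip_address(m.group(1)), ip_address(m.group(2) or m.group(1))))
        elif m := ASSIGN_RE.match(line):
            assigned.add(m.group(1))
    problems = []
    exempt = [net for acl in nat0 for net in acl_dsts.get(acl, [])]   # networks excluded from NAT
    for name, (lo, hi) in pools.items():
        if name not in assigned:
            problems.append(f"pool {name} is not assigned to a vpdn group (client configuration address local)")
        for glo, ghi in global_ranges:
            if lo <= ghi and glo <= hi:
                problems.append(f"pool {name} overlaps global (outside) range {glo}-{ghi}")
        if not any(lo in net and hi in net for net in exempt):
            problems.append(f"pool {name} is not covered by the nat (inside) 0 access-list, so replies to clients get NATted")
    return problems
```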
 
Tim HolmanCommented:
To get PPTP to pass through:

You need to setup static NAT for your VPN server:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0

..and allow GRE and PPTP to get through to it:

access-list outside permit gre host xxx.xxx.xxx.xxx
access-list outside permit tcp host xxx.xxx.xxx.xxx eq 1723

 
desk12Author Commented:
Tim,

Thanks.  I will give both a try when I am back in office on tuesday.

Need to check with you:
When you say:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0
access-list outside permit gre host xxx.xxx.xxx.xxx
access-list outside permit tcp host xxx.xxx.xxx.xxx eq 1723

what does the xxx refer to? (which IP is the xxx referring to)
 
Tim HolmanCommented:
xxx.xxx.xxx.xxx is the OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address
static (inside,outside) is the other way round to what you would logically expect !!
So:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
 
desk12Author Commented:
Tim,

outside address... does that mean it is in private IP form like 192.168.xxx.xxx?


The xxx in the below two statements, is it referring to the IP address of the VPN server?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723

Thanks.
 
Tim HolmanCommented:
xxx.xxx.xxx.xxx is the outside address of the VPN server - ie the address you've decided to use for NAT (you will need NAT for your VPN server to be visible to the outside world !!)
yyy.yyy.yyy.yyy is your inside address - ie real address - 192.168.xxx.xxx.
 
desk12Author Commented:
Hmmm..I can use public address for my VPN server right?

As for the below 2 statements, does the xxx refer to my VPN server IP address?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
 
Tim HolmanCommented:
If you want to use the public address of the PIX, then you need to setup port redirection, so, to redirect PPTP:

static (inside,outside) tcp xxx.xxx.xxx.xxx 1723 yyy.yyy.yyy.yyy 1723 netmask 255.255.255.255 0 0

xxx.xxx.xxx.xxx is the PIX OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address

This should be all you need to do.  You can't redirect GRE in a similar fashion as it's not TCP or UDP.

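The pass-through configuration that hawgpig, visioneer and Tim Holman converge on (a one-to-one static plus GRE and TCP/1723 permits on the outside access-list) is easy to get half right, as the original TCP-only attempt, the single-host source and the TCP port redirect above show. The following checker is an added example, not code from this thread or from Cisco; it parses the PIX 6.x commands discussed here from constructed sample configs with placeholder addresses and reports each of those mistakes.

```python
import re

# Constructed configs (placeholder addresses, not real hosts). GOOD mirrors the final
# pass-through answer in this thread; BAD combines the asker's TCP-only access-list, a
# single-host source and a TCP/1723 port redirect, which cannot carry GRE.
GOOD = """
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside permit gre any host 203.0.113.10
access-list outside permit tcp any host 203.0.113.10 eq 1723
access-group outside in interface outside
"""
BAD = """
static (inside,outside) tcp 203.0.113.1 1723 192.168.1.10 1723 netmask 255.255.255.255 0 0
access-list outside permit tcp host 198.51.100.7 host 203.0.113.1 eq 1723
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (?:(tcp|udp) )?(\S+) (?:\d+ )?(\S+)(?: \d+)? netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (gre|tcp) (any|host \S+) host (\S+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def check_pptp_passthrough(config: str) -> list:
    statics, acls, bound = {}, [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)          # outside addr -> None (one-to-one) or "tcp"/"udp"
        elif m := ACL_RE.match(line):
            acls.append(m.groups())                    # (name, proto, source, dest, port)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
    problems = []
    for outside_ip, proto in statics.items():
        if proto:
            problems.append(f"{outside_ip}: port redirection ({proto}) cannot pass GRE; use a one-to-one static")
    targets = {dst for _, _, _, dst, _ in acls}
    for dst in sorted(targets):
        rules = [a for a in acls if a[3] == dst]
        if dst not in statics:
            problems.append(f"{dst}: no static (inside,outside) maps this outside address to the VPN server")
        if not any(a[1] == "gre" for a in rules):
            problems.append(f"{dst}: access-list permits TCP/1723 but not GRE (IP protocol 47)")
        if not any(a[1] == "tcp" and a[4] == "1723" for a in rules):
            problems.append(f"{dst}: access-list does not permit tcp eq 1723")
        if rules and all(a[2] != "any" for a in rules):
            problems.append(f"{dst}: source is a single host; only that one remote client can connect")
        for name in {a[0] for a in rules}:
            if name not in bound:
                problems.append(f"{dst}: access-list {name} is not applied with access-group ... in interface outside")
    return problems
```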
 
Tim HolmanCommented:
Erp... I'm getting confused here - do you want to:

a)  Setup your PIX as a PPTP server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

or

b)  Setup your PIX to pass through PPTP traffic to your VPN Server ?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Both solutions are quite clearly detailed in the above links, so give them a go !  You won't break anything, I promise !
 
desk12Author Commented:
Tim,

Sent you an email. Please check.

Thanks.
 
nodiscoCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept : tim_holman

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer