Solved

Enable PPTP on PIX

Posted on 2004-03-31
Last Modified: 2013-11-16
Hi,

I would appreciate it if anyone could provide me with instructions on how to enable PPTP on the PIX for VPN access.

I have set up a WinXP Pro VPN server in my LAN but couldn't figure out how to make it possible for remote clients to connect to it.

Currently running a Cisco PIX with IOS 6.0(1), using static public IP addresses in my LAN.

I have tried this but it doesn't work:
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
xxx refers to the public IP address of the VPN server.
Question by:desk12
39 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10731364
0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10732713
Here is the simple solution

PPTP

> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Just change the ip addresses...
I've never tried this myself....but I understand that you have to go from a static to a static IP address...
I've been told this will not work through PAT on either end....
Let me know if you are using PAT and it works...
Thanks
good Luck
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10737514
There are a couple of things you need to do here.

First, you will have to bypass all access-list checks for PPTP:

sysopt connection permit-pptp

Next, if you are using port address translation (PAT), you will need to use the "fixup" feature to make the translation work.  (If you have a static translation from the client to an outside IP, you don't need this).  The following command is for firmware versions 6.3 and above, so you'll want to upgrade your firmware.  

fixup protocol pptp 1723

Note that this last command will BREAK any PPTP VPNs configured on the PIX itself, if you have any, which it sounds like you don't.

Lastly, you will need to modify/create your access-list to allow IP protocol 47 (gre) and TCP protocol 1723 inbound from any outside host to your VPN server.

0
 
LVL 5

Expert Comment

by:visioneer
ID: 10737517
Now that I think about it, that fixup on port 1723 might only be needed for outbound PPTP.  I dunno, try it either way. :-)
0
 

Author Comment

by:desk12
ID: 10737553
What90 - Thanks for the URL you posted, I will try it out.

Visioneer - I can't afford to upgrade the firmware. Do you think you could provide me with detailed steps on what you have mentioned? Sorry, I am a newbie in networking.  How do I create the access-list for GRE (47) and PPTP (1723) from any outside host to my VPN server?

Thanks.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10737623
The firmware upgrade is free.  You download it from Cisco's site.

hawgpig was heading in the right direction, but his example would only allow one host on the outside to access your server.

First, create your static NAT from the inside to the outside (it's gotta be a one-to-one for this to work -- you cannot use interface PAT here):

static (inside,outside) <outside_ip_address> <inside_ip_address> netmask 255.255.255.255 0 0

Next, create or modify your access list to allow the traffic inbound:

access-list outside_access_in permit gre any  host <outside_IP_address>
access-list outside_access_in permit tcp any  host <outside_IP_address> eq 1723
access-group outside_access_in in interface outside

(Obviously, you would replace <outside_IP_address> and <inside_IP_address> with real IP addresses.)
0
 

Author Comment

by:desk12
ID: 10738085
Guys,

I ran into the following error when I was using the Client notebook (winXp Pro) to do the VPN connection:

After connecting to the internet, when I click on the VPN client, at the verifying username and password box, it throws me an error box saying "Disconnected
Error 619: A Connection to the remote computer could not be established, so the port used for this connection was closed."  I can see on my VPN server (win2000 Srv) that there is some connection activity (the network icon at the lower right taskbar is blinking when the vpn client is trying to connect to it). No logs are recorded at the VPN srv even though I had configured it to log everything.

Does anyone have any idea whether the problem lies with the VPN tunnelling via the Cisco PIX or with the VPN srv configuration?

Thanks.


0
 
LVL 20

Expert Comment

by:What90
ID: 10738151
Have you set the user in AD to have Allow access, rather than use the default user policy (which is deny access)?
0
 

Author Comment

by:desk12
ID: 10738197
I think the error message I got above was due to the VPN srv not being configured to be on AD.

http://support.microsoft.com/default.aspx?scid=kb;en-us;314485&Product=winxp


Hmm... side track a bit.

My PDC is NT 4.0. If I configure the VPN Srv (Win2000 srv) into AD, will it have any impact on my PDC?
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738220
In order to install Active Directory, you would have to upgrade your PDC from NT 4.0 to Windows 2000 or 2003.

On a side note, why not just configure your PIX to be the PPTP server?
0
 

Author Comment

by:desk12
ID: 10738260
How difficult would it be to configure my PIX into a PPTP srv? (* I am not familiar with Cisco stuff and don't want to risk screwing up all the configuration in the PIX)

* My PIX's current firmware is 6.0(1) and I don't have the luxury of upgrading it; is it possible to tweak it into a PPTP srv?

Thanks.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738284
I still don't understand why you can't flash the firmware... it doesn't cost you anything.  Do you need the instructions?

Anyway, it's pretty easy.  Here's a sample config, assuming your internal network is 10.1.69.x and your DNS/WINS server is 10.1.69.100:

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client authentication local
! this next line creates a username for PPTP access
vpdn username testuser password testing!
! this next line creates a pool of addresses for use in this VPN
ip local pool vpn_pool 10.1.69.200-10.1.69.250
! the next line assigns the new pool to the VPN
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_pool
! the next 2 lines configure the DNS/WINS server addresses to hand out to the clients
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.69.100
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.69.100
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn enable outside
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738464
By the way, you can download the updated firmware and a free TFTP server to upload it with here:

http://network.esd101.net/Apps4Install/CiscoPIX/index.asp
0
 

Author Comment

by:desk12
ID: 10738521
Thanks.

My PIX was set up by a System Integrator company; according to their network engineer (the fella who set up the PIX for me), my PIX hardware cannot support the updated firmware, and should I really need to update the firmware, I need to upgrade the PIX RAM.

Is it easy to update the firmware myself? (considering the fact that I have ZERO knowledge of Cisco stuff)

The instructions you have attached seem pretty straightforward; can I try them without updating my PIX firmware?

Thanks.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738564
Your integrator is wrong.  Even a PIX 501 can run 633 (I know because I'm doing it on my own personal firewall and have done so on others).  The install docs say you need more RAM than the 501 has, but I have yet to have a problem with it.  So go for it.

Yes, it is easy to do the firmware upgrade.  You can try it without the upgrade, but I don't know if all the commands are supported.  But 633 fixes some bugs, so I'd upgrade it.

Place the update file (i.e., pix633.bin) on a Trivial File Transfer Protocol (TFTP) server.  There's one for download in the link.

Connect to your PIX through Telnet or through a terminal session.

From enable mode, type:

copy tftp flash

It'll ask you for the IP address of the TFTP server, and the name of the file.  Then boom, it gets the file and installs it.  When it's all done, type:

reload
0
 

Author Comment

by:desk12
ID: 10738731
Ok.. I will give it a try.

Thanks.
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10738901
Legally you must purchase either SMARTnet for your PIX or Cisco P/N PIX-SW-UPGRADE before you can upgrade the firmware on your PIX.  Do not upgrade your firmware if you have not purchased one of these.

-Pascal
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10739030
Ah yes, I forgot about that.  Very good point.
0
 

Author Comment

by:desk12
ID: 10739325
ok. Will consult my System Integrator for advice if I want to upgrade the PIX firmware.

Thanks.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10823233
From what I understand, you have:

VPN Client
|
Internet
|
PIX
|
W2K VPN Server

?

In this case, the sysopt command on the PIX won't help, as this only opens up PPTP destined directly for the PIX itself.
What you need to do is redirect PPTP and GRE as hawgpig first suggested.

Setting up the PIX as a PPTP server is very easy, as per Visioneer's comments.

:)
0
 

Author Comment

by:desk12
ID: 10823728
yup..you are right.

VPN Client
|
Internet
|
PIX
|
Winxp or NT4.0 or Win2k (configure as VPN Server)

I have tried hawgpig's instructions. I can see the VPN client tunnel through the PIX and it is trying to connect to the VPN Server, but the client just times out during the authentication part.  Any idea what went wrong?

I would certainly like to configure my PIX as a PPTP server, but does my current firmware allow me to do so? [*** My PIX's current firmware is 6.0(1) ] If yes, how do I do it?

Please advise.

Thanks.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10825036
Go ahead and try to set it up as per the instructions already provided.  Couldn't hurt to try it.  Back up your current config first, just in case something gets wacky.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10828706
In this example, 189.1.1.1 is the INTERNAL server, 10.0.0.1 is the EXTERNAL NATted address, just to be clear:

> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Are there any authentication errors in the event logs of the domain controllers, or the VPN server itself ?  
Does the VPN server know to route back out via the PIX (ie not the default gateway that all the other clients use, if this is applicable ??)
0
 

Author Comment

by:desk12
ID: 10829574
Visioneer.

What does the following mean? (extract from your above instructions)

access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl

I am using public IP addresses, so how should my configuration be?

Thanks.
0
 

Author Comment

by:desk12
ID: 10831684
Visioneer - I tried it and did not get it to work; while configuring the PIX, I got this error: "Addresses overlap with existing Global range".

Tim_Holman - I tried that also... the client VPN times out during the authentication part.

Visioneer & Tim_Holman
I'm posting my email address (desk12@hotmail.com)
Can you drop me a mail so that I can forward my sh_config to you guys?

Thanks.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10849102
To setup the PIX as a PPTP server, follow the steps here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

So, this line specifies an access list to ensure the local / inside network can get back to the PPTP clients:

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

This line gives the PPTP clients a pool of addresses:

ip local pool pptp-pool 192.168.1.1-192.168.1.50

This line ensures anything in access-list 101 is NOT NATted - you want the traffic to go back to the PPTP clients, NOT out to the Internet:

nat (inside) 0 access-list 101

This line ensures the PIX is ready to accept PPTP:

sysopt connection permit-pptp

These lines specify the PPTP group settings:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local

This line sets up a user:

vpdn username cisco password cisco

This line turns PPTP on:

vpdn enable outside
0
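As an added example (my own code, not from the thread, Cisco or either poster), the script below checks a PIX 6.x PPTP-server fragment for the pieces the two walkthroughs above call out: a vpdn group that accepts PPTP dial-in, at least one PPP authentication method, local client authentication backed by a vpdn username, an address pool that is both defined and assigned to the group, a nat 0 access-list whose destination covers that pool (so replies to the clients are not NATted), plus sysopt connection permit-pptp and vpdn enable outside. It is run over visioneer's config from this thread and over a constructed broken variant; the regexes, check names and the placeholder user in the broken sample are assumptions of mine.

```python
"""Sanity-check a PIX 6.x PPTP-server (vpdn) configuration fragment.

Added example; the parsing and the checks are mine, not Cisco's or the
posters'.  It looks for the pieces the two walkthroughs above describe.
"""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
ACL_IP_RE = re.compile(
    r"^access-list (\S+)(?: line \d+)? permit ip (\S+) (\S+) (\S+) (\S+)$")
VPDN_RE = re.compile(r"^vpdn group (\S+) (.+)$")
USER_RE = re.compile(r"^vpdn username (\S+) password \S+$")


def check_pptp_server(config: str) -> dict:
    """Return {'ok': bool, 'problems': [...], 'notes': [...]} for the fragment."""
    pools, acls, groups, users = {}, {}, {}, []
    nat0_acl, sysopt, enabled = None, False, False
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if not line or line.startswith("!"):  # skip blanks and '!' comments
            continue
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0_acl = m[1]
        elif m := ACL_IP_RE.match(line):
            # the destination network of the nat 0 list is what must cover the pool
            acls.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
        elif m := VPDN_RE.match(line):
            groups.setdefault(m[1], []).append(m[2])
        elif m := USER_RE.match(line):
            users.append(m[1])
        elif line == "sysopt connection permit-pptp":
            sysopt = True
        elif line == "vpdn enable outside":
            enabled = True

    problems, notes = [], []
    if not groups:
        problems.append("no vpdn group defined")
    for name, settings in groups.items():
        if "accept dialin pptp" not in settings:
            problems.append(f"group {name}: missing 'accept dialin pptp'")
        auth = [s.split()[-1] for s in settings if s.startswith("ppp authentication ")]
        if not auth:
            problems.append(f"group {name}: no ppp authentication method")
        if "pap" in auth:
            notes.append(f"group {name}: pap is offered, so a client may send its password in clear text")
        if "client authentication local" in settings and not users:
            problems.append(f"group {name}: local authentication but no vpdn username")
        pool_refs = [s.split()[-1] for s in settings
                     if s.startswith("client configuration address local ")]
        if not pool_refs:
            problems.append(f"group {name}: no address pool assigned")
        for pool in pool_refs:
            if pool not in pools:
                problems.append(f"group {name}: pool {pool} is not defined")
                continue
            first, last = pools[pool]
            if not any(first in n and last in n for n in acls.get(nat0_acl, [])):
                problems.append(f"pool {pool} ({first}-{last}) is not covered by the nat 0 access-list")
    if nat0_acl is None:
        problems.append("no 'nat (inside) 0 access-list' line; inside hosts would be NATted toward the clients")
    if not sysopt:
        problems.append("missing 'sysopt connection permit-pptp'")
    if not enabled:
        problems.append("missing 'vpdn enable outside'")
    return {"ok": not problems, "problems": problems, "notes": notes}


# visioneer's configuration from this thread, verbatim
VISIONEER_CFG = """
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username testuser password testing!
ip local pool vpn_pool 10.1.69.200-10.1.69.250
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_pool
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.69.100
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.69.100
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn enable outside
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0  10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
"""

# constructed broken variant: the nat 0 list covers a different network than
# the pool, and the sysopt line is missing (user/password are placeholders)
BROKEN_CFG = """
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username vpnuser password CHANGE-ME
ip local pool pptp-pool 192.168.1.1-192.168.1.50
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
vpdn enable outside
"""

if __name__ == "__main__":
    for label, cfg in (("visioneer", VISIONEER_CFG), ("broken", BROKEN_CFG)):
        print(label, check_pptp_server(cfg))
```

The pool/nat 0 check is the one that answers desk12's question about the inside_outbound_nat0_acl line: the destination network of that list has to contain every address the pool can hand out, otherwise inside hosts' replies to VPN clients are translated and the tunnel looks like it "authenticates then dies".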
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10849106
To get PPTP to pass through:

You need to setup static NAT for your VPN server:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0

..and allow GRE and PPTP to get through to it:

access-list outside permit gre host xxx.xxx.xxx.xxx
access-list outside permit tcp host xxx.xxx.xxx.xxx eq 1723

0
 

Author Comment

by:desk12
ID: 10851788
Tim,

Thanks.  I will give both a try when I am back in the office on Tuesday.

Need to check with you:
When you say:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0
access-list outside permit gre host xxx.xxx.xxx.xxx
access-list outside permit tcp host xxx.xxx.xxx.xxx eq 1723

what does the xxx refer to? (which IP is the xxx referring to?)

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10852998
xxx.xxx.xxx.xxx is the OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address
static (inside,outside) is the other way round to what you would logically expect !!
So:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
0
 

Author Comment

by:desk12
ID: 10853123
Tim,

outside address... does that mean it is in private IP form like 192.168.xxx.xxx?


For the two statements below, does the xxx refer to the IP address of the VPN server?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723

Thanks.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10854506
xxx.xxx.xxx.xxx is the outside address of the VPN server - ie the address you've decided to use for NAT (you will need NAT for your VPN server to be visible to the outside world !!)
yyy.yyy.yyy.yyy is your inside address - ie real address - 192.168.xxx.xxx.
0
 

Author Comment

by:desk12
ID: 10856266
Hmmm.. I can use a public address for my VPN server, right?

As for the 2 statements below, does the xxx refer to my VPN Server IP address?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10858734
If you want to use the public address of the PIX, then you need to setup port redirection, so, to redirect PPTP:

static (inside,outside) tcp xxx.xxx.xxx.xxx 1723 yyy.yyy.yyy.yyy 1723 netmask 255.255.255.255 0 0

xxx.xxx.xxx.xxx is the PIX OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address

This should be all you need to do.  You can't redirect GRE in a similar fashion as it's not TCP or UDP.

0
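An added example (my own code, not from the thread or Cisco) that applies the pass-through rules given by visioneer (ID 10738623), Tim Holman (ID 10852998) and the accepted answer to a PIX 6.x config fragment: the checker confirms the VPN server has a one-to-one static, that GRE and TCP 1723 are permitted to its outside address, and that the list is applied inbound on the outside interface. A TCP-only port redirect is reported as a problem because, as the accepted answer itself notes, GRE cannot be redirected that way and PPTP carries its tunnel over GRE. The addresses (203.0.113.x, 192.168.1.10) and access-list names in the samples are constructed.

```python
"""Check a PIX 6.x config fragment for PPTP pass-through to an inside VPN server.

Added example; the regexes and checks are mine, not the posters' or Cisco's.
"""
import re

REDIRECT_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (gre|tcp) (any|host \S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def check_pptp_passthrough(config: str, outside_ip: str) -> dict:
    """Return {'ok': bool, 'problems': [...], 'notes': [...]}.

    outside_ip is the public address the VPN server is reached on (the first
    address of the static, xxx.xxx.xxx.xxx in the thread's notation).
    """
    statics, redirects, acl_entries, bound = {}, {}, [], set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse the doubled spaces seen in the posts
        if not line or line.startswith("!"):
            continue
        if m := REDIRECT_RE.match(line):          # static ... tcp OUT PORT IN PORT
            redirects.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := STATIC_RE.match(line):          # static ... OUT IN netmask MASK
            statics[m[1]] = (m[2], m[3])
        elif m := ACL_RE.match(line):
            acl_entries.append({"acl": m[1], "proto": m[2], "src": m[3],
                                "dst": m[4], "port": m[5]})
        elif m := GROUP_RE.match(line):
            bound.add(m[1])

    problems, notes = [], []

    def add(msg):
        if msg not in problems:
            problems.append(msg)

    if outside_ip in statics:
        inside_ip, mask = statics[outside_ip]
        if mask != "255.255.255.255":
            add(f"static for {outside_ip} must be one-to-one (netmask 255.255.255.255)")
        else:
            notes.append(f"{outside_ip} is a one-to-one static for {inside_ip}")
    elif outside_ip in redirects:
        add(f"{outside_ip} only has a TCP port redirect: TCP 1723 is forwarded but "
            "GRE cannot be redirected, so the PPTP tunnel cannot be established")
    else:
        add(f"no static translation for {outside_ip}")

    # PPTP needs both the TCP 1723 control channel and GRE for the tunnel
    wanted = {"gre": None, "tcp": "1723"}
    for proto, port in wanted.items():
        hits = [e for e in acl_entries
                if e["proto"] == proto and e["dst"] == outside_ip and e["port"] == port]
        if not hits:
            label = f"{proto} {port}" if port else proto
            add(f"no access-list entry permitting {label} to host {outside_ip}")
            continue
        for e in hits:
            if e["acl"] not in bound:
                add(f"access-list {e['acl']} is never applied with "
                    f"'access-group {e['acl']} in interface outside'")
            if e["src"] != "any":
                notes.append(f"{proto} permitted only from {e['src']}; other remote clients are blocked")
    return {"ok": not problems, "problems": problems, "notes": sorted(set(notes))}


# constructed sample in the shape visioneer / Tim Holman gave (addresses are made up)
CFG_OK = """
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_access_in permit gre any  host 203.0.113.10
access-list outside_access_in permit tcp any  host 203.0.113.10 eq 1723
access-group outside_access_in in interface outside
"""

# the questioner's original single line, with no static and no access-group
CFG_ORIGINAL = "access-list outside permit tcp any host 203.0.113.10 eq 1723\n"

# the accepted answer's port redirect using the PIX's own outside address
CFG_REDIRECT = """
static (inside,outside) tcp 203.0.113.1 1723 192.168.1.10 1723 netmask 255.255.255.255 0 0
access-list outside permit gre any host 203.0.113.1
access-list outside permit tcp any host 203.0.113.1 eq 1723
access-group outside in interface outside
"""

if __name__ == "__main__":
    print(check_pptp_passthrough(CFG_OK, "203.0.113.10"))
    print(check_pptp_passthrough(CFG_ORIGINAL, "203.0.113.10"))
    print(check_pptp_passthrough(CFG_REDIRECT, "203.0.113.1"))
```

Run against the questioner's original line the checker reports the three things the thread ended up supplying: the missing static, the missing GRE permit, and the access-list that is never bound with access-group. Against hawgpig's host-to-host variant it passes but notes that only the one remote host is allowed, which is visioneer's point about that example.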
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10861496
Erp... I'm getting confused here - do you want to:

a)  Setup your PIX as a PPTP server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

or

b)  Setup your PIX to pass through PPTP traffic to your VPN Server ?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Both solutions are quite clearly detailed in the above links, so give them a go !  You won't break anything, I promise !
0
 

Author Comment

by:desk12
ID: 10920535
Tim,

Sent you an email.  Please check.

Thanks.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16027543
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept : tim_holman

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer
0
