Enable PPTP on PIX

Posted on 2004-03-31
Last Modified: 2013-11-16
Hi,

I would appreciate it if anyone could provide me with instructions on how to enable PPTP on the PIX for VPN access.

I have set up a WinXP Pro VPN server on my LAN but couldn't figure out how to make it possible for remote clients to connect to it.

Currently running a Cisco PIX with IOS 6.0(1), using static Public IP addresses in my LAN.

I have tried this but it didn't work:
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
xxx refers to the public IP address of the VPN server.
Question by:desk12
 
LVL 20

Expert Comment

by:What90
 
LVL 4

Expert Comment

by:hawgpig
Here is the simple solution

PPTP
>
> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Just change the ip addresses...
I've never tried this myself... but I understand that you have to go from a static to a static IP address...
I've been told this will not work through PAT on either end....
Let me know if you are using PAT and it works...
Thanks
Good luck
 
LVL 5

Expert Comment

by:visioneer
There are a couple of things you need to do here.

First, you will have to bypass all access-list checks for PPTP:

sysopt connection permit-pptp

Next, if you are using port address translation (PAT), you will need to use the "fixup" feature to make the translation work.  (If you have a static translation from the client to an outside IP, you don't need this).  The following command is for firmware versions 6.3 and above, so you'll want to upgrade your firmware.  

fixup protocol pptp 1723

Note that this last command will BREAK any PPTP VPNs configured on the PIX itself, if you have any, which it sounds like you don't.

Lastly, you will need to modify/create your access-list to allow IP protocol 47 (GRE) and TCP protocol 1723 inbound from any outside host to your VPN server.

 
LVL 5

Expert Comment

by:visioneer
Now that I think about it, that fixup on port 1723 might only be needed for outbound PPTP.  I dunno, try it either way. :-)
 

Author Comment

by:desk12
What90 - Thanks for the URL you posted, I will try it out.

Visioneer - I can't afford to upgrade the firmware. Do you think you could provide me with detailed steps on what you have mentioned? Sorry, I am a newbie in networking. How do I create the access-list for GRE (47) and PPTP (1723) from any outside host to my VPN server?

Thanks.
 
LVL 5

Expert Comment

by:visioneer
The firmware upgrade is free.  You download it from Cisco's site.

hawgpig was heading in the right direction, but his example would only allow one host on the outside to access your server.

First, create your static NAT from the inside to the outside (it's gotta be a one-to-one for this to work -- you cannot use interface PAT here):

static (inside,outside) <outside_ip_address> <inside_ip_address> netmask 255.255.255.255 0 0

Next, create or modify your access list to allow the traffic inbound:

access-list outside_access_in permit gre any  host <outside_IP_address>
access-list outside_access_in permit tcp any  host <outside_IP_address> eq 1723
access-group outside_access_in in interface outside

(Obviously, you would replace <outside_IP_address> and <inside_IP_address> with real IP addresses.)
 

Author Comment

by:desk12
Guys,

I ran into the following error when I was using the client notebook (WinXP Pro) to do the VPN connection:

After connecting to the Internet, when I click on the VPN client, at the verifying username and password box, it throws me an error box saying "Disconnected. Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed." I can see on my VPN server (Win2000 Srv) that there is some connection activity (the network icon at the lower right taskbar is blinking when the VPN client is trying to connect to it). No logs are recorded at the VPN server even though I had configured it to log everything.

Does anyone have any idea whether the problem lies with the VPN tunnelling via the Cisco PIX or with the VPN server configuration?

Thanks.


 
LVL 20

Expert Comment

by:What90
Have you set the user in AD to have Allow access, rather than use the default user policy (which is deny access)?
 

Author Comment

by:desk12
I think the error message I got above was due to the VPN server not being configured to be on AD.

http://support.microsoft.com/default.aspx?scid=kb;en-us;314485&Product=winxp


Hmm... sidetracking a bit.

My PDC is NT 4.0. If I configure the VPN server (Win2000 server) into AD, will it have any impact on my PDC?
 
LVL 5

Expert Comment

by:visioneer
In order to install Active Directory, you would have to upgrade your PDC from NT 4.0 to Windows 2000 or 2003.

On a side note, why not just configure your PIX to be the PPTP server?
 

Author Comment

by:desk12
How difficult would it be to configure my PIX into a PPTP server? (I am not familiar with Cisco stuff and don't want to risk screwing up all the configuration in the PIX.)

My PIX firmware is currently at 6.0(1), and I don't have the luxury of upgrading it. Is it possible to tweak it into a PPTP server?

Thanks.
 
LVL 5

Expert Comment

by:visioneer
I still don't understand why you can't flash the firmware... it doesn't cost you anything.  Do you need the instructions?

Anyway, it's pretty easy.  Here's a sample config, assuming your internal network is 10.1.69.x and your DNS/WINS server is 10.1.69.100:

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client authentication local
! this next line creates a username for PPTP access
vpdn username testuser password testing!
! this next line creates a pool of addresses for use in this VPN
ip local pool vpn_pool 10.1.69.200-10.1.69.250
! the next line assigns the new pool to the VPN
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_pool
! the next 2 lines configure the DNS/WINS server addresses to hand out to the clients
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.69.100
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.69.100
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn enable outside
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
 
LVL 5

Expert Comment

by:visioneer
By the way, you can download the updated firmware and a free TFTP server to upload it with here:

http://network.esd101.net/Apps4Install/CiscoPIX/index.asp
 

Author Comment

by:desk12
Thanks.

My PIX was set up by a System Integrator company. Their network engineer (the fellow who set up the PIX for me) claims that my PIX hardware cannot support the updated firmware and that, should I really need to update the firmware, I need to upgrade the PIX RAM.

Is it easy to update the firmware myself? (Considering the fact that I have ZERO knowledge of Cisco stuff.)

The instructions you have attached seem pretty straight forward, can I try it without updating my PIX firmware?

Thanks.
 
LVL 5

Expert Comment

by:visioneer
Your integrator is wrong.  Even a PIX 501 can run 633 (I know because I'm doing it on my own personal firewall and have done so on others).  The install docs say you need more RAM than the 501 has, but I have yet to have a problem with it.  So go for it.

Yes, it is easy to do the firmware upgrade.  You can try it without the upgrade, but I don't know if all the commands are supported.  But 633 fixes some bugs, so I'd upgrade it.

Place the update file (i.e., pix633.bin) on a Trivial File Transfer Protocol (TFTP) server.  There's one for download in the link.

Connect to your PIX through Telnet or through a terminal session.

From enable mode, type:

copy tftp flash

It'll ask you for the IP address of the TFTP server, and the name of the file.  Then boom, it gets the file and installs it.  When it's all done, type:

reload
 

Author Comment

by:desk12
OK, I will give it a try.

Thanks.
 
LVL 6

Expert Comment

by:Pascal666
Legally you must purchase either SMARTnet for your PIX or Cisco P/N PIX-SW-UPGRADE before you can upgrade the firmware on your PIX.  Do not upgrade your firmware if you have not purchased one of these.

-Pascal
 
LVL 5

Expert Comment

by:visioneer
Ah yes, I forgot about that.  Very good point.
 

Author Comment

by:desk12
OK. I will consult my System Integrator for advice if I want to upgrade the PIX firmware.

Thanks.
 
LVL 23

Expert Comment

by:Tim Holman
From what I understand, you have:

VPN Client
|
Internet
|
PIX
|
W2K VPN Server

?

In this case, the sysopt command on the PIX won't help, as this only opens up PPTP destined directly for the PIX itself.
What you need to do is redirect PPTP and GRE as hawgpig first suggested.

Setting up the PIX as a PPTP server is very easy, as per Visioneer's comments.

:)
 

Author Comment

by:desk12
Yup, you are right.

VPN Client
|
Internet
|
PIX
|
Winxp or NT4.0 or Win2k (configure as VPN Server)

I have tried hawgpig's instructions. I can see the VPN client tunnel through the PIX and try to connect to the VPN server, but the client just timed out during the authentication part. Any idea what went wrong?

I would certainly like to configure my PIX as a PPTP server, but does my current firmware allow me to do so? [My PIX firmware is currently at 6.0(1).] If yes, how do I do it?

Please advise.

Thanks.
 
LVL 5

Expert Comment

by:visioneer
Go ahead and try to set it up as per the instructions already provided.  Couldn't hurt to try it.  Back up your current config first, just in case something gets wacky.
 
LVL 23

Expert Comment

by:Tim Holman
In this example, 189.1.1.1 is the INTERNAL server, 10.0.0.1 is the EXTERNAL NATted address, just to be clear:

> static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255
> access-list 101 permit tcp host 172.1.1.1 host 189.1.1.1 eq 1723
> access-list 101 permit gre host 172.1.1.1 host 189.1.1.1
> access-group 101 in interface outside

Are there any authentication errors in the event logs of the domain controllers, or the VPN server itself?
Does the VPN server know to route back out via the PIX (i.e. not the default gateway that all the other clients use, if this is applicable)?
 

Author Comment

by:desk12
Visioneer.

What does the following mean? (Extracted from your instructions above.)
access-list inside_outbound_nat0_acl line 2 permit ip 10.1.69.0 255.255.255.0 10.1.69.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl

I am using public IP addresses, so how should my configuration be?

Thanks.
 

Author Comment

by:desk12
Visioneer - I tried it and did not get it to work. While configuring the PIX, I got this error: "Addresses overlap with existing Global range".

Tim_Holman - I tried that also...the client VPN gets timed out during the authentication part.

Visioneer & Tim_Holman
I'm posting my email address (desk12@hotmail.com)
Can you drop me a mail so that I can forward my sh_config to you guys?

Thanks.
 
LVL 23

Expert Comment

by:Tim Holman
To setup the PIX as a PPTP server, follow the steps here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

So, this line specifies an access list to ensure the local / inside network can get back to the PPTP clients:

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

This line gives the PPTP clients a pool of addresses:

ip local pool pptp-pool 192.168.1.1-192.168.1.50

This line ensures anything in access-list 101 is NOT NATted - you want the traffic to go back to the PPTP clients, NOT out to the Internet:

nat (inside) 0 access-list 101

This line ensures the PIX is ready to accept PPTP:

sysopt connection permit-pptp

These lines specify the PPTP group settings:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local

This line sets up a user:

vpdn username cisco password cisco

This line turns PPTP on:

vpdn enable outside
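As an added example (not part of Tim's post or the Cisco document), a small Python check of the relationship the post explains: every address the assigned pool can hand out must fall inside a destination of the nat 0 access-list, otherwise replies to those clients are translated and sent toward the Internet instead of back to the PPTP clients. The config text is constructed in the style of this thread, and the parser handles only the network/mask form of the access-list (not "any").

```python
import ipaddress
import re

# Constructed config in the style of the thread's PIX-as-PPTP-server examples: the
# nat 0 ACL destination must cover every address the PPTP pool can hand out.
SERVER_CONFIG = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool pptp-pool 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 101
vpdn group 1 client configuration address local pptp-pool
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
# Only the "permit ip SRC MASK DST MASK" form is parsed (optional "line N" allowed).
ACL_IP_RE = re.compile(r"^access-list (\S+)(?:\s+line\s+\d+)?\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ASSIGN_RE = re.compile(r"^vpdn group \S+ client configuration address local (\S+)")


def uncovered_pool_addresses(config):
    """Return (pool_name, [addresses]) for addresses in the assigned PPTP pool that
    no destination of the nat 0 ACL covers. An empty list means inside hosts reach
    every client address untranslated."""
    pools, acls, nat0_acl, assigned = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif m := ACL_IP_RE.match(line):
            dest = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append(dest)
        elif m := ASSIGN_RE.match(line):
            assigned = m.group(1)
    if assigned not in pools:
        raise ValueError("vpdn group does not reference a defined ip local pool")
    first, last = pools[assigned]
    dests = acls.get(nat0_acl, [])  # no nat 0 ACL at all means nothing is covered
    missing = [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)
               if not any(ipaddress.ip_address(i) in d for d in dests)]
    return assigned, missing


if __name__ == "__main__":
    print(uncovered_pool_addresses(SERVER_CONFIG))
```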
 
LVL 23

Expert Comment

by:Tim Holman
To get PPTP to pass through:

You need to setup static NAT for your VPN server:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0

..and allow GRE and PPTP to get through to it:

access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723

0
 

Author Comment

by:desk12
Tim,

Thanks.  I will give both a try when I am back in office on tuesday.

Need to check with you:
When you say:

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx 0 0
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723

What does the xxx refer to? (Which IP is the xxx referring to?)

0
 
LVL 23

Expert Comment

by:Tim Holman
xxx.xxx.xxx.xxx is the OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address
static (inside,outside) is the other way round to what you would logically expect !!
So:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
 

Author Comment

by:desk12
Tim,

Outside address... does that mean it is in private IP form like 192.168.xxx.xxx?

For the two statements below, is the xxx referring to the IP address of the VPN server?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723

Thanks.
 
LVL 23

Expert Comment

by:Tim Holman
xxx.xxx.xxx.xxx is the outside address of the VPN server, i.e. the address you've decided to use for NAT (you will need NAT for your VPN server to be visible to the outside world !!)
yyy.yyy.yyy.yyy is your inside address, i.e. the real address, 192.168.xxx.xxx.
 

Author Comment

by:desk12
Hmmm, I can use a public address for my VPN server, right?

As for the two statements below, does the xxx refer to my VPN server IP address?
access-list outside permit gre any host xxx.xxx.xxx.xxx
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 1723
 
LVL 23

Accepted Solution

by:Tim Holman (earned 500 total points)
If you want to use the public address of the PIX, then you need to setup port redirection, so, to redirect PPTP:

static (inside,outside) tcp xxx.xxx.xxx.xxx 1723 yyy.yyy.yyy.yyy 1723 netmask 255.255.255.255 0 0

xxx.xxx.xxx.xxx is the PIX OUTSIDE address
yyy.yyy.yyy.yyy is the INSIDE address

This should be all you need to do.  You can't redirect GRE in a similar fashion as it's not TCP or UDP.

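An added example, not from this thread: a Python checker that reads PIX 6.x-style static and access-list lines and reports whether both halves of PPTP, the TCP/1723 control channel and the GRE tunnel, reach the inside server through a one-to-one static with the access-list bound inbound on the outside interface, and flags the TCP-only port redirection above as incomplete because GRE cannot be redirected. The sample configs, addresses and access-list names are constructed.

```python
import re

# Constructed sample in the style of the thread: VPN server 10.0.0.1 inside, mapped
# one-to-one to 189.1.1.1 outside, ACL 101 applied inbound on the outside interface.
GOOD_CONFIG = """\
static (inside,outside) 189.1.1.1 10.0.0.1 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 189.1.1.1 eq 1723
access-list 101 permit gre any host 189.1.1.1
access-group 101 in interface outside
"""
# Constructed: only the TCP/1723 port redirection from the accepted answer.
REDIRECT_ONLY_CONFIG = """\
static (inside,outside) tcp 203.0.113.1 1723 10.0.0.1 1723 netmask 255.255.255.255 0 0
access-list outside permit tcp any host 203.0.113.1 eq 1723
access-group outside in interface outside
"""

STATIC_1TO1 = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255")
STATIC_TCP = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
GROUP = re.compile(r"^access-group (\S+) in interface outside")


def check_pptp_passthrough(config, inside_server):
    """Report whether PPTP (TCP/1723 control + GRE tunnel) can reach inside_server."""
    result = {"global_ip": None, "tcp_only_redirect": False, "acl_bound": False,
              "tcp1723_ok": False, "gre_ok": False}
    acls, bound = {}, None  # acl name -> [(protocol, rest of line)]; ACL bound on outside
    for line in config.splitlines():
        line = line.strip()
        if (m := STATIC_TCP.match(line)) and m.group(3) == inside_server:
            result["tcp_only_redirect"] = True       # GRE is not TCP/UDP: cannot be redirected
            result["global_ip"] = result["global_ip"] or m.group(1)
        elif (m := STATIC_1TO1.match(line)) and m.group(2) == inside_server:
            result["global_ip"] = m.group(1)         # static (inside,outside) GLOBAL LOCAL
        elif m := ACL.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP.match(line):
            bound = m.group(1)
    gip = result["global_ip"]
    if gip and bound in acls:
        result["acl_bound"] = True
        for proto, rest in acls[bound]:
            if f"host {gip}" not in rest:            # destination must be the mapped address
                continue
            if proto in ("gre", "47"):
                result["gre_ok"] = True
            elif proto == "tcp" and rest.split()[-2:] in (["eq", "1723"], ["eq", "pptp"]):
                result["tcp1723_ok"] = True
    result["complete"] = (bool(gip) and not result["tcp_only_redirect"]
                          and result["gre_ok"] and result["tcp1723_ok"])
    return result


if __name__ == "__main__":
    for name, cfg in (("one-to-one static", GOOD_CONFIG), ("tcp redirect", REDIRECT_ONLY_CONFIG)):
        print(name, check_pptp_passthrough(cfg, "10.0.0.1"))
```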
 
LVL 23

Expert Comment

by:Tim Holman
Erp... I'm getting confused here - do you want to:

a)  Setup your PIX as a PPTP server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

or

b)  Setup your PIX to pass through PPTP traffic to your VPN Server ?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Both solutions are quite clearly detailed in the above links, so give them a go !  You won't break anything, I promise !
 

Author Comment

by:desk12
Tim,

Sent you an email. Please check.

Thanks.
 
LVL 19

Expert Comment

by:nodisco
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept : tim_holman

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer