[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Outgoing VPN in Hotel Setting

Posted on 2004-09-09
7
Medium Priority
?
1,311 Views
Last Modified: 2013-11-16
I am setting up a PIX 515E in a hotel setting and I would like to allow guests VPN access back to their respective offices.  Essentially the PIX should allow VPN traffic to pass through from the hotel guest's PC back to their respective server.  There are three interfaces on the PIX:  outside (internet), inside (hotel staff), and rooms (hotel guests).

For PPTP, my understanding is that I need to open the pptp/tcp port and Protocol 47 (GRE).  I have created access rules for those between the rooms and outside interfaces, but I still can't get it to work.  Is there something else that needs to be done?
0
Comment
Question by:rsochan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12022402
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

If this does not work then the user who is trying to access his/her VPN may be using a non-standard port/software to connect.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027910
TCP port 1723 and GRE should be all you need for PPTP VPNs, but you may need udp 500, 4500 and 10000 ports allowed through for IPSEC VPNs too.
0
 

Author Comment

by:rsochan
ID: 12028394
When I try to PPTP VPN from my laptop to my office server from home (using a simple D-Link gateway router), I have no problem.  When I try the same thing at the hotel thru the PIX firewall, the connection seems to get hung up on the verifying password part.  The document that LimeSMJ pointed me to suggests that the PIX requires more than just opening TCP/1723 and allowing GRE.  There needs to be some kind of link between the two.  I just haven't figured out how to do this in the PIX gui yet.
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12039280
You need to do 'fixup pptp' as well on the PIX for this to work, and 'fixup gre' if it lets you.
0
 

Author Comment

by:rsochan
ID: 12067566
The command 'fixup pptp' does not exist, but the command 'fixup protocol pptp 1723' taken (from LimeSMJ's url link) is valid and now everything is working!  I wonder what the 'fixup' command is doing?  I know of another PIX firewall at a different location that does not have this command, and VPN using pptp works just fine over there...
 
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 1000 total points
ID: 12072322
Sorry - am doing this from memory !
The official link is here:

http://www.cisco.com/warp/public/110/pix_pptp.html

fixup pptp only came to be in PIX v6.3 - the other PIX you're talking about probably doesn't have this code release yet.
0
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 1000 total points
ID: 12072449
The 'fixup protocol' command is just mapping for the ASA to allow the specified application protocol(s) to the port number(s) defined.

In your case, the port for the pptp is not open by default so any pptp connection requests were denied.  By running the 'fixup protocol pptp 1723' command, you are now allowing pptp traffic to use port 1723 in the PIX.  If in the future you want to close this application port up again, just type 'no fixup protocol pptp 1723' and the PIX will block those packets again.
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question