Solved

Outgoing VPN in Hotel Setting

Posted on 2004-09-09
1,300 Views
Last Modified: 2013-11-16
I am setting up a PIX 515E in a hotel setting and I would like to allow guests VPN access back to their respective offices.  Essentially the PIX should allow VPN traffic to pass through from the hotel guest's PC back to their respective server.  There are three interfaces on the PIX:  outside (internet), inside (hotel staff), and rooms (hotel guests).

For PPTP, my understanding is that I need to open the pptp/tcp port and Protocol 47 (GRE).  I have created access rules for those between the rooms and outside interfaces, but I still can't get it to work.  Is there something else that needs to be done?
Question by: rsochan

7 Comments
Expert Comment by: LimeSMJ
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

If this does not work then the user who is trying to access his/her VPN may be using a non-standard port/software to connect.

Expert Comment by: Tim Holman
TCP port 1723 and GRE should be all you need for PPTP VPNs, but you may need UDP ports 500, 4500 and 10000 allowed through for IPsec VPNs too.

Author Comment by: rsochan
When I try to PPTP VPN from my laptop to my office server from home (using a simple D-Link gateway router), I have no problem.  When I try the same thing at the hotel through the PIX firewall, the connection seems to get hung up on the verifying password part.  The document that LimeSMJ pointed me to suggests that the PIX requires more than just opening TCP/1723 and allowing GRE.  There needs to be some kind of link between the two.  I just haven't figured out how to do this in the PIX GUI yet.

Expert Comment by: Tim Holman
You need to do 'fixup pptp' as well on the PIX for this to work, and 'fixup gre' if it lets you.

Author Comment by: rsochan
The command 'fixup pptp' does not exist, but the command 'fixup protocol pptp 1723' (taken from LimeSMJ's URL) is valid and now everything is working!  I wonder what the 'fixup' command is doing?  I know of another PIX firewall at a different location that does not have this command, and VPN using PPTP works just fine over there...

Assisted Solution by: Tim Holman (earned 250 total points)

Sorry, I am doing this from memory!
The official link is here:

http://www.cisco.com/warp/public/110/pix_pptp.html

fixup pptp only came to be in PIX v6.3 - the other PIX you're talking about probably doesn't have this code release yet.

Accepted Solution by: LimeSMJ (earned 250 total points)
The 'fixup protocol' command is just mapping for the ASA to allow the specified application protocol(s) to the port number(s) defined.

In your case, the port for PPTP is not open by default, so any PPTP connection requests were denied.  By running the 'fixup protocol pptp 1723' command, you are now allowing PPTP traffic to use port 1723 in the PIX.  If in the future you want to close this application port up again, just type 'no fixup protocol pptp 1723' and the PIX will block those packets again.
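For reference, here is a complete configuration fragment that puts the thread's answer together: the three-interface layout from the question, the permits for TCP/1723 and GRE on the guest interface, and the PPTP fixup that made the connection work. This is an added example, not configuration posted in the thread; the interface names, addresses, access-list name and the PIX 6.3 software level are assumptions (6.3 is assumed because that release introduced the PPTP fixup). One caveat worth having in mind when reading the accepted solution: on PIX 6.3 the fixup is application inspection rather than a plain port permit. It follows the TCP/1723 control channel, creates the GRE connection entry for the data tunnel that control channel negotiates, and, when the guests are behind PAT, translates the GRE call IDs so more than one guest behind the single outside address can hold a tunnel up at the same time. PPP authentication rides inside the GRE tunnel, not the TCP control channel, which is consistent with the "verifying password" hang reported above when only the control channel was getting through.

```text
: Added example, not from the thread. Interface names, addresses and the
: access-list name are assumptions; software assumed to be PIX 6.3.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 rooms security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address rooms 10.2.0.1 255.255.0.0

: PAT every guest out of the outside interface address
global (outside) 1 interface
nat (rooms) 1 10.2.0.0 255.255.0.0

: Guests may open PPTP control connections (TCP/1723) and GRE tunnels
: to any Internet address; nothing else from the rooms network is
: permitted by this list
access-list rooms_out permit tcp 10.2.0.0 255.255.0.0 any eq 1723
access-list rooms_out permit gre 10.2.0.0 255.255.0.0 any
access-group rooms_out in interface rooms

: PPTP inspection: tracks the TCP/1723 control channel, opens the
: matching GRE data channel dynamically and translates GRE call IDs
: under PAT so several guests can each keep a tunnel up
fixup protocol pptp 1723
```

To check that the inspection is active, `show fixup` should list `fixup protocol pptp 1723`; while a guest's tunnel is up, `show conn` shows both the TCP/1723 control connection and a GRE entry for the same guest, and `show xlate` shows the PAT translation. `no fixup protocol pptp 1723` turns the inspection off again.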
