Solved

Outgoing VPN in Hotel Setting

Posted on 2004-09-09
Last Modified: 2013-11-16
I am setting up a PIX 515E in a hotel setting and I would like to allow guests VPN access back to their respective offices.  Essentially the PIX should allow VPN traffic to pass through from the hotel guest's PC back to their respective server.  There are three interfaces on the PIX:  outside (internet), inside (hotel staff), and rooms (hotel guests).

For PPTP, my understanding is that I need to open the pptp/tcp port and Protocol 47 (GRE).  I have created access rules for those between the rooms and outside interfaces, but I still can't get it to work.  Is there something else that needs to be done?
Question by:rsochan
 

Expert Comment

by:LimeSMJ
ID: 12022402
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

If this does not work then the user who is trying to access his/her VPN may be using a non-standard port/software to connect.
 

Expert Comment

by:Tim Holman
ID: 12027910
TCP port 1723 and GRE should be all you need for PPTP VPNs, but you may need udp 500, 4500 and 10000 ports allowed through for IPSEC VPNs too.
 

Author Comment

by:rsochan
ID: 12028394
When I try to PPTP VPN from my laptop to my office server from home (using a simple D-Link gateway router), I have no problem.  When I try the same thing at the hotel thru the PIX firewall, the connection seems to get hung up on the verifying password part.  The document that LimeSMJ pointed me to suggests that the PIX requires more than just opening TCP/1723 and allowing GRE.  There needs to be some kind of link between the two.  I just haven't figured out how to do this in the PIX gui yet.

 

Expert Comment

by:Tim Holman
ID: 12039280
You need to do 'fixup pptp' as well on the PIX for this to work, and 'fixup gre' if it lets you.
 

Author Comment

by:rsochan
ID: 12067566
The command 'fixup pptp' does not exist, but the command 'fixup protocol pptp 1723' (taken from LimeSMJ's URL link) is valid and now everything is working!  I wonder what the 'fixup' command is doing?  I know of another PIX firewall at a different location that does not have this command, and VPN using PPTP works just fine over there...
 

Assisted Solution

by:Tim Holman
ID: 12072322
Sorry, I am doing this from memory!
The official link is here:

http://www.cisco.com/warp/public/110/pix_pptp.html

fixup pptp only came to be in PIX v6.3 - the other PIX you're talking about probably doesn't have this code release yet.
 

Accepted Solution

by:LimeSMJ
ID: 12072449
The 'fixup protocol' command is just mapping for the ASA to allow the specified application protocol(s) to the port number(s) defined.

In your case, the port for the pptp is not open by default so any pptp connection requests were denied.  By running the 'fixup protocol pptp 1723' command, you are now allowing pptp traffic to use port 1723 in the PIX.  If in the future you want to close this application port up again, just type 'no fixup protocol pptp 1723' and the PIX will block those packets again.
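An added audit script, not from this thread or from Cisco, that checks a PIX 6.x-style configuration for the three things the discussion converged on: TCP/1723 and GRE permitted in the ACL bound to the guest ("rooms") interface, plus 'fixup protocol pptp 1723'. The configuration text is constructed for the example and the parser only understands the 'access-list', 'access-group' and 'fixup protocol' syntax shown here.

```python
import re

# Constructed PIX 6.x-style config, modelled on the thread: the guest "rooms"
# interface permits TCP/1723 and GRE outbound, but the PPTP fixup is missing.
CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 rooms security50
access-list rooms_out permit tcp any any eq 1723
access-list rooms_out permit gre any any
access-list rooms_out permit tcp any any eq www
access-group rooms_out in interface rooms
fixup protocol http 80
"""
# Same config after the command that fixed the asker's problem.
CONFIG_AFTER = CONFIG_BEFORE + "fixup protocol pptp 1723\n"

def parse_pix(config: str) -> dict:
    """Collect ACL entries, interface bindings and enabled fixups (assumed syntax)."""
    acls, bindings, fixups = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            bindings[m.group(2)] = m.group(1)
        m = re.match(r"(no )?fixup protocol (\S+) (\d+)", line)
        if m:  # 'no fixup protocol ...' disables the inspection again, as LimeSMJ notes
            key = (m.group(2), int(m.group(3)))
            if m.group(1):
                fixups.discard(key)
            else:
                fixups.add(key)
    return {"acls": acls, "bindings": bindings, "fixups": fixups}

def pptp_passthrough_status(config: str, guest_if: str = "rooms") -> dict:
    """Report which of the three PPTP pass-through requirements are met."""
    cfg = parse_pix(config)
    entries = cfg["acls"].get(cfg["bindings"].get(guest_if, ""), [])
    tcp_1723 = any(a == "permit" and p == "tcp" and re.search(r"eq (1723|pptp)\b", rest)
                   for a, p, rest in entries)
    gre = any(a == "permit" and p == "gre" for a, p, _ in entries)
    fixup = ("pptp", 1723) in cfg["fixups"]
    return {"tcp_1723": tcp_1723, "gre": gre, "fixup_pptp": fixup,
            "ok": tcp_1723 and gre and fixup}
```

Running `pptp_passthrough_status(CONFIG_BEFORE)` reports the ACL entries present but `fixup_pptp` False, matching the asker's stuck-at-password symptom; the same call on `CONFIG_AFTER` reports all three as met.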
