Solved

Outgoing VPN in Hotel Setting

Posted on 2004-09-09
7
1,302 Views
Last Modified: 2013-11-16
I am setting up a PIX 515E in a hotel setting and I would like to allow guests VPN access back to their respective offices.  Essentially the PIX should allow VPN traffic to pass through from the hotel guest's PC back to their respective server.  There are three interfaces on the PIX:  outside (internet), inside (hotel staff), and rooms (hotel guests).

For PPTP, my understanding is that I need to open the pptp/tcp port and Protocol 47 (GRE).  I have created access rules for those between the rooms and outside interfaces, but I still can't get it to work.  Is there something else that needs to be done?
Question by:rsochan
7 Comments
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12022402
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

If this does not work then the user who is trying to access his/her VPN may be using a non-standard port/software to connect.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027910
TCP port 1723 and GRE should be all you need for PPTP VPNs, but you may need UDP 500, 4500 and 10000 allowed through for IPsec VPNs too.
0
 

Author Comment

by:rsochan
ID: 12028394
When I try to PPTP VPN from my laptop to my office server from home (using a simple D-Link gateway router), I have no problem.  When I try the same thing at the hotel through the PIX firewall, the connection seems to get hung up on the verifying password part.  The document that LimeSMJ pointed me to suggests that the PIX requires more than just opening TCP/1723 and allowing GRE.  There needs to be some kind of link between the two.  I just haven't figured out how to do this in the PIX GUI yet.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12039280
You need to do 'fixup pptp' as well on the PIX for this to work, and 'fixup gre' if it lets you.
0
 

Author Comment

by:rsochan
ID: 12067566
The command 'fixup pptp' does not exist, but the command 'fixup protocol pptp 1723' (taken from LimeSMJ's URL link) is valid and now everything is working!  I wonder what the 'fixup' command is doing?  I know of another PIX firewall at a different location that does not have this command, and VPN using PPTP works just fine over there...
 
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
ID: 12072322
Sorry - am doing this from memory!
The official link is here:

http://www.cisco.com/warp/public/110/pix_pptp.html

fixup pptp only came to be in PIX v6.3 - the other PIX you're talking about probably doesn't have this code release yet.
0
 
LVL 7

Accepted Solution

by:LimeSMJ
LimeSMJ earned 250 total points
ID: 12072449
The 'fixup protocol' command is just mapping for the ASA to allow the specified application protocol(s) to the port number(s) defined.

In your case, the port for the pptp is not open by default so any pptp connection requests were denied.  By running the 'fixup protocol pptp 1723' command, you are now allowing pptp traffic to use port 1723 in the PIX.  If in the future you want to close this application port up again, just type 'no fixup protocol pptp 1723' and the PIX will block those packets again.
0
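The pieces the thread converges on (an outbound rule for TCP 1723 and GRE from the rooms segment, plus `fixup protocol pptp 1723`) collected into one PIX 6.3 configuration fragment. This is an added example, not any poster's running config: the interface names come from the question, but the hardware IDs, security levels, ACL name and the use of interface PAT are assumptions. On PIX 6.3 the PPTP fixup inspects the TCP 1723 control channel and dynamically creates the GRE connection and translation for each call, which is why the tunnel stalls after the password exchange (the GRE data channel) when the fixup is absent even though the access rules look right.

```cisco
! Added example: PIX 6.3 PPTP pass-through for a hotel guest segment.
! Interface names follow the thread; hardware IDs, security levels,
! the ACL name and interface PAT are assumptions for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 rooms security50

! Guests share the outside interface address (PAT). GRE carries no
! port numbers, so several guests' tunnels behind one address can
! only be told apart by PPTP call ID, which the fixup below tracks.
nat (rooms) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound on the rooms interface: permit only the PPTP control
! channel (TCP 1723) and the GRE data channel toward guests' servers.
! Applying an ACL here replaces the default "higher to lower" permit,
! so anything not listed is dropped.
access-list rooms_access_in permit tcp any any eq 1723
access-list rooms_access_in permit gre any any
access-group rooms_access_in in interface rooms

! PPTP inspection (PIX 6.3 and later). Inspects TCP 1723, opens the
! matching GRE connection and builds its xlate per call. Without this
! line the control session completes but the GRE tunnel never passes,
! matching the "hangs at verifying password" symptom in the thread.
fixup protocol pptp 1723

! Checks once a guest has connected:
show fixup
show conn
show xlate
```

Two caveats a practitioner would add. First, the destination `any` in the ACL also matches the inside (hotel staff) network; if guests should not reach staff systems at all, put a `deny ip any <inside-subnet> <mask>` line ahead of the two permits. Second, `show conn` should list both the TCP 1723 session and a GRE entry for a working tunnel; a TCP entry with no GRE entry is the signature of a missing or disabled PPTP fixup, and `show fixup` confirms whether the line is active (the other PIX mentioned in the thread, if it runs a release before 6.3, will not show it).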