Solved

Cisco PIX 501 won't pass through VPN to Windows 2003 Server...error 800

Posted on 2004-09-10
Last Modified: 2010-04-11
Hi All,
I'm needing help getting a vpn connection through a PIX 501 to a Windows 2003 Server.  This question does not involve the Cisco VPN client software, just the normal "Create a new connection" routine in XP Pro.

From within the PIX, I can create this connection with no problems.  RRAS is solid on the server.  From outside the PIX, I get an error 800.

The current PIX access-list details are pasted below for your reference.  Any ideas?

Thanks,
Terry


pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 110; 9 elements
access-list 110 line 1 permit icmp any any (hitcnt=44)
access-list 110 line 2 permit tcp any interface outside eq 3389 (hitcnt=38)
access-list 110 line 3 permit tcp any host 192.168.0.1 eq 3389 (hitcnt=0)
access-list 110 line 4 permit tcp any host 192.168.0.1 eq pcanywhere-data (hitcnt=0)
access-list 110 line 5 permit udp any host 192.168.0.1 eq pcanywhere-status (hitcnt=0)
access-list 110 line 6 permit tcp any interface outside eq pcanywhere-data (hitcnt=2)
access-list 110 line 7 permit udp any interface outside eq pcanywhere-status (hitcnt=2)
access-list 110 line 8 permit gre any host 192.168.0.1 (hitcnt=0)
access-list 110 line 9 permit ip any host 192.168.0.1 (hitcnt=0)
access-list 120; 1 elements
access-list 120 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat; 2 elements
access-list nonat line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat line 2 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
access-list 121; 1 elements
access-list 121 line 1 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
pixfirewall(config)#
Question by:colepc
10 Comments
 
LVL 7

Expert Comment

by:wparrott
ID: 12033062
Found this on MS website:

http://support.microsoft.com/default.aspx?scid=kb;en-us;319108

What version firmware are you running on the 501?
LVL 79

Expert Comment

by:lrmoore
ID: 12033909
You must have a 1-1 static NAT.
If you are trying to use the PIX interface as your only public IP, you will not be able to re-direct GRE to the internal server.

Author Comment

by:colepc
ID: 12034135
Version is 6.3(1)

Author Comment

by:colepc
ID: 12034137
lrmoore, is your 2nd statement true if there is a 1-1 static NAT?
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12034274
The two are mutually exclusive.
Either you are using more than one public IP with one assigned to the interface and another as a 1-1 static nat to an inside host,
OR, you only have one IP address and it is assigned to the outside interface of the PIX.

You can forward tcp port 1723 to the inside server using the outside interface IP, i.e.
   static (inside,outside) tcp interface 1723 192.168.1.100 1723 netmask 255.255.255.255
This will permit you to authenticate a VPN session, but you cannot establish the GRE tunnel to actually pass traffic.

You cannot port-forward the GRE protocol. It requires a 1-1 static NAT:
   static (inside,outside) <public ip> 192.168.1.100 netmask 255.255.255.255

You cannot use the outside interface for a 1-1 nat, you must use a 2nd IP:
  static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
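To make the accepted answer's distinction concrete, here is an added Python checker (not from the thread or from Cisco) that parses PIX-style `static` and `access-list` lines and reports whether an outside PPTP client gets both the TCP 1723 control channel and the GRE tunnel to the inside server. The two sample configs, the public IP 203.0.113.10 and the inside host 192.168.1.100 (borrowed from the answer's own example) are constructed for illustration.

```python
import re

# Constructed sample configs modelled on the accepted answer's two cases (not the question's PIX output).
PORT_FORWARD_ONLY = """
static (inside,outside) tcp interface 1723 192.168.1.100 1723 netmask 255.255.255.255
access-list 110 permit tcp any interface outside eq 1723
access-list 110 permit gre any interface outside
"""
ONE_TO_ONE = """
static (inside,outside) 203.0.113.10 192.168.1.100 netmask 255.255.255.255
access-list 110 permit tcp any host 203.0.113.10 eq 1723
access-list 110 permit gre any host 203.0.113.10
"""

RE_PORT = re.compile(r"static \(inside,outside\) tcp (\S+) (\d+) (\S+) \d+ netmask")
RE_1TO1 = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
# On PIX 6.x the outside ACL names the global (translated) address; "interface outside" is the PIX's own IP.
RE_ACL = re.compile(r"access-list \S+ permit (\S+) any (?:host (\S+)|interface outside)(?: eq (\S+))?")

def parse(config):
    port_fwd, one_to_one, acl = [], [], []
    for line in config.strip().splitlines():
        if m := RE_PORT.match(line):
            port_fwd.append((m[1], int(m[2]), m[3]))        # public, port, inside host
        elif m := RE_1TO1.match(line):
            one_to_one.append((m[1], m[2]))                  # public, inside host
        elif m := RE_ACL.match(line):
            acl.append((m[1], m[2] or "interface", m[3]))    # proto, public dest, port
    return port_fwd, one_to_one, acl

def permitted(acl, proto, dest, port=None):
    return any(p in (proto, "ip") and d == dest and (port is None or pt in (None, str(port)))
               for p, d, pt in acl)

def pptp_check(config, server):
    """Classify an outside PPTP client's path to the inside RRAS server."""
    port_fwd, one_to_one, acl = parse(config)
    # TCP 1723 (the control channel) can arrive via a port forward or a 1-1 static.
    tcp_dests = {pub for pub, port, ins in port_fwd if port == 1723 and ins == server}
    # GRE (IP protocol 47) carries no port, so a port forward cannot match it; only a
    # 1-1 static delivers it, and the PIX will not accept one on its own interface IP.
    gre_dests = {pub for pub, ins in one_to_one if ins == server and pub != "interface"}
    tcp_ok = any(permitted(acl, "tcp", d, 1723) for d in tcp_dests | gre_dests)
    gre_ok = any(permitted(acl, "gre", d) for d in gre_dests)
    if tcp_ok and gre_ok:
        return "ok: control channel and GRE tunnel both reach the server"
    if tcp_ok:
        return "control channel only: authentication can succeed but no GRE tunnel"
    return "blocked: no path for TCP 1723 to the server"
```

Run `pptp_check(PORT_FORWARD_ONLY, "192.168.1.100")` against `pptp_check(ONE_TO_ONE, "192.168.1.100")` to see the port-forward case stop at the control channel while the 1-1 static passes both.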
LVL 79

Expert Comment

by:lrmoore
ID: 12034297
An alternative for you is to use the PIX itself as your PPTP server and pass authentication over to the Windows 2003 server.
Set up the PIX as the PPTP end-point:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

You can set up the Win2k3 server as a Radius server (Internet Authentication Service) to authenticate your users.
Use the Radius Authentication section in the above document to set that up.

Author Comment

by:colepc
ID: 12034701
Are your comments about having one outside IP address and using 1-1 NAT consistent with the info found here:
       http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Specifically, the part of this document related to version 6.3 which mentions "You do not need to define a static mapping if the PPTP fixup protocol is enabled; you can use PAT."

I may be misinterpreting that, though.  What is your opinion?
LVL 79

Expert Comment

by:lrmoore
ID: 12034906
The PPTP fixup is for outbound connections. If you look at that link, that comment pertains to the section on Client Inside, Server Outside.

If you go further down to PPTP with Client Outside and the Server Inside, you will notice the config example clearly shows a 1-1 static nat to the PPTP inside server, with no reference to fixup.

Author Comment

by:colepc
ID: 12034941
Thanks for your help and explanations!

LVL 79

Expert Comment

by:lrmoore
ID: 12035058
My pleasure. Thanks!