Solved

Cisco PIX 501 won't pass through VPN to Windows 2003 Server...error 800

Posted on 2004-09-10
326 Views
Last Modified: 2010-04-11
Hi All,
I'm needing help getting a vpn connection through a PIX 501 to a Windows 2003 Server.  This question does not involve the Cisco VPN client software, just the normal "Create a new connection" routine in XP Pro.

From within the PIX, I can create this connection with no problems.  RRAS is solid on the server.  From outside the PIX, I get an error 800.

The current PIX access-list details are pasted below for your reference.  Any ideas?

Thanks,
Terry


pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 110; 9 elements
access-list 110 line 1 permit icmp any any (hitcnt=44)
access-list 110 line 2 permit tcp any interface outside eq 3389 (hitcnt=38)
access-list 110 line 3 permit tcp any host 192.168.0.1 eq 3389 (hitcnt=0)
access-list 110 line 4 permit tcp any host 192.168.0.1 eq pcanywhere-data (hitcnt=0)
access-list 110 line 5 permit udp any host 192.168.0.1 eq pcanywhere-status (hitcnt=0)
access-list 110 line 6 permit tcp any interface outside eq pcanywhere-data (hitcnt=2)
access-list 110 line 7 permit udp any interface outside eq pcanywhere-status (hitcnt=2)
access-list 110 line 8 permit gre any host 192.168.0.1 (hitcnt=0)
access-list 110 line 9 permit ip any host 192.168.0.1 (hitcnt=0)
access-list 120; 1 elements
access-list 120 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat; 2 elements
access-list nonat line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat line 2 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
access-list 121; 1 elements
access-list 121 line 1 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
pixfirewall(config)#
Question by:colepc
10 Comments
 
LVL 7

Expert Comment

by:wparrott
ID: 12033062
Found this on MS website:

http://support.microsoft.com/default.aspx?scid=kb;en-us;319108

What version firmware are you running on the 501?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12033909
You must have a 1-1 static NAT.
If you are trying to use only the PIX interface as your only public IP, you will not be able to re-direct GRE to the internal server.
 

Author Comment

by:colepc
ID: 12034135
Version is 6.3(1)
 

Author Comment

by:colepc
ID: 12034137
lrmoore, is your 2nd statement true if there is a 1-1 static NAT?
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12034274
The two are mutually exclusive.
Either you are using more than one public IP with one assigned to the interface and another as a 1-1 static nat to an inside host,
OR, you only have one IP address and it is assigned to the outside interface of the PIX.

You can forward tcp port 1723 to the inside server using the outside interface IP, i.e.
   static (inside,outside) tcp interface 1723 192.168.1.100 1723 netmask 255.255.255.255
This will permit you to authenticate a VPN session, but you cannot establish the GRE tunnel to actually pass traffic.

You cannot port-forward the GRE protocol. It requires a 1-1 static nat:
   static (inside,outside) <public ip> 192.168.1.100 netmask 255.255.255.255

You cannot use the outside interface for a 1-1 nat, you must use a 2nd IP:
  static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
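Added example, not from the thread or from Cisco: a small Python checker that parses the asker's `show access-list` lines and the two kinds of `static` statement lrmoore gives, then reports whether each of PPTP's two inbound flows (TCP 1723 for control, GRE for data) would reach the inside server. It assumes 192.168.0.1 is the inside RRAS server (the host named in the asker's ACL) and uses 203.0.113.10 as a placeholder second public IP. It encodes the rule from the accepted answer (a port redirect cannot carry GRE, and a 1-1 static needs its own public address) plus one PIX 6.x behaviour the thread does not spell out: an ACL on the outside interface is matched against the translated (global) address, which is consistent with the hitcnt=0 on the asker's lines 8 and 9 that name the private address.

```python
"""Added example: why a port redirect cannot carry inbound PPTP on a PIX 6.x while a
1-1 static can.  PPTP needs TCP 1723 (control) plus GRE, IP protocol 47 (data), and GRE
has no port numbers.  Parses `show access-list` lines as pasted in the question and
`static` lines as written in the accepted answer."""
import re
from collections import namedtuple
from typing import Dict, List, Optional

PPTP_PORT = "1723"
ACE_RE = re.compile(r"^access-list (\S+) line \d+ (permit|deny) (\S+) (.+?) \(hitcnt=\d+\)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (.+?) netmask \S+$")
# dst is "any", "host A.B.C.D", "interface outside" or "NET/MASK"; port is None or a literal
Ace = namedtuple("Ace", "acl action proto src dst port")
# global_addr is "interface" or a public IP; proto/ports are set only for a port redirect
Static = namedtuple("Static", "global_addr local_addr proto global_port local_port",
                    defaults=(None, None, None))

def _take_addr(toks):
    """Consume one address spec: any | host X | interface X | NET MASK."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] in ("host", "interface"):
        return f"{toks[0]} {toks[1]}", toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]

def parse_aces(show_output: str) -> List[Ace]:
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue          # skips headers such as "access-list 110; 9 elements"
        acl, action, proto, body = m.groups()
        src, rest = _take_addr(body.split())
        dst, rest = _take_addr(rest)
        port = rest[1] if rest[:1] == ["eq"] else None
        aces.append(Ace(acl, action, proto, src, dst, port))
    return aces

def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    t = m.group(1).split()
    if t[0] in ("tcp", "udp"):      # port redirect: proto global gport local lport
        return Static(t[1], t[3], t[0], t[2], t[4])
    return Static(t[0], t[1])       # 1-1 static: global local

def mapped(s: Static) -> str:
    # destination as an outside client, and the outside ACL, sees it
    return "interface outside" if s.global_addr == "interface" else f"host {s.global_addr}"

def _ace_permits(ace: Ace, dst: str, proto: str, port: Optional[str]) -> bool:
    if ace.action != "permit" or ace.dst not in ("any", dst):
        return False
    if ace.proto == "ip":
        return True
    if ace.proto != proto:
        return False
    return ace.port is None or ace.port in (port, "pptp")

def pptp_reachability(aces: List[Ace], statics: List[Static], server: str,
                      outside_acl: str = "110") -> Dict[str, object]:
    """Can an outside PPTP client reach `server` through these translations and ACL?"""
    result = {"control": False, "gre": False, "notes": []}
    outside = [a for a in aces if a.acl == outside_acl]
    for s in (s for s in statics if s.local_addr == server):
        one_to_one = s.proto is None
        # A port redirect carries only its one TCP/UDP port, so it can never deliver GRE;
        # per the accepted answer a 1-1 static also cannot borrow the interface address.
        delivers_ctl = one_to_one or (s.proto == "tcp" and s.global_port == PPTP_PORT
                                      and s.local_port == PPTP_PORT)
        delivers_gre = one_to_one and s.global_addr != "interface"
        # PIX 6.x evaluates the outside ACL against the translated address, so an ACE
        # naming the private inside address (hitcnt=0 in the question) never matches.
        acl_ctl = any(_ace_permits(a, mapped(s), "tcp", PPTP_PORT) for a in outside)
        acl_gre = any(_ace_permits(a, mapped(s), "gre", None) for a in outside)
        result["notes"].append(f"{mapped(s)}: static delivers tcp/1723={delivers_ctl} "
                               f"gre={delivers_gre}; ACL permits tcp/1723={acl_ctl} gre={acl_gre}")
        result["control"] = result["control"] or (delivers_ctl and acl_ctl)
        result["gre"] = result["gre"] or (delivers_gre and acl_gre)
    return result

# Constructed sample: the relevant lines of the asker's access-list 110.
ASKER_ACL = """\
access-list 110 line 1 permit icmp any any (hitcnt=44)
access-list 110 line 2 permit tcp any interface outside eq 3389 (hitcnt=38)
access-list 110 line 8 permit gre any host 192.168.0.1 (hitcnt=0)
access-list 110 line 9 permit ip any host 192.168.0.1 (hitcnt=0)
"""
# Constructed additions; 203.0.113.10 is a placeholder for a second public IP.
REDIRECT_ACL = ASKER_ACL + "access-list 110 line 10 permit tcp any interface outside eq 1723 (hitcnt=0)\n"
STATIC_ACL = ASKER_ACL + ("access-list 110 line 10 permit tcp any host 203.0.113.10 eq 1723 (hitcnt=0)\n"
                          "access-list 110 line 11 permit gre any host 203.0.113.10 (hitcnt=0)\n")
PORT_REDIRECT = "static (inside,outside) tcp interface 1723 192.168.0.1 1723 netmask 255.255.255.255"
ONE_TO_ONE = "static (inside,outside) 203.0.113.10 192.168.0.1 netmask 255.255.255.255"

def check(acl_text: str, static_line: str, server: str = "192.168.0.1") -> Dict[str, object]:
    return pptp_reachability(parse_aces(acl_text), [parse_static(static_line)], server)

if __name__ == "__main__":
    for acl, st in ((ASKER_ACL, PORT_REDIRECT), (REDIRECT_ACL, PORT_REDIRECT), (STATIC_ACL, ONE_TO_ONE)):
        r = check(acl, st)
        print(f"control={r['control']} gre={r['gre']}", *r["notes"], sep="\n  ")
```

Running the file prints three verdicts: the asker's ACL with a tcp/1723 redirect passes neither flow (no ACE for 1723 on the interface address), adding that ACE lets the control channel authenticate but still drops GRE, and only the 1-1 static on a second public IP with matching ACEs passes both, which is the distinction lrmoore describes.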
 
LVL 79

Expert Comment

by:lrmoore
ID: 12034297
An alternative for you is to use the PIX itself as your PPTP server and pass authentication over to the Windows 2003 server.
Set up the PIX as the PPTP end-point:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

You can set up the Win2k3 server as a Radius server (Internet Authentication Service) to authenticate your users.
Use the Radius Authentication section in the above document to set that up.
 

Author Comment

by:colepc
ID: 12034701
Are your comments about having one outside ip address and using 1-1 nat consistent with the info found here:
       http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Specifically, the part of this document related to version 6.3 which mentions "You do not need to define a static mapping if the PPTP fixup protocol is enabled; you can use PAT."

I may be misinterpreting that, though.  What is your opinion?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12034906
The PPTP fixup is for outbound connections. If you look at that link, that comment pertains to the section on Client Inside, Server Outside.

If you go further down to PPTP with Client Outside and the Server Inside, you will notice the config example clearly shows a 1-1 static nat to the PPTP inside server, with no reference to fixup.
 

Author Comment

by:colepc
ID: 12034941
Thanks for your help and explanations!

 
LVL 79

Expert Comment

by:lrmoore
ID: 12035058
My pleasure. Thanks!
