  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 336

Cisco PIX 501 won't pass through VPN to Windows 2003 Server...error 800

Hi All,
I'm needing help getting a vpn connection through a PIX 501 to a Windows 2003 Server.  This question does not involve the Cisco VPN client software, just the normal "Create a new connection" routine in XP Pro.

From within the PIX, I can create this connection with no problems.  RRAS is solid on the server.  From outside the PIX, I get an error 800.

The current PIX access-list details are pasted below for your reference.  Any ideas?

Thanks,
Terry


pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 110; 9 elements
access-list 110 line 1 permit icmp any any (hitcnt=44)
access-list 110 line 2 permit tcp any interface outside eq 3389 (hitcnt=38)
access-list 110 line 3 permit tcp any host 192.168.0.1 eq 3389 (hitcnt=0)
access-list 110 line 4 permit tcp any host 192.168.0.1 eq pcanywhere-data (hitcnt=0)
access-list 110 line 5 permit udp any host 192.168.0.1 eq pcanywhere-status (hitcnt=0)
access-list 110 line 6 permit tcp any interface outside eq pcanywhere-data (hitcnt=2)
access-list 110 line 7 permit udp any interface outside eq pcanywhere-status (hitcnt=2)
access-list 110 line 8 permit gre any host 192.168.0.1 (hitcnt=0)
access-list 110 line 9 permit ip any host 192.168.0.1 (hitcnt=0)
access-list 120; 1 elements
access-list 120 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat; 2 elements
access-list nonat line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat line 2 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
access-list 121; 1 elements
access-list 121 line 1 permit ip 192.168.0.0 255.255.255.0 host 192.168.1.20 (hitcnt=0)
pixfirewall(config)#
1 Solution
 
wparrott commented:
Found this on MS website:

http://support.microsoft.com/default.aspx?scid=kb;en-us;319108

What version firmware are you running on the 501?
 
lrmoore commented:
You must have a 1-1 static NAT
If you are trying to use only the PIX interface as your only public IP, you will not be able to re-direct GRE to the internal server.
 
colepc (author) commented:
Version is 6.3(1)
 
colepc (author) commented:
lrmoore, is your 2nd statement true if there is a 1-1 static NAT?
 
lrmoore commented:
The two are mutually exclusive.
Either you are using more than one public IP with one assigned to the interface and another as a 1-1 static nat to an inside host,
OR, you only have one IP address and it is assigned to the outside interface of the PIX.

You can forward tcp port 1723 to the inside server using the outside interface IP, i.e.
   static (inside,outside) tcp interface 1723 192.168.1.100 1723 netmask 255.255.255.255
This will permit you to authenticate a VPN session, but you cannot establish the GRE tunnel to actually pass traffic.

You cannot port-forward GRE protocol. It requires a 1-1 static nat:
   static (inside,outside) <public ip> 192.168.1.100 netmask 255.255.255.255

You cannot use the outside interface for a 1-1 nat, you must use a 2nd IP:
  static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
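The rule lrmoore lays out above (TCP/1723 can be forwarded on the outside interface address, GRE has no port and so needs a 1-1 static to a second public IP) can be turned into a quick check over `show access-list` and `static` output. The script below is an added example, not code from this thread or from Cisco. The regexes, function names and the two sample configurations are assumptions made here (203.0.113.10 is a made-up public address from documentation space), and the access-list check applies the PIX 6.x rule that an access-list on the outside interface matches the translated (global) address rather than the server's private address.

```python
"""Check whether a PIX 6.x configuration lets an outside PPTP client reach an
inside PPTP (RRAS) server.  PPTP needs two flows through the firewall: the
TCP/1723 control channel and GRE (IP protocol 47) for the tunnel itself.
A port forward on the outside interface address can carry TCP/1723, but GRE
has no port to forward, so it needs a one-to-one static to a second public IP.
Hypothetical checker written for this thread; regexes and names are assumed."""
import re

# "access-list" lines as printed by "show access-list" (the "line N" and
# "(hitcnt=N)" parts are optional so running-config lines parse too).
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:line \d+ )?(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>interface \S+|host \S+|any|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?: \(hitcnt=(?P<hits>\d+)\))?$"
)
# static (inside,outside) tcp <mapped> <mport> <real> <rport> netmask <mask>
STATIC_PORT_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+) netmask \S+$"
)
# static (inside,outside) <mapped> <real> netmask <mask>
STATIC_ONE_TO_ONE_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+) netmask \S+$"
)
PPTP_PORTS = {"1723", "pptp"}  # PIX prints either the number or the service name


def parse_config(text):
    """Split PIX output into access-list entries and static translations."""
    acls, statics = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := STATIC_PORT_RE.match(line):
            statics.append({**m.groupdict(), "kind": "port"})
        elif m := STATIC_ONE_TO_ONE_RE.match(line):
            statics.append({**m.groupdict(), "kind": "one_to_one"})
    return acls, statics


def acl_permits(acls, proto, static, ports=None):
    """True if some permit entry passes `proto` to the static's mapped side.
    On PIX 6.x an access-list on the outside interface matches the global
    (translated) address, so the private server address is not what counts."""
    if static["mapped"] == "interface":
        target = f"interface {static['mapped_if']}"
    else:
        target = f"host {static['mapped']}"
    for e in acls:
        if e["action"] != "permit" or e["dst"] not in ("any", target):
            continue
        if e["proto"] == "ip":
            return True
        if e["proto"] == proto and (ports is None or e["port"] in ports):
            return True
    return False


def check_pptp_passthrough(config_text, inside_server):
    """Return (ok, reasons) for an outside client dialling inside_server."""
    acls, statics = parse_config(config_text)
    mine = [s for s in statics if s["real"] == inside_server]
    one_to_one = [s for s in mine if s["kind"] == "one_to_one" and s["mapped"] != "interface"]
    port_fwd = [s for s in mine if s["kind"] == "port" and s["proto"] == "tcp"
                and s["mapped_port"] in PPTP_PORTS and s["real_port"] in PPTP_PORTS]
    reasons = []

    # 1. TCP/1723 control channel: a port forward or a 1-1 static both carry it.
    control = one_to_one + port_fwd
    if not control:
        reasons.append("no static delivers TCP/1723 to the server")
    elif not acl_permits(acls, "tcp", control[0], PPTP_PORTS):
        reasons.append("access-list does not permit TCP/1723 to the mapped address")

    # 2. GRE tunnel: only a 1-1 static to a dedicated public IP can carry it.
    if any(s["kind"] == "one_to_one" and s["mapped"] == "interface" for s in mine):
        reasons.append("a 1-1 static cannot use the outside interface address; use a second public IP")
    elif not one_to_one:
        if port_fwd:
            reasons.append("port forwarding carries TCP/1723, but GRE has no port to forward; add a 1-1 static")
        else:
            reasons.append("no 1-1 static maps a public IP to the server, so GRE cannot reach it")
    elif not acl_permits(acls, "gre", one_to_one[0]):
        reasons.append("access-list does not permit GRE to the mapped address")
    return not reasons, reasons


# Constructed samples (not the poster's config; 203.0.113.10 is a made-up public IP).
# A: only a TCP/1723 port forward on the interface address, the layout the thread rules out.
SAMPLE_PORT_FORWARD_ONLY = """
access-list 110 line 2 permit tcp any interface outside eq 1723 (hitcnt=5)
access-list 110 line 8 permit gre any host 192.168.0.1 (hitcnt=0)
static (inside,outside) tcp interface 1723 192.168.0.1 1723 netmask 255.255.255.255
"""
# B: a second public IP mapped 1-1, with the access-list written against that mapped IP.
SAMPLE_ONE_TO_ONE = """
access-list 110 line 2 permit tcp any host 203.0.113.10 eq 1723 (hitcnt=5)
access-list 110 line 8 permit gre any host 203.0.113.10 (hitcnt=3)
static (inside,outside) 203.0.113.10 192.168.0.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("port-forward only", SAMPLE_PORT_FORWARD_ONLY), ("1-1 static", SAMPLE_ONE_TO_ONE)):
        ok, why = check_pptp_passthrough(cfg, "192.168.0.1")
        print(f"{name}: {'OK' if ok else 'FAIL'} {why}")
```

Feed it the real `show access-list` and `show static` output with the RRAS server's inside address; sample A reproduces the error-800 situation from the thread (control channel reachable, GRE not), while sample B is the layout lrmoore describes as the only one that works.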
 
lrmoore commented:
An alternative for you is to use the PIX itself as your PPTP server and pass authentication over to the Windows 2003 server.
Set up the PIX as the PPTP end-point:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

You can set up the Win2k3 server as a Radius server (Internet Authentication Service) to authenticate your users.
Use the Radius Authentication section in the above document to set that up.
 
colepc (author) commented:
Are your comments about having one outside ip address and using 1-1 nat consistent with the info found here:
       http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Specifically, the part of this document related to version 6.3 which mentions "You do not need to define a static mapping if the PPTP fixup protocol is enabled; you can use PAT."

I may be misinterpreting that, though.  What is your opinion?
 
lrmoore commented:
The PPTP fixup is for outbound connections. If you notice in that link that comment pertains to the section on Client Inside, Server outside.

If you go further down to PPTP with Client Outside and the Server Inside, you will notice the config example clearly shows a 1-1 static nat to the PPTP inside server, with no reference to fixup.
 
colepc (author) commented:
Thanks for your help and explanations!

 
lrmoore commented:
My pleasure. Thanks!