  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 832

PPTP server configuration on PIX

I need to configure my PIX 525 firewall as a PPTP server for four different VPN connections. Can someone help me with how to do it, and with what details I should get from the four vendors to which the VPN connections will be made?
Asked by Kevin_J
1 Solution
 
lrmoore commented:
Here's a good step-by-step:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Let me know if you get stuck or have a specific question on something.


Kevin_J (author) commented:
I did look up that page, but it's confusing.

For example, I have a vendor that has 3 IPs to access the company network:

24.77.191.243
24.77.191.242
67.69.16.168

I do have one username for all.


vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp authentication pap


Which authentication should I use, and in which command should I give the IP addresses of the vendors?

vpdn group 1 ppp encryption mppe 40|128|auto ==> Is it necessary to use this command, and which bit length should I use?

They have given access-lists in the configuration which I didn't follow.

I am confused about how to configure the PPTP

lrmoore commented:
OK, let's start with the basics:

<=== assign a pool of IP addresses to be used by the clients (adjust as you need)
   ip local pool pptp-pool 192.168.11.1-192.168.11.50

<=== create a nat_zero access-list to bypass nat for traffic to/from this client IP pool to your lan (192.168.100.0)
   access-list nat_zero permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0
   nat (inside) 0 access-list nat_zero

<== enable sysopt (we can replace this later with access-list restricting to only their IP addresses)
sysopt connection permit-pptp

vpdn group 1 accept dialin pptp <== required
vpdn group 1 ppp authentication pap  <== won't hurt to set them all
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto  <== choose "auto"
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username cisco password cisco <== this will be the common username/password
vpdn enable outside

That's really all there is to it....

You can use the nat_zero access-list to further refine the access that's granted the clients.
Kevin_J (author) commented:
Thank you. In my case there are 3 IP addresses for one vendor:

24.77.191.243
24.77.191.242
67.69.16.168

So how will I give them in the pool?

lrmoore commented:
Use a private IP range. This just gives the client an IP address out of a pool that only you can get to.
Once you get them working, then we'll restrict the access to just those three IPs. Right now, anyone could connect (assuming they know the outside IP of the PIX, and the username/password...).

Kevin_J (author) commented:
So should I let the vendors know that my pool is 192.168.x.1-192.168.x.50 and that they have to connect using this range? But I have a feeling they might not want to change their settings. So is there any way they can connect using their own IP addresses?

lrmoore commented:
They don't have to change anything. They don't have to know. When they launch their client to connect, the client will be given an IP address out of this pool. That's just the way it works.

Kevin_J (author) commented:
Oh, sorry, I misunderstood the whole concept. Now it's clear to me.

I did discuss it with my boss, and he said that for security reasons we should only assign VPN access to the IP addresses of the vendors' networks. Is there a command so that we can limit the VPN access to only the IP addresses of the networks we want to connect to us?

lrmoore commented:
Yes. As I alluded to earlier, we can replace the global "sysopt permit-pptp" with access-lists, i.e.
something like this added to your existing access-list:

access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.243  any
access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.242 any
access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 67.69.16.168 any

Kevin_J (author) commented:
Thank you so much. Since I am testing the PPTP connectivity now, I haven't restricted the access to any particular networks.

The testing is not successful. The PPTP clients cannot access the PPTP server (PIX). They are getting error 651:

Your modem (or other device) reported an error.

If this is a virtual private network (VPN) connection, you may have specified an incorrect TCP/IP address in the connection configuration, or the server that you are trying to reach may not be available. To determine if the server is available, see your system administrator.

I even configured a client here and tested it out, and I am getting the same error, even if I enable PAP with no encryption at the client side.

Please help



lrmoore commented:
Can you post your complete PIX config? Be sure to remove any passwords, even the encrypted hash.

Do you have this?
   sysopt connection permit-pptp

>I even configured a client here and tested it out and I am getting the same error, even if I enable PAP with no encryption at the client side.
You can't do it from the inside anyway.

Kevin_J (author) commented:
I am testing my PPTP connection by setting up a PPTP client on a different internet connection.

Right now, with the sysopt command, it's working properly. I can ping all the interfaces of the 3550 from the client. I cannot ping the outside or the inside interface of the PIX from the client.

When I remove the sysopt command and give the access-lists, it's not working. I gave the access-list like you said and applied it to the outside interface with the access-group command.



lrmoore commented:
Keep the sysopt, and try this ACL:
 
access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.243  any
access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.242 any
access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 67.69.16.168 any
access-list outside_in deny tcp any any eq 1723

Then try from a client that is not one of these three and see if it works.

Kevin_J (author) commented:
I tried it. When the sysopt command is there and I give the access-list like you told me, it accepts from any network. It's like the access-list has no effect since the sysopt is there.

lrmoore commented:
That's what I was afraid of...
I have to ask--
When you tested with the sysopt turned off, you did test from one of those three IP's?

Let me put my thinking cap on for this one... at least you know it will work, so if they need access they have it. We just need a way to restrict who can access.

lrmoore commented:
>sysopt command and give the access-lists its not working.
Let's define that. What part doesn't work? Does it establish the VPN, then just not allow access to anything?
If yes, we just need to add:
   access-list outside_in permit ip 192.168.11.0 255.255.255.0 any

 

Kevin_J (author) commented:
For a moment I thought it was working, but it still works for all networks. It still allows all the networks; the only difference is that here it allows them without a sysopt command.

lrmoore commented:
How about if you go ahead and post your complete current config?

Kevin_J (author) commented:
I have pasted the complete config below.


PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cpix0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Music3-galaxy
  network-object 10.249.24.17 255.255.255.255
  network-object 10.249.171.17 255.255.255.255
  network-object 10.249.171.18 255.255.255.255
object-group service tcp-ports tcp
  port-object eq www
  port-object eq ssh
  port-object eq ftp-data
  port-object eq ftp
  port-object range 999 999
object-group network Music3-galaxy_ref
  network-object 199.59.112.18 255.255.255.255
  network-object 199.59.112.19 255.255.255.255
  network-object 199.59.112.22 255.255.255.255
access-list outside permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
access-list outside permit ip 10.249.251.0 255.255.255.0 any
access-list outside permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp
access-list outside permit gre host 199.59.112.58 any
access-list outside deny tcp any any eq pptp
access-list nat-zero permit ip any 10.249.251.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 199.59.112.15 255.255.255.0
ip address inside 192.168.248.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.249.251.10-10.249.251.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat-zero
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 199.59.112.254 1
route inside 10.0.0.0 255.0.0.0 192.168.248.254 1
route inside 192.168.249.0 255.255.255.0 192.168.248.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.249.250.6 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username abc password *********
vpdn enable outside
terminal width 80
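The two things this thread keeps circling, whether the `outside` access-list actually confines PPTP to the listed client addresses and whether the PPTP pool sits inside a prefix that `route inside` hands to another router, can be checked mechanically against the config as posted. The following is an added example, not code from the thread, from Cisco, or from either participant: a small Python lint that parses PIX 6.x `access-list`, `ip address`, `ip local pool` and `route` lines, evaluates the `outside` ACL first-match for the two flows a PPTP client needs (TCP/1723 to the outside interface address and GRE), lists inside routes whose prefix covers the pool, and builds the access-list entries for a client host or subnet such as the 210.183.130.50 255.255.255.248 network asked about later in the thread (its network address is 210.183.130.48). It assumes plain `host`, `any` or address/mask sources; object-group entries are skipped rather than expanded. A PPTP client opens its control connection from an ephemeral source port, so the generated entries carry the `eq 1723` qualifier on the destination only. The `SAMPLE_CONFIG` excerpt is taken from the config above; 198.51.100.7 is a constructed outsider address used for the negative case.

```python
"""Lint a PIX 6.x config for the PPTP questions in this thread (added example); SAMPLE_CONFIG is an excerpt of the config posted above."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list outside permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
access-list outside permit ip 10.249.251.0 255.255.255.0 any
access-list outside permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp
access-list outside permit gre host 199.59.112.58 any
access-list outside deny tcp any any eq pptp
ip address outside 199.59.112.15 255.255.255.0
ip address inside 192.168.248.1 255.255.255.0
ip local pool pptp-pool 10.249.251.10-10.249.251.100
route outside 0.0.0.0 0.0.0.0 199.59.112.254 1
route inside 10.0.0.0 255.0.0.0 192.168.248.254 1
route inside 192.168.249.0 255.255.255.0 192.168.248.254 1
"""
PORT_NAMES = {"pptp": 1723}  # PIX prints well-known ports by name
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")

def parse_addr(tokens):
    """Consume 'any', 'host X' or 'X MASK'; an object-group reference yields None."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object-group":
        return None, tokens[2:]
    spec = tokens[1] + "/32" if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    return ipaddress.ip_network(spec, strict=False), tokens[2:]

def strip_ports(tokens):
    """Split off an optional port qualifier (eq/neq/gt/lt X, range A B)."""
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        return " ".join(tokens[:2]), tokens[2:]
    if tokens and tokens[0] == "range":
        return " ".join(tokens[:3]), tokens[3:]
    return "", tokens

def parse_acl(config):
    """ACEs in config order as (acl, action, proto, src_net, dst_net, dst_port_spec)."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        src, tokens = parse_addr(rest.split())
        _, tokens = strip_ports(tokens)            # source-port qualifier, if any
        dst, tokens = parse_addr(tokens)
        dport, _ = strip_ports(tokens)
        if src is not None and dst is not None:    # object-group ACEs are skipped
            entries.append((acl, action, proto, src, dst, dport))
    return entries

def port_matches(spec, port):
    if not spec:
        return True
    kind, *vals = spec.split()
    vals = [int(PORT_NAMES.get(v, v)) for v in vals]
    return {"eq": port == vals[0], "neq": port != vals[0], "gt": port > vals[0],
            "lt": port < vals[0], "range": vals[0] <= port <= vals[-1]}[kind]

def flow_permitted(entries, acl, proto, src_ip, dst_ip, port=None):
    """First-match evaluation of one interface ACL, implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, action, aproto, src, dst, dport in entries:
        if name != acl or aproto not in ("ip", proto):
            continue
        if src_ip in src and dst_ip in dst and (port is None or port_matches(dport, port)):
            return action == "permit"
    return False

def pptp_allowed(config, src_ip, acl="outside"):
    """(TCP/1723 to the outside IP permitted?, GRE to the outside IP permitted?)"""
    outside = re.search(r"^ip address outside (\S+) ", config, re.M).group(1)
    entries = parse_acl(config)
    return (flow_permitted(entries, acl, "tcp", src_ip, outside, 1723),
            flow_permitted(entries, acl, "gre", src_ip, outside))

def pool_route_overlap(config):
    """Inside routes covering the PPTP pool: replies to tunnel clients would go to that next hop."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M).groups()
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    clashes = []
    for iface, net, mask, nexthop in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if iface != "outside" and (lo in prefix or hi in prefix):
            clashes.append((str(prefix), nexthop))
    return clashes

def pptp_aces(client, mask, outside_ip, acl="outside"):
    """The two ACEs a PPTP client host or subnet needs; a non-host mask is normalised to its network."""
    net = ipaddress.ip_network(f"{client}/{mask}", strict=False)
    src = f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"
    return [f"access-list {acl} permit tcp {src} host {outside_ip} eq 1723",
            f"access-list {acl} permit gre {src} host {outside_ip}"]

if __name__ == "__main__":
    print(pool_route_overlap(SAMPLE_CONFIG), pptp_allowed(SAMPLE_CONFIG, "198.51.100.7"))
    print("\n".join(pptp_aces("210.183.130.50", "255.255.255.248", "199.59.112.15")))
```

Run against the posted excerpt, `pool_route_overlap` reports the 10.0.0.0/8 route to 192.168.248.254 as covering the pool, `pptp_allowed` returns (True, True) for 199.59.112.58 and (False, False) for the constructed outsider, and `pptp_aces` for the /29 yields entries with the source written as 210.183.130.48 255.255.255.248. The lint only evaluates the interface ACL as written; it cannot tell you whether the PIX applies that ACL to PPTP sessions terminated on its own interface, which is the behaviour the thread could not pin down.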

lrmoore commented:
I think I get a bigger picture here...
This line has me concerned, because your PPTP clients are also getting 10.249.251.10-10.249.251.100:
   >route inside 10.0.0.0 255.0.0.0 192.168.248.254 1

Suggest using something else for the PPTP pool that will not get routed to another router.

Without the sysopt, it simply should not allow any other hosts to connect except the one in the ACL.
Try saving the config and rebooting the PIX and trying again.


Kevin_J (author) commented:
Thanks for your advice on the PPTP pool IP address. I will look into it.

I rebooted the PIX today, and it's still connecting all hosts without the sysopt command.

Does it have anything to do with this access-list?

access-list outside permit ip 10.249.251.0 255.255.255.0 any


I also wanted to ask how to allow 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server.


lrmoore commented:
>access-list outside permit ip 10.249.251.0 255.255.255.0 any
Without the sysopt command, this is absolutely necessary to accept traffic from the VPN client itself.

Can you post the result of "show access-list"?


Kevin_J (author) commented:

I am posting my access-lists below. Before that, I need help on allowing 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server as a PPTP client.



access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 19 elements
access-list outside line 1 permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
access-list outside line 1 permit tcp any host 199.59.112.18 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 range 999 999 (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 range 999 999 (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 range 999 999 (hitcnt=0)
access-list outside line 2 permit ip 10.249.251.0 255.255.255.0 any (hitcnt=0)
access-list outside line 3 permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp (hitcnt=0)
access-list outside line 4 permit gre host 199.59.112.58 any (hitcnt=0)
access-list outside line 5 deny tcp any any eq pptp (hitcnt=0)
access-list nat-zero; 1 elements
access-list nat-zero line 1 permit ip any 10.249.251.0 255.255.255.0 (hitcnt=8)

Kevin_J (author) commented:
Hey lrmoore, any suggestions? Please respond soon. I have to wind up this project by today.

Kevin_J (author) commented:
Hey, I have a suggestion:

If I give access-list nat-zero permit ip (IP address of the PPTP client) 10.249.251.0 255.255.255.0,

will it restrict the access?

Please  respond soon

Kevin_J (author) commented:
At least write something, I am running short of time.

lrmoore commented:
Sorry. Been out in the woodworking shop all day. Building an entertainment center..

Changes to the nat 0 acl won't make any difference.

Why not just leave it with the sysopt command? Only those with the username/password will ever be able to log on anyway...
The only thing we can't get to work is restricting access to only those authorized IPs.
I think I've hit a brick wall here.

Otherwise, if you have a CCO account and SmartNet, you can open a TAC case with Cisco.


Kevin_J (author) commented:
It's running without the sysopt command at the moment. Should I give the sysopt command, or should I leave it the way it is? Which one is more secure?

lrmoore commented:
I think that the way you have it now is more secure, without the sysopt.

Kevin_J (author) commented:
Thank you so much for trying your best on all the questions I have asked.
I really appreciate it. God bless you !!!