Solved

PPTP server configuration on PIX

Posted on 2004-10-26
724 Views
Last Modified: 2013-11-16
I need to configure my PIX 525 firewall as a PPTP server for four different VPN connections. Can someone help me with how to do it and what details I should have from the four vendors to which the VPN connections will be made?
0
Question by:Kevin_J
    30 Comments
     
    LVL 79

    Expert Comment

    by:lrmoore
    Here's a good step-by-step
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

    Let me know if you get stuck or have a specific question on something.

    0
     

    Author Comment

    by:Kevin_J
    I did look up that page but it's confusing.

    For example, I have a vendor that has 3 IPs to access the company network.

    24.77.191.243
    24.77.191.242
    67.69.16.168

    I do have one username for all.


    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp authentication pap


    Which authentication should I use, and in which command should I give the IP addresses of the vendors?

    vpdn group 1 ppp encryption mppe 40|128|auto ==> Is it necessary to use this command, and which bit length should I use?

    They have given access-lists in the configuration which I didn't follow.

    I am confused about how to configure the PPTP.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    OK, let's start with the basics:

    <=== assign a pool of IP addresses to be used by the clients (adjust as you need)
       ip local pool pptp-pool 192.168.11.1-192.168.11.50

    <=== create a nat_zero access-list to bypass nat for traffic to/from this client IP pool to your lan (192.168.100.0)
       access-list nat_zero permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0
       nat (inside) 0 access-list nat_zero

    <== enable sysopt (we can replace this later with access-list restricting to only their IP addresses)
    sysopt connection permit-pptp

    vpdn group 1 accept dialin pptp <== required
    vpdn group 1 ppp authentication pap  <== won't hurt to set them all
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto  <== choose "auto"
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client authentication local
    vpdn username cisco password cisco <== this will be the common username/password
    vpdn enable outside

    That's really all there is to it.

    You can use the nat_zero access-list to further refine the access that's granted to the clients.
    0
     

    Author Comment

    by:Kevin_J
    Thank you. In my case there are 3 IP addresses for one vendor:

    24.77.191.243
    24.77.191.242
    67.69.16.168

    So how will I give it in the pool?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Use a private IP range. This just gives the client an IP address out of a pool that only you can get to.
    Once you get them working, then we'll restrict the access to just those three IPs. Right now, anyone could connect (assuming they know the outside IP of the PIX, and the username/password...)
    0
     

    Author Comment

    by:Kevin_J
    So should I let the vendors know that my pool is 192.168.x.1-192.168.x.50 and they have to connect using this range? But I have a feeling they might not want to change their settings. So is there any way they can connect using their own IP addresses?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    They don't have to change anything. They don't have to know. When they launch their client to connect, the client will be given an IP address out of this pool. That's just the way it works.
    0
     

    Author Comment

    by:Kevin_J
    Oh sorry, I misunderstood the whole concept. Now it's clear to me.

    I did discuss it with my boss and he said that for security reasons we should only assign the IP addresses of the vendors' networks to have VPN access. Is there a command so that we can limit the VPN access only to the IP addresses of the networks we want to connect to us?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Yes. As I alluded to earlier, we can replace the global "sysopt permit-pptp" with access-lists, i.e.
    something like this added to your existing access-list:

    access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 24.77.191.243  any
    access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 24.77.191.242 any
    access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 67.69.16.168 any
    0
     

    Author Comment

    by:Kevin_J
    Thank you so much. Since I am testing the PPTP connectivity now, I haven't restricted the access to any particular networks.

    The testing is not successful. The PPTP clients cannot access the PPTP server (PIX). They are getting error 651:

    Your modem (or other device) reported an error.

    If this is a virtual private network (VPN) connection, you may have specified an incorrect TCP/IP address in the connection configuration, or the server that you are trying to reach may not be available. To determine if the server is available, see your system administrator.

    I even configured a client here and tested it out and I am getting the same error, even if I enable PAP with no encryption at the client side.

    Please help.


    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Can you post your complete PIX config? Be sure to remove any passwords, even the encrypted hash.

    Do you have this?
       sysopt connection permit-pptp

    >I even configured a client here and tested it out and I am getting the same error, even if I enable PAP with no encryption at the client side.
    You can't do it from the inside anyway.
    0
     

    Author Comment

    by:Kevin_J
    I am testing my PPTP connection by setting up a PPTP client on a different internet connection.

    Right now with the sysopt command it's working properly. I can ping all the interfaces of the 3550 from the client. I cannot ping the outside or the inside interface of the PIX from the client.

    When I remove the sysopt command and give the access-lists it's not working. I gave the access-list like you said and applied it to the outside interface with the access-group command.


    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Keep the sysopt, and try this ACL:
     
    access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 24.77.191.243  any
    access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 24.77.191.242 any
    access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
    access-list outside_in permit gre host 67.69.16.168 any
    access-list outside_in deny tcp any any eq 1723

    Then try from a client that is not one of these three and see if it works.
    0
     

    Author Comment

    by:Kevin_J
    I tried it. When the sysopt command is there and I give the access-list like you told me, it accepts from any network. It's like the access-list has no effect since the sysopt is there.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    That's what I was afraid of...
    I have to ask:
    when you tested with the sysopt turned off, did you test from one of those three IPs?

    Let me put my thinking cap on for this one. At least you know it will work, so if they need access they have it. We just need a way to restrict who can access.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    >sysopt command and give the access-lists its not working.
    Let's define that. What part doesn't work? Does it establish the VPN, then just not allow access to anything?
    If yes, we just need to add:
       access-list outside_in permit ip 192.168.11.0 255.255.255.0 any

     
    0
     

    Author Comment

    by:Kevin_J
    For a moment I thought it was working, but it still works for all networks. It still allows all the networks; the only difference is that here it allows them without a sysopt command.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    How about if you go ahead and post your complete current config?
    0
     

    Author Comment

    by:Kevin_J
    I have pasted the complete config below.


    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname cpix0
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network Music3-galaxy
      network-object 10.249.24.17 255.255.255.255
      network-object 10.249.171.17 255.255.255.255
      network-object 10.249.171.18 255.255.255.255
    object-group service tcp-ports tcp
      port-object eq www
      port-object eq ssh
      port-object eq ftp-data
      port-object eq ftp
      port-object range 999 999
    object-group network Music3-galaxy_ref
      network-object 199.59.112.18 255.255.255.255
      network-object 199.59.112.19 255.255.255.255
      network-object 199.59.112.22 255.255.255.255
    access-list outside permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
    access-list outside permit ip 10.249.251.0 255.255.255.0 any
    access-list outside permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp
    access-list outside permit gre host 199.59.112.58 any
    access-list outside deny tcp any any eq pptp
    access-list nat-zero permit ip any 10.249.251.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 199.59.112.15 255.255.255.0
    ip address inside 192.168.248.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 10.249.251.10-10.249.251.100
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat-zero
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 199.59.112.254 1
    route inside 10.0.0.0 255.0.0.0 192.168.248.254 1
    route inside 192.168.249.0 255.255.255.0 192.168.248.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 10.249.250.6 timeout 5 protocol TCP version 1
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username abc password *********
    vpdn enable outside
    terminal width 80

    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    I think I get a bigger picture here...
    This line has me concerned because your PPTP clients are also getting 10.249.251.10-10.249.251.100:
       >route inside 10.0.0.0 255.0.0.0 192.168.248.254 1

    Suggest using something else for the PPTP pool that will not get routed to another router.

    Without the sysopt, it simply should not allow any other hosts to connect except the ones in the ACL.
    Try saving the config, rebooting the PIX and trying again.

    0
     

    Author Comment

    by:Kevin_J
    Thanks for your advice on the PPTP pool IP address. I will look into it.

    I rebooted the PIX today and it's still connecting all hosts without the sysopt command.

    Does it have anything to do with this access-list?

    access-list outside permit ip 10.249.251.0 255.255.255.0 any


    I also wanted to ask how to allow 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server.

    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    >access-list outside permit ip 10.249.251.0 255.255.255.0 any
    Without the sysopt command, this is absolutely necessary to accept traffic from the VPN client itself.

    Can you post the result of "show access-list"?

    0
     

    Author Comment

    by:Kevin_J

    I am posting my access-lists below. Before that, I need help on allowing 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server as a PPTP client.



    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list outside; 19 elements
    access-list outside line 1 permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
    access-list outside line 1 permit tcp any host 199.59.112.18 eq www (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.18 eq ssh (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp-data (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.18 range 999 999 (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.19 eq www (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.19 eq ssh (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp-data (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.19 range 999 999 (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.22 eq www (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.22 eq ssh (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp-data (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp (hitcnt=0)
    access-list outside line 1 permit tcp any host 199.59.112.22 range 999 999 (hitcnt=0)
    access-list outside line 2 permit ip 10.249.251.0 255.255.255.0 any (hitcnt=0)
    access-list outside line 3 permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp (hitcnt=0)
    access-list outside line 4 permit gre host 199.59.112.58 any (hitcnt=0)
    access-list outside line 5 deny tcp any any eq pptp (hitcnt=0)
    access-list nat-zero; 1 elements
    access-list nat-zero line 1 permit ip any 10.249.251.0 255.255.255.0 (hitcnt=8)
    0
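    Added example (not part of the thread, and not lrmoore's or Cisco's code): a small Python evaluator that models how a PIX 6.x interface access-list decides the two PPTP channels, the TCP/1723 control connection and the GRE data channel, with first-match semantics and an implicit deny at the end, and how `sysopt connection permit-pptp` bypasses that list for PPTP traffic terminating on the PIX. It takes the PPTP-related lines from the posted config, adds two constructed entries for the 210.183.130.50 255.255.255.248 range asked about above (normalised to its network address 210.183.130.48, which is the form a PIX ACE for that range should carry), and checks three constructed client addresses: 199.59.112.58 from the config, 210.183.130.50, and 203.0.113.9 as an unlisted host. The source port 51000 is a constructed ephemeral port; a PPTP client does not normally connect from source port 1723, so an entry that carries a source-port clause such as `host 199.59.112.58 eq pptp` only matches when the client happens to use that port, and the evaluation makes that visible.

```python
"""PIX-style interface access-list evaluator (added example, not from the thread).
Models first-match evaluation for both PPTP channels (TCP/1723 control and GRE
data) and the bypass that `sysopt connection permit-pptp` applies to PPTP
traffic terminating on the PIX itself."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PPTP_PORT = 1723  # the PIX keyword "pptp" is TCP port 1723
PORT_NAMES = {"pptp": 1723, "www": 80, "ssh": 22, "ftp": 21, "ftp-data": 20}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "gre" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    src_port: Optional[int]      # None = any source port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # None = any destination port


def network_for(ip, mask):
    """Normalise 'IP MASK' to its network: 210.183.130.50 255.255.255.248 is
    210.183.130.48/29, the address a PIX ACE for that /29 should carry."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at token i."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t, i):
    """Parse an optional 'eq <port|name>' clause starting at token i."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Ace(t[2], t[3], src, sport, dst, dport)

def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port,
             sysopt_permit_pptp=False, pix_outside_ip=None):
    """Return (action, line_number); line_number is None for the implicit deny
    at the end of the list and for a sysopt bypass."""
    if (sysopt_permit_pptp and dst_ip == pix_outside_ip
            and (proto == "gre" or (proto == "tcp" and dst_port == PPTP_PORT))):
        return "permit", None
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, n
    return "deny", None  # implicit deny at the end of every PIX access-list


OUTSIDE_IP = "199.59.112.15"  # PIX outside interface from the posted config

# Lines 2-5 of the posted "outside" access-list, plus two constructed entries
# (lines 4 and 5 here) for the /29 the asker wants to admit.
SAMPLE_ACL = [parse_ace(l) for l in [
    "access-list outside permit ip 10.249.251.0 255.255.255.0 any",
    "access-list outside permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp",
    "access-list outside permit gre host 199.59.112.58 any",
    "access-list outside permit tcp 210.183.130.48 255.255.255.248 host 199.59.112.15 eq pptp",
    "access-list outside permit gre 210.183.130.48 255.255.255.248 any",
    "access-list outside deny tcp any any eq pptp",
]]

def check_pptp_client(client_ip, client_src_port=51000, sysopt=False, acl=SAMPLE_ACL):
    """Decide both PPTP channels for one client. Real clients use an ephemeral
    source port (51000 here, constructed), so an ACE with a source-port clause
    such as 'eq pptp' only matches if that port happens to be 1723."""
    control = evaluate(acl, "tcp", client_ip, client_src_port,
                       OUTSIDE_IP, PPTP_PORT, sysopt, OUTSIDE_IP)
    data = evaluate(acl, "gre", client_ip, None, OUTSIDE_IP, None, sysopt, OUTSIDE_IP)
    return {"control": control, "gre": data}

if __name__ == "__main__":
    for ip in ("199.59.112.58", "210.183.130.50", "203.0.113.9"):
        print(ip, check_pptp_client(ip), "sysopt:", check_pptp_client(ip, sysopt=True))
```

    Run it directly to print the decision for each client with and without the sysopt. Two results matter for hardening: with the sysopt set, every client is permitted regardless of the list, which matches what the thread observed; without it, only an entry that omits the source-port clause matches a client on an ephemeral port, and an unlisted host falls through to the explicit `deny tcp any any eq pptp` line for the control channel and to the implicit deny for GRE.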
     

    Author Comment

    by:Kevin_J
    Hey lrmoore, any suggestions? Please respond soon. I have to wind up this project by today.
    0
     

    Author Comment

    by:Kevin_J
    Hey, I have a suggestion.

    If I give access-list nat-zero permit ip (ip address of the pptp client) 10.249.251.0 255.255.255.0

    will it restrict the access?

    Please respond soon.
    0
     

    Author Comment

    by:Kevin_J
    At least write something, I am running short of time.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Sorry. Been out in the woodworking shop all day. Building an entertainment center.

    Changes to the nat 0 ACL won't make any difference.

    Why not just leave it with the sysopt command? Only those with the username/password will ever be able to log on anyway.
    The only thing we can't get to work is restricting access to only those authorized IPs.
    I think I've hit a brick wall here.

    Else, if you have a CCO account and SmartNet, you can open a TAC case with Cisco.

    0
     

    Author Comment

    by:Kevin_J
    It's running without the sysopt command at the moment. Should I give the sysopt command or should I leave it the way it is? Which one is more secure?
    0
     
    LVL 79

    Accepted Solution

    by:
    I think that the way you have it now is more secure without the sysopt...
    0
     

    Author Comment

    by:Kevin_J
    Thank you so much for trying your best on all the questions I have asked.
    I really appreciate it. God bless you!!!
    0
