Solved

PPTP server configuration on PIX

Posted on 2004-10-26
804 Views
Last Modified: 2013-11-16
I need to configure my PIX 525 firewall as a PPTP server for four different VPN connections. Can someone help me with how to do it, and what details I should get from the four vendors to which the VPN connections will be made?
Question by:Kevin_J
30 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12421047
Here's a good step-by-step
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Let me know if you get stuck or have a specific question on something.

0
 

Author Comment

by:Kevin_J
ID: 12428032
I did look up that page but it's confusing.

For example, I have a vendor that has 3 IPs to access the company network.

24.77.191.243
24.77.191.242
67.69.16.168

I do have one username for all.


vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp authentication pap


Which authentication should I use, and in which command should I give the IP addresses of the vendors?

vpdn group 1 ppp encryption mppe 40|128|auto ==> Is it necessary to use this command, and what bit length should I use?

They have given access-lists in the configuration which I didn't follow.

I am confused about how to configure the PPTP.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12428112
OK, let's start with the basics:

<=== assign a pool of IP addresses to be used by the clients (adjust as you need)
   ip local pool pptp-pool 192.168.11.1-192.168.11.50

<=== create a nat_zero access-list to bypass nat for traffic to/from this client IP pool to your lan (192.168.100.0)
   access-list nat_zero permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0
   nat (inside) 0 access-list nat_zero

<== enable sysopt (we can replace this later with access-list restricting to only their IP addresses)
sysopt connection permit-pptp

vpdn group 1 accept dialin pptp <== required
vpdn group 1 ppp authentication pap  <== won't hurt to set them all
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto  <== choose "auto"
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username cisco password cisco <== this will be the common username/password
vpdn enable outside

That's really all there is to it....

You can use the nat_zero access-list to further refine the access that's granted the clients.
0
 

Author Comment

by:Kevin_J
ID: 12428244
Thank You. In my case there are 3 IP addresses for one vendor

24.77.191.243
24.77.191.242
67.69.16.168

So how will I give it in the pool
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12428312
Use a private IP range. This just gives the client an IP address out of a pool that only you can get to.
Once you get them working, then we'll restrict the access to just those three IPs. Right now, anyone could connect (assuming they know the outside IP of the PIX, and the username/password...)
0
 

Author Comment

by:Kevin_J
ID: 12428518
So should I let the vendors know that my pool is 192.168.x.1-192.168.x.50 and that they have to connect using this range? But I have a feeling they might not want to change their settings. So is there any way they can connect using their own IP addresses?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12428538
They don't have to change anything. They don't have to know. When they launch their client to connect, the client will be given an IP address out of this pool. That's just the way it works..
0
 

Author Comment

by:Kevin_J
ID: 12430790
Oh sorry, I misunderstood the whole concept. Now it's clear to me.

I did discuss it with my boss and he said that for security reasons we should only allow the IP addresses of the vendors' networks to have VPN access. Is there a command so that we can limit the VPN access only to the IP addresses of the networks we want to connect to us?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12432787
Yes. As I alluded to earlier, we can replace the global "sysopt permit-pptp" with access-lists, i.e.
something like this added to your existing access-list:

access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.243  any
access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.242 any
access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 67.69.16.168 any
0
 

Author Comment

by:Kevin_J
ID: 12448980
Thank you so much. Since I am testing the PPTP connectivity now, I haven't restricted the access to any particular networks.

The testing is not successful. The PPTP clients cannot access the PPTP server (PIX). They are getting error 651:

Your modem (or other device) reported an error.

If this is a virtual private network (VPN) connection, you may have specified an incorrect TCP/IP address in the connection configuration, or the server that you are trying to reach may not be available. To determine if the server is available, see your system administrator.

I even configured a client here and tested it out and I am getting the same error, even if I enable PAP with no encryption at the client side.

Please help


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12450264
Can you post your complete PIX config? Be sure to remove any passwords, even the encrypted hash.

Do you have this?
   sysopt connection permit-pptp

>I even configured a client here and tested it out and I am getting the same error, even if I enable PAP with no encryption at the client side.
You can't do it from the inside anyway...
0
 

Author Comment

by:Kevin_J
ID: 12466492
I am testing my PPTP connection by setting up a PPTP client on a different internet connection.

Right now with the sysopt command it's working properly. I can ping all the interfaces of the 3550 from the client. I cannot ping the outside or the inside interface of the PIX from the client.

When I remove the sysopt command and give the access-lists, it's not working. I gave the access-list like you said and applied it to the outside interface with the access-group command.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12466531
Keep the sysopt, and try this ACL:
 
access-list outside_in permit tcp host 24.77.191.243 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.243  any
access-list outside_in permit tcp host 24.77.191.242 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 24.77.191.242 any
access-list outside_in permit tcp host 67.69.16.168 eq 1723 host <outside interface ip> eq 1723
access-list outside_in permit gre host 67.69.16.168 any
access-list outside_in deny tcp any any eq 1723

Then try from a client that is not one of these three and see if it works.
0
 

Author Comment

by:Kevin_J
ID: 12467163
I tried it. When the sysopt command is there and I give the access-list like you told me, it accepts from any network. It's like the access-list has no effect since the sysopt is there.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12467315
That's what I was afraid of...
I have to ask:
when you tested with the sysopt turned off, did you test from one of those three IPs?

Let me put my thinking cap on for this one....at least you know it will work, so if they need access they have it. We just need a way to restrict who can access.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12467352
>sysopt command and give the access-lists its not working.
Let's define that. What part doesn't work? Does it establish the VPN, then just not allow access to anything?
If yes, we just need to add:
   access-list outside_in permit ip 192.168.11.0 255.255.255.0 any

 
0
 

Author Comment

by:Kevin_J
ID: 12468804
For a moment I thought it was working, but it still works for all networks. It still allows all the networks; the only difference is that now it allows them without a sysopt command.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12468827
How about if you go ahead and post your complete current config?
0
 

Author Comment

by:Kevin_J
ID: 12468919
I have pasted the complete config below.


PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cpix0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Music3-galaxy
  network-object 10.249.24.17 255.255.255.255
  network-object 10.249.171.17 255.255.255.255
  network-object 10.249.171.18 255.255.255.255
object-group service tcp-ports tcp
  port-object eq www
  port-object eq ssh
  port-object eq ftp-data
  port-object eq ftp
  port-object range 999 999
object-group network Music3-galaxy_ref
  network-object 199.59.112.18 255.255.255.255
  network-object 199.59.112.19 255.255.255.255
  network-object 199.59.112.22 255.255.255.255
access-list outside permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
access-list outside permit ip 10.249.251.0 255.255.255.0 any
access-list outside permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp
access-list outside permit gre host 199.59.112.58 any
access-list outside deny tcp any any eq pptp
access-list nat-zero permit ip any 10.249.251.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 199.59.112.15 255.255.255.0
ip address inside 192.168.248.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.249.251.10-10.249.251.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat-zero
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 199.59.112.254 1
route inside 10.0.0.0 255.0.0.0 192.168.248.254 1
route inside 192.168.249.0 255.255.255.0 192.168.248.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.249.250.6 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username abc password *********
vpdn enable outside
terminal width 80
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12469000
I think I get a bigger picture here...
This line has me concerned because your PPTP clients are also getting 10.249.251.10-10.249.251.100
   >route inside 10.0.0.0 255.0.0.0 192.168.248.254 1

Suggest using something else for the PPTP pool that will not get routed to another router.

Without the sysopt, it simply should not allow any other hosts to connect except the ones in the ACL.
Try saving the config and rebooting the PIX and trying again.

0
 

Author Comment

by:Kevin_J
ID: 12476710
Thanks for your advice on the PPTP pool IP address. I will look into it.

I rebooted the PIX today and still it's connecting all hosts without the sysopt command.

Does it have anything to do with this access-list?

access-list outside permit ip 10.249.251.0 255.255.255.0 any


I also wanted to ask how to allow 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12476930
>access-list outside permit ip 10.249.251.0 255.255.255.0 any
Without the sysopt command, this is absolutely necessary to accept traffic from the VPN client itself.

Can you post the result of "show access-list"?

0
 

Author Comment

by:Kevin_J
ID: 12485860

I am posting my access-lists below. Before that, I need help on allowing 210.183.130.50 with subnet mask 255.255.255.248 to access the PPTP server as a PPTP client.



access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 19 elements
access-list outside line 1 permit tcp any object-group Music3-galaxy_ref object-group tcp-ports
access-list outside line 1 permit tcp any host 199.59.112.18 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.18 range 999 999 (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.19 range 999 999 (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq www (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ssh (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp-data (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 eq ftp (hitcnt=0)
access-list outside line 1 permit tcp any host 199.59.112.22 range 999 999 (hitcnt=0)
access-list outside line 2 permit ip 10.249.251.0 255.255.255.0 any (hitcnt=0)
access-list outside line 3 permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp (hitcnt=0)
access-list outside line 4 permit gre host 199.59.112.58 any (hitcnt=0)
access-list outside line 5 deny tcp any any eq pptp (hitcnt=0)
access-list nat-zero; 1 elements
access-list nat-zero line 1 permit ip any 10.249.251.0 255.255.255.0 (hitcnt=8)
0
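An added audit helper, not part of this thread, written to check the "show access-list" output format posted above: it parses each expanded ACE with its hit count and, for the PPTP-related entries (tcp to port 1723/pptp, plus gre), reports entries that have never been hit and entries that pin the client's source port. In PIX ACL syntax the port operator after the source address is a source-port match, and a PPTP client connects from an ephemeral port, so "host X eq pptp" on the source side matches no real client; hitcnt=0 on both the permit and the deny line means the control-channel packets are not reaching those entries at all. The sample output is constructed from the lines posted above.

```python
import re

# Constructed sample in the "show access-list" shape posted in the thread
SAMPLE = """\
access-list outside; 19 elements
access-list outside line 2 permit ip 10.249.251.0 255.255.255.0 any (hitcnt=0)
access-list outside line 3 permit tcp host 199.59.112.58 eq pptp host 199.59.112.15 eq pptp (hitcnt=0)
access-list outside line 4 permit gre host 199.59.112.58 any (hitcnt=0)
access-list outside line 5 deny tcp any any eq pptp (hitcnt=0)
access-list nat-zero line 1 permit ip any 10.249.251.0 255.255.255.0 (hitcnt=8)
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)$")

def parse_show_access_list(text):
    """One dict per expanded ACE; summary lines without a hitcnt are skipped."""
    entries = []
    for m in filter(None, (ACE_RE.match(l.strip()) for l in text.splitlines())):
        e = m.groupdict()
        e["line"], e["hits"] = int(e["line"]), int(e["hits"])
        entries.append(e)
    return entries

def _take_endpoint(tokens):
    """Consume 'host A' | 'any' | 'A MASK', then an optional port operator."""
    if not tokens:
        return "", None, []
    if tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    elif tokens[0] == "any":
        addr, tokens = "any", tokens[1:]
    else:
        addr, tokens = tokens[0] + " " + tokens[1], tokens[2:]
    # port operator: "eq/neq/gt/lt PORT" takes 2 tokens, "range LO HI" takes 3
    width = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}.get(tokens[0], 0) if tokens else 0
    return addr, (" ".join(tokens[:width]) if width else None), tokens[width:]

def audit_pptp(entries):
    """Report PPTP ACEs that pin the client's source port, and ones never hit."""
    pinned, unhit = [], []
    for e in entries:
        if e["proto"] not in ("tcp", "gre"):
            continue
        _src, sport, rest = _take_endpoint(e["rest"].split())
        _dst, dport, _ = _take_endpoint(rest)
        if e["proto"] == "tcp" and dport not in ("eq pptp", "eq 1723"):
            continue  # some other TCP service, not the PPTP control channel
        key = (e["acl"], e["line"])
        if sport is not None:
            pinned.append(key)  # clients connect from an ephemeral source port
        if e["hits"] == 0:
            unhit.append(key)   # never matched: traffic is not reaching this ACE
    return {"source_port_pinned": pinned, "unhit": unhit}
```

Run audit_pptp(parse_show_access_list(SAMPLE)) against a fresh "show access-list" after a test connection; an unhit deny line together with a working connection is the sign that the interface ACL is not what is admitting the PPTP session.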
 

Author Comment

by:Kevin_J
ID: 12506777
Hey lrmoore, any suggestions? Please respond soon. I have to wind up this project by today.
0
 

Author Comment

by:Kevin_J
ID: 12508562
Hey, I have a suggestion:

if I give access-list nat-zero permit ip (ip address of the pptp client) 10.249.251.0 255.255.255.0

will it restrict the access?

Please respond soon.
0
 

Author Comment

by:Kevin_J
ID: 12509981
At least write something, I am running short of time.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12510050
Sorry. Been out in the woodworking shop all day. Building an entertainment center..

Changes to the nat 0 acl won't make any difference.

Why not just leave it with the sysopt command? Only those with the username/password will ever be able to log on anyway...
The only thing we can't get to work is restricting access to only those authorized IP's....
I think I've hit a brick wall here..

Else, if you have CCO account and SmartNet, you can open a TAC case with Cisco..

0
 

Author Comment

by:Kevin_J
ID: 12510089
It's running without the sysopt command at the moment. Should I give the sysopt command or should I leave it the way it is? Which one is more secure?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12510176
I think that the way you have it now is more secure without the sysopt...
0
 

Author Comment

by:Kevin_J
ID: 12571299
Thank you so much for trying your best on all the questions I have asked.
I really appreciate it. God bless you !!!
0
