Enable VPN pass-through PIX 501

Posted on 2004-11-18
Last Modified: 2010-03-18
Hi guys, I am looking to set up a VPN at work and am running into problems.  
I want to use PPTP.
I am using Small Business Server 2000 with Routing and Remote Access enabled.  
I want to connect via Windows built-in connection.
As it stands now I can connect to the VPN via one of our laptops if I use the internal IP addy of the server.  (doesn't pass through the PIX?) However, if I specify our external public IP it gives me an error 678 unable to locate the server.  (the PIX is doing its job?)  
I need help guys and any questions I can answer I will!!
Question by:xfungalx
    LVL 3

    Expert Comment

    Do you have the PIX set up with access lists on the outside interface to allow port 1723 and GRE into the network from the outside?  If you post your PIX config it may make this much easier.  Remember to blank out your outside IP addresses.
    LVL 2

    Expert Comment

    It's very simple: go to the PDM web-based interface of the PIX.

    Go to System Properties, click Advanced, and then you will find PPTP or 1723 somewhere there; just fixup the PPTP protocol.

    It should work.

    LVL 2

    Expert Comment

    You can alternatively try using this command:

    pixfirewall(config)#fixup protocol pptp 1723


    Author Comment

    I have since enabled the PPTP protocol and now from home the error I am receiving is "The PPP control link was terminated". So I think I made it through the firewall but now am having this issue.  If I change the protocol to a different one I will get the error "The server and client could not agree on a PPTP protocol" or something like that.  
    I feel I am getting closer to the answer but not quite there.  I am going out of town later this week and really want to have it working for that.  Thanks for the help thus far guys :)

    : Saved
    : Written by enable_15 at 07:51:48.646 UTC Thu Nov 18 2004
    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password GbuXKeAslJqJMx9E encrypted
    passwd 92wBVddXfkuIooWF encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    access-list allow-in permit icmp any any echo-reply
    access-list allow-in permit icmp any any time-exceeded
    access-list allow-in permit icmp any any source-quench
    access-list allow-in permit icmp any any unreachable
    access-list allow-in permit tcp any host eq www
    access-list allow-in permit tcp any host eq smtp
    access-list nonat permit ip
    pager lines 24
    logging on
    logging trap informational
    logging facility 19
    logging host inside 17/1514
    no logging message 106015
    no logging message 106023
    no logging message 305012
    no logging message 305011
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 304001
    no logging message 609002
    no logging message 609001
    no logging message 302016
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool medi-stim
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    static (inside,outside) tcp smtp smtp netmask 0 0
    static (inside,outside) tcp www www netmask 0 0
    access-group allow-in in interface outside
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host WinRadius timeout 10
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside //bio1
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set rtptac
    crypto map rtprules 20 ipsec-isakmp dynamic dynmap
    crypto map rtprules interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 7200
    vpngroup vpn-in address-pool medi-stim
    vpngroup vpn-in dns-server
    vpngroup vpn-in idle-time 7200
    vpngroup vpn-in password 43he@rt!
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    vpnclient server
    vpnclient mode client-mode
    vpnclient vpngroup vpn-in password 43he@rt!
    terminal width 80
    : end


    Author Comment

    I am now able to connect in a sense.  If a remote user connects I can see them connected on the PIX but I cannot see them connected to the server.  They are given an IP addy that I specified for VPN'rs; however, they cannot see anything on the network, nor can they ping anything.  Why isn't the PIX pushing them through to the RAS?
    I can smell the cheese at the end of the maze but I need some help getting to it.  Any help is greatly appreciated!  Thanks.
    LVL 3

    Accepted Solution

    Ok here's what I'm seeing.  You'll need access lists to allow in PPTP and GRE to get the VPN to pass through properly.  This link should give you all of the commands.

    Also since your statics are limited to SMTP and WWW you may have to make one that allows PPTP as well.  Try these out and let us know how it goes.
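    As an added illustration (not part of the original thread or the poster's config), the PIX 6.3 commands the accepted solution describes: the PPTP fixup, an inbound ACL for TCP/1723 and GRE on the already-bound allow-in list, and a port static for 1723. PUBLIC_IP and SBS_IP are placeholders for the outside address used by the existing smtp/www statics and the inside address of the SBS box, both blanked out of the posted config.

```text
! Added example, not from the thread.  PUBLIC_IP / SBS_IP are placeholders.
! Enable PPTP inspection so the PIX tracks the GRE data sessions set up by the
! control channel (the thread's earlier fixup command).
fixup protocol pptp 1723
! Port static for the PPTP control channel, alongside the existing smtp/www
! statics on the same public address (netmask is the full host mask that the
! poster's IP-scrubbing stripped from the posted "netmask 0 0" lines).
static (inside,outside) tcp PUBLIC_IP 1723 SBS_IP 1723 netmask 255.255.255.255 0 0
! Inbound entries on the allow-in list: PPTP control channel and GRE tunnel traffic.
access-list allow-in permit tcp any host PUBLIC_IP eq 1723
access-list allow-in permit gre any host PUBLIC_IP
! allow-in is already applied inbound on the outside interface in the posted config:
access-group allow-in in interface outside
```

    Restrict `any` in the two access-list lines to the remote users' source addresses where they are known, since an open TCP/1723 listener is otherwise reachable from the whole Internet.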
    LVL 2

    Expert Comment

    OK, I will give you the exact steps in PDM, the best and easiest way around.

    Open PDM, go to CONFIGURATION, then SYSTEM PROPERTIES, then ADVANCED on the left, and then FIXUP, then PPTP. Try this; this should solve the issue without using commands etc. if you're not comfortable with the console.

    Author Comment

    Thanks so much for all the help :)
