consistel
asked on
VPN Error 721 with PIX Firewall
Hi All,
Trying hard to fix this problem. No Luck. We have this VPN Server (Windows 2000 Server with SP4) in our Main office. All the branch offices connect to this VPN Server using windows XP / Windows 2K VPN (PPTP). All of the offices can connect to this Server except one. This office is behind a PIX Firewall and I have tried configuring this PIX Firewall in all the ways I can. I still get this Error. When I try to dial to the VPN Server, I see "Verifying User Name and Password" box and then after 20 seconds, it says "The remote computer did not respond". I have given the network diagram below:
Branch office ----> PIX -----> DSL Modem -----> Internet ----> Cisco Router ----> PIX -----> Main office with VPN Server
(192.168.1.0)
When I connect to the Internet using a dial-up connection and then connect to VPN, everything works fine. I have given below the PIX Configuration of the Branch office:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco
domain-name aaaaaa.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 aaaaaa.my
name 192.168.0.0 aaaaaa.sg
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any echo
access-list inside_access_in permit gre any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any eq pptp any
access-list outside_access_in permit gre any any
access-list outside_access_in permit udp any eq isakmp any
access-list outside_access_in permit udp any eq bootpc any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.xx.74 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool aaaaaa 192.168.3.100-192.168.3.20
pdm location 192.168.1.45 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location aaaaaa.my 255.255.255.255 inside
pdm location aaaaaa.sg 255.255.255.0 outside
pdm location 192.28.0.45 255.255.255.255 inside
pdm location 192.28.0.0 255.255.255.0 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 219.94.51.75
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 aaaaaa.my 255.255.255.255 0 0
nat (inside) 1 aaaaaa.my 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xx.xx.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.45 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup aaaaaakl address-pool aaaaaa
vpngroup aaaaaakl dns-server xxx.xxx.x.xxx xxx.xxx.x.xxx
vpngroup aaaaaakl idle-time 1800
vpngroup aaaaaakl password ********
telnet 192.168.1.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns xxx.xxx.x.xxx xxx.xxx.x.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain resource
dhcpd auto_config outside
dhcpd enable inside
Here, you can see some configurations related to Cisco VPN. We used to do the Cisco VPN thing previously. Now, we don't use it anymore. We are trying to use just the windows VPN. I need to fix this problem ASAP. Please help!
Trying hard to fix this problem. No Luck. We have this VPN Server (Windows 2000 Server with SP4) in our Main office. All the branch offices connect to this VPN Server using windows XP / Windows 2K VPN (PPTP). All of the offices can connect to this Server except one. This office is behind a PIX Firewall and I have tried configuring this PIX Firewall in all the ways I can. I still get this Error. When I try to dial to the VPN Server, I see "Verifying User Name and Password" box and then after 20 seconds, it says "The remote computer did not respond". I have given the network diagram below:
Branch office ----> PIX -----> DSL Modem -----> Internet ----> Cisco Router ----> PIX -----> Main office with VPN Server
(192.168.1.0)
When I connect to the Internet using a dial-up connection and then connect to VPN, everything works fine. I have given below the PIX Configuration of the Branch office:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco
domain-name aaaaaa.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 aaaaaa.my
name 192.168.0.0 aaaaaa.sg
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any echo
access-list inside_access_in permit gre any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any eq pptp any
access-list outside_access_in permit gre any any
access-list outside_access_in permit udp any eq isakmp any
access-list outside_access_in permit udp any eq bootpc any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.xx.74 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool aaaaaa 192.168.3.100-192.168.3.20
pdm location 192.168.1.45 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location aaaaaa.my 255.255.255.255 inside
pdm location aaaaaa.sg 255.255.255.0 outside
pdm location 192.28.0.45 255.255.255.255 inside
pdm location 192.28.0.0 255.255.255.0 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 219.94.51.75
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 aaaaaa.my 255.255.255.255 0 0
nat (inside) 1 aaaaaa.my 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xx.xx.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.45 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup aaaaaakl address-pool aaaaaa
vpngroup aaaaaakl dns-server xxx.xxx.x.xxx xxx.xxx.x.xxx
vpngroup aaaaaakl idle-time 1800
vpngroup aaaaaakl password ********
telnet 192.168.1.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns xxx.xxx.x.xxx xxx.xxx.x.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain resource
dhcpd auto_config outside
dhcpd enable inside
Here, you can see some configurations related to Cisco VPN. We used to do the Cisco VPN thing previously. Now, we don't use it anymore. We are trying to use just the windows VPN. I need to fix this problem ASAP. Please help!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
blin2000 is on the right track but conduits shouldn't be used,, you can go ahead and use access lists like you have setup already
it should read
access-list outside_access_in permit gre any host outisde_IP_of_ your_VPN_server_here
access-list outside_access_in permit tcp any host outisde_IP_of_ your_VPN_server_here eq 1723
it should read
access-list outside_access_in permit gre any host outisde_IP_of_ your_VPN_server_here
access-list outside_access_in permit tcp any host outisde_IP_of_ your_VPN_server_here eq 1723
If you pay close attention to blin2000's posted quote from Cisco documentation you will see that you *must* have a 1-1 nat mapping. Note also in the posted config that this PIX is using PAT with only one global IP address.
So, without the 1-1 NAT capabilities, adding the access-list or conduit entries does no good.
The only solution using PAT is the "fixup protocol pptp 1723"
Alternatively, they would need more public IP addresses (cost $?) to be able to provide 1-1 NAT for each user that needs to connect via PPTP VPN.
Adding the fixup is a no-cost, no-hassle solution.
So, without the 1-1 NAT capabilities, adding the access-list or conduit entries does no good.
The only solution using PAT is the "fixup protocol pptp 1723"
Alternatively, they would need more public IP addresses (cost $?) to be able to provide 1-1 NAT for each user that needs to connect via PPTP VPN.
Adding the fixup is a no-cost, no-hassle solution.
lrmoore,,, can the fixup let GRE through? I'm not sure.
the answer i posted was if he was using NAT with a 1 to 1 like you mentioned
the answer i posted was if he was using NAT with a 1 to 1 like you mentioned
Yes, the fixup specifically allows the GRE response
"When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. "
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708
"When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. "
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708
ASKER
Lrmoore,
Your suggestion worked as a gem! I removed the access list that you have mentioned and added fixup protocol for pptp and it was right working. You people are really great. I'm very happy that networking world has good assests and resoources like you people. Thanks everyone for your efforts.
Your suggestion worked as a gem! I removed the access list that you have mentioned and added fixup protocol for pptp and it was right working. You people are really great. I'm very happy that networking world has good assests and resoources like you people. Thanks everyone for your efforts.
Can't connect to a VPN server on the outside of the PIX
.Symptom: When attempting to connect to a VPN server on the outside of the PIX it returns error 721, the computer failed to respond.
Resolution: In order to PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723. For example, for pptp add this: conduit permit gre host x.x.x.x any AND conduit permit tcp host x.x.x.x eq 1723. For l2tp over ipsec: conduit permit esp host x.x.x.x any, conduit permit udp host x.x.x.x eq 1701 any AND conduit permit udp host x.x.x.x eq 500 any.