VPN Error 721 with PIX Firewall

Hi All,

Trying hard to fix this problem. No luck. We have this VPN Server (Windows 2000 Server with SP4) in our Main office. All the branch offices connect to this VPN Server using Windows XP / Windows 2K VPN (PPTP). All of the offices can connect to this Server except one. This office is behind a PIX Firewall and I have tried configuring this PIX Firewall in all the ways I can. I still get this Error. When I try to dial to the VPN Server, I see "Verifying User Name and Password" box and then after 20 seconds, it says "The remote computer did not respond". I have given the network diagram below:

Branch office ----> PIX -----> DSL Modem -----> Internet ----> Cisco Router ----> PIX -----> Main office with VPN Server
(192.168.1.0)

When I connect to the Internet using a dial-up connection and then connect to VPN, everything works fine. I have given below the PIX Configuration of the Branch office:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco
domain-name aaaaaa.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 aaaaaa.my
name 192.168.0.0 aaaaaa.sg
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_outbound_nat0_acl permit ip aaaaaa.my 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip aaaaaa.my 255.255.255.0 aaaaaa.sg 255.255.255.0
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any echo
access-list inside_access_in permit gre any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any eq pptp any
access-list outside_access_in permit gre any any
access-list outside_access_in permit udp any eq isakmp any
access-list outside_access_in permit udp any eq bootpc any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.xx.74 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool aaaaaa 192.168.3.100-192.168.3.200
pdm location 192.168.1.45 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location aaaaaa.my 255.255.255.255 inside
pdm location aaaaaa.sg 255.255.255.0 outside
pdm location 192.28.0.45 255.255.255.255 inside
pdm location 192.28.0.0 255.255.255.0 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 219.94.51.75
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 aaaaaa.my 255.255.255.255 0 0
nat (inside) 1 aaaaaa.my 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xx.xx.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.45 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup aaaaaakl address-pool aaaaaa
vpngroup aaaaaakl dns-server xxx.xxx.x.xxx xxx.xxx.x.xxx
vpngroup aaaaaakl idle-time 1800
vpngroup aaaaaakl password ********
telnet 192.168.1.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns xxx.xxx.x.xxx xxx.xxx.x.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain resource
dhcpd auto_config outside
dhcpd enable inside

Here, you can see some configurations related to Cisco VPN. We used to do the Cisco VPN thing previously. Now, we don't use it anymore. We are trying to use just the windows VPN. I need to fix this problem ASAP. Please help!
consistelAsked:

blin2000Commented:
this may help. quoted from http://www.chicagotech.net

Can't connect to a VPN server on the outside of the PIX

Symptom: When attempting to connect to a VPN server on the outside of the PIX it returns error 721, the computer failed to respond.

Resolution: In order to PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723. For example, for pptp add this: conduit permit gre host x.x.x.x any AND conduit permit tcp host x.x.x.x eq 1723. For l2tp over ipsec: conduit permit esp host x.x.x.x any, conduit permit udp host x.x.x.x eq 1701 any AND conduit permit udp host x.x.x.x eq 500 any.

0
lrmooreCommented:
Three suggestions:
1) remove the access-list from the inside interface
   no access-group inside_access_in in interface inside
Since your access-list permits everything anyway, it is redundant to the default behavior and is therefore not needed at all

2) upgrade from 6.3(1) to 6.3(3) or 6.3(4)

3) then you can enable PPTP fixup (it's broken in 6.3(1))
    fixup protocol pptp 1723
0

mikeleebrlaCommented:
blin2000 is on the right track but conduits shouldn't be used; you can go ahead and use access lists like you have set up already.

it should read

access-list outside_access_in permit gre any host outside_IP_of_your_VPN_server_here
access-list outside_access_in permit tcp any host outside_IP_of_your_VPN_server_here eq 1723
0

lrmooreCommented:
If you pay close attention to blin2000's posted quote from Cisco documentation you will see that you *must* have a 1-1 nat mapping. Note also in the posted config that this PIX is using PAT with only one global IP address.
So, without the 1-1 NAT capabilities, adding the access-list or conduit entries does no good.
The only solution using PAT is the "fixup protocol pptp 1723"

Alternatively, they would need more public IP addresses (cost $?) to be able to provide 1-1 NAT for each user that needs to connect via PPTP VPN.

Adding the fixup is a no-cost, no-hassle solution.
0
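The conditions lrmoore is reasoning about (PAT with a single global address, no PPTP inspection, a 6.3(1) image, a redundant inside ACL) can all be read straight off a PIX 6.x configuration. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a constructed excerpt of the posted configuration (the same anonymised addresses as in the question) and reports whether PPTP through PAT can be expected to work. It also flags one detail in the posted outside ACL that mikeleebrla's correction implicitly fixes: in `permit tcp any eq pptp any` the port operator follows the source, so the entry matches source port 1723 rather than the destination port. `FIXED_CONFIG` is a constructed "after" version that carries the accepted answer's changes; the `203.0.113.x` addresses in it are placeholders.

```python
import re

# Constructed excerpt of the PIX 6.3(1) configuration posted in the question.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol http 80
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any eq pptp any
access-list outside_access_in permit gre any any
global (outside) 1 219.94.51.75
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Constructed "after" configuration: newer image, PPTP fixup enabled, inside ACL removed,
# port operator placed after the destination (203.0.113.x is a placeholder address).
FIXED_CONFIG = """\
PIX Version 6.3(4)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol pptp 1723
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 203.0.113.99 eq 1723
access-list outside_access_in permit gre any any
global (outside) 1 219.94.51.75
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
"""

RANGE_RE = re.compile(r"\d+\.\d+\.\d+\.\d+\s*-\s*\d+\.\d+\.\d+\.\d+")


def parse(config_text):
    """Split a running-config dump into stripped, non-empty command lines."""
    return [ln.strip() for ln in config_text.splitlines() if ln.strip()]


def pix_version(lines):
    for ln in lines:
        m = re.match(r"PIX Version (\S+)", ln)
        if m:
            return m.group(1)
    return None


def has_pptp_fixup(lines):
    return any(re.match(r"fixup protocol pptp\b", ln) for ln in lines)


def uses_pat_only(lines):
    """True when every 'global' pool is a single address (PAT) and no 'static' 1-1 mappings exist."""
    globals_ = [ln for ln in lines if ln.startswith("global (")]
    statics = [ln for ln in lines if ln.startswith("static (")]
    return bool(globals_) and not statics and not any(RANGE_RE.search(g) for g in globals_)


def acl_source_port_aces(lines, acl="outside_access_in"):
    """ACEs whose port operator follows the SOURCE instead of the destination.
    PIX syntax: permit tcp <src> [op port] <dst> [op port]; a trailing <dst> after the operator
    means the operator was applied to the source."""
    pat = re.compile(rf"access-list {acl} permit tcp (any|\S+ \S+) ((?:eq|gt|lt|neq) \S+) (any|\S+ \S+)\s*$")
    return [ln for ln in lines if pat.match(ln)]


def assess(config_text):
    """Collect the facts relevant to PPTP-through-PAT and turn them into advice strings."""
    lines = parse(config_text)
    findings = {
        "version": pix_version(lines),
        "pptp_fixup": has_pptp_fixup(lines),
        "pat_only": uses_pat_only(lines),
        "source_port_aces": acl_source_port_aces(lines),
        "inside_acl_applied": any(ln.startswith("access-group ") and ln.endswith("interface inside")
                                  for ln in lines),
    }
    advice = []
    if findings["pat_only"] and not findings["pptp_fixup"]:
        advice.append("PAT without PPTP inspection: returning GRE cannot be mapped to an inside host; "
                      "add 'fixup protocol pptp 1723' or provide 1-1 static NAT per PPTP client.")
    if findings["version"] == "6.3(1)":
        advice.append("6.3(1): upgrade to 6.3(3)/6.3(4) before relying on the PPTP fixup.")
    for ace in findings["source_port_aces"]:
        advice.append(f"port operator applies to the SOURCE port, probably not intended: {ace}")
    if findings["inside_acl_applied"]:
        advice.append("inside ACL applied; if it permits everything it is redundant, remove it with "
                      "'no access-group inside_access_in in interface inside'.")
    findings["advice"] = advice
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, assess(cfg)["advice"] or ["no PPTP-related findings"])
```

Running it against the posted excerpt yields four findings; against the fixed excerpt, none. The checker looks only at the keywords the thread discusses, so a configuration it passes is not proven correct, only free of these particular problems.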
mikeleebrlaCommented:
lrmoore, can the fixup let GRE through? I'm not sure.

The answer I posted was if he was using NAT with a 1-to-1 like you mentioned.

0
lrmooreCommented:
Yes, the fixup specifically allows the GRE response
"When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. "

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708
0
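To make the quoted sentence concrete, here is an added example (not code from the thread or from Cisco) that models in Python what PPTP inspection has to do on a PAT device. GRE carries no port numbers, so once an inside client's TCP/1723 control session has been translated, a plain PAT table has nothing to key the server's returning GRE packets on. An inspector that watches the control channel sees the client's Call ID in Outgoing-Call-Request, confirms it in the server's Outgoing-Call-Reply (both per RFC 2637), and installs a GRE "xlate" keyed on that Call ID, which is exactly the field the server puts in the GRE header of every PPP frame it sends back. All addresses and messages below are constructed; the model assumes the two inside clients pick distinct Call IDs (a real inspector also rewrites colliding IDs, which is omitted here).

```python
import struct

# PPTP control-channel constants (RFC 2637) and the GRE protocol type for PPP
MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8          # Outgoing-Call-Request, Outgoing-Call-Reply
GRE_PPP = 0x880B


def pptp_control_type(payload):
    """Return the control message type, or None if this is not a PPTP control message."""
    if len(payload) < 10:
        return None
    _length, msg_type, magic, ctrl = struct.unpack("!HHIH", payload[:10])
    return ctrl if msg_type == 1 and magic == MAGIC else None


def ocrq_call_id(payload):            # Call ID is at offset 12 of Outgoing-Call-Request
    return struct.unpack("!H", payload[12:14])[0]


def ocrp_ids(payload):                # Call ID, then Peer's Call ID, at offset 12 of the reply
    return struct.unpack("!HH", payload[12:16])


# Builders for the constructed sample messages, zero-padded to the RFC message lengths
def build_ocrq(call_id):
    return struct.pack("!HHIHHHH", 168, 1, MAGIC, OCRQ, 0, call_id, 1).ljust(168, b"\0")


def build_ocrp(call_id, peer_call_id):
    return struct.pack("!HHIHHHH", 32, 1, MAGIC, OCRP, 0, call_id, peer_call_id).ljust(32, b"\0")


def build_gre(call_id, ppp):
    # Enhanced GRE: K bit + version 1 (0x2001), proto 0x880B, payload length, receiver's Call ID
    return struct.pack("!HHHH", 0x2001, GRE_PPP, len(ppp), call_id) + ppp


def gre_call_id(pkt):
    flags, proto, _plen, cid = struct.unpack("!HHHH", pkt[:8])
    return cid if proto == GRE_PPP and flags & 0x2000 else None


class PatFirewall:
    """Single-global-address PAT, optionally with PPTP inspection."""

    def __init__(self, outside_ip, pptp_inspection):
        self.outside_ip = outside_ip
        self.inspect = pptp_inspection
        self.tcp_xlate = {}    # (server, pat_port) -> inside host
        self.pending = {}      # (server, client call id) -> inside host, awaiting the reply
        self.gre_xlate = {}    # (server, client call id) -> inside host, for returning GRE
        self.next_port = 1024

    def outbound_tcp(self, inside_host, server, payload):
        """Translate a client's control segment; with inspection, remember its announced Call ID."""
        pat_port, self.next_port = self.next_port, self.next_port + 1
        self.tcp_xlate[(server, pat_port)] = inside_host
        if self.inspect and pptp_control_type(payload) == OCRQ:
            self.pending[(server, ocrq_call_id(payload))] = inside_host
        return pat_port

    def inbound_tcp(self, server, pat_port, payload):
        """Undo PAT for the server's control segment; on a reply, promote the pending GRE xlate."""
        inside_host = self.tcp_xlate.get((server, pat_port))
        if inside_host and self.inspect and pptp_control_type(payload) == OCRP:
            _server_cid, peer_cid = ocrp_ids(payload)
            if self.pending.pop((server, peer_cid), None) == inside_host:
                self.gre_xlate[(server, peer_cid)] = inside_host
        return inside_host

    def inbound_gre(self, server, pkt):
        """GRE has no ports: only an xlate learned from the control channel can pick the host."""
        return self.gre_xlate.get((server, gre_call_id(pkt)))   # None means dropped


def run_demo(pptp_inspection):
    """Two inside clients call the same PPTP server; return where each returning GRE packet lands."""
    fw = PatFirewall("203.0.113.74", pptp_inspection)       # constructed outside address
    server = "198.51.100.5"                                   # constructed VPN server address
    landed = {}
    for host, cid in (("192.168.1.10", 1), ("192.168.1.11", 2)):
        pat_port = fw.outbound_tcp(host, server, build_ocrq(cid))
        fw.inbound_tcp(server, pat_port, build_ocrp(100 + cid, cid))
        landed[host] = fw.inbound_gre(server, build_gre(cid, b"\xff\x03\xc0\x21"))  # PPP LCP start
    return landed


if __name__ == "__main__":
    print("PAT only:        ", run_demo(False))
    print("PAT + inspection:", run_demo(True))
```

With inspection off every returning GRE packet maps to `None` and would be dropped, which is the client-side symptom of error 721 (the control exchange succeeds, then the tunnel never comes up). With inspection on each packet reaches the client that announced that Call ID. The same mechanism is why the PPTP fixup, not an ACL entry, is what makes PPTP work behind PAT.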
consistelAuthor Commented:
Lrmoore,

Your suggestion worked like a gem! I removed the access list that you have mentioned and added fixup protocol for pptp and it was working right. You people are really great. I'm very happy that the networking world has good assets and resources like you people. Thanks everyone for your efforts.
0