PIX 501 PPTP VPN Config

Would someone mind checking over my config?  I can't seem to get a PPTP VPN session running.  This is my home/test PIX and I'm trying to connect from work.  Here's what I've got:

6.3(3)
nat (inside) 0 access-list 109
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
vpdn group VPN-PPTP accept dialin pptp
vpdn group VPN-PPTP ppp authentication mschap
vpdn group VPN-PPTP ppp encryption mppe auto
vpdn group VPN-PPTP client configuration address local IPPOOL
vpdn group VPN-PPTP client configuration dns Morpheus Mail
vpdn group VPN-PPTP pptp echo 120
vpdn group VPN-PPTP client authentication local
vpdn username cspence password *********
vpdn enable outside

I get a 721 'no response from remote server'.  You can find a jpg of an Ethereal capture I ran from my work PC while trying to connect here:  http://matrix-domain.net/capture.jpg

Thanks everyone!

Cory
minmei Commented:
Try adding:

vpdn group VPN-PPTP ppp authentication pap
vpdn group VPN-PPTP ppp authentication chap

minmei Commented:
Forget that.  Is your work allowing GRE and PPTP (TCP 1723) outbound and back in (more important)?
cory_spence (Author) Commented:
Should be.  I'm in a NAT pool on a PIX 525 here at work, so it should be statefully opening GRE and PPTP to come back in when I initially send the traffic out.  Do I specifically need a conduit on my work PIX to permit GRE traffic from any host?

C
minmei Commented:
Yes. The GRE traffic can start on the outside, requiring the conduit/ACL, whichever you are using.

access-list outside_int permit gre host <homeserver> host <static translation for PC>

static (inside,outside) <outsideaddr> <insideaddr of pc> netmask 255.255.255.255 0 0

If your pix is 6.3 or later, just add

fixup protocol pptp 1723

See this link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
cory_spence (Author) Commented:
We're running an old version at work with conduits.  Entered 'conduit permit gre any any' and it still couldn't connect.

Any ideas?

C
nodisco Commented:
Cory

Add
sysopt connection permit-pptp

I take it you have the vpdn pool IPPOOL configured?  It's just that you didn't post it in your config.

ip local pool IPPOOL x.x.x.x-y.y.y.y

cheers

Steve
cory_spence (Author) Commented:
Sorry, I actually do have both those in my config.  Just forgot to post it.

Thanks though!

C
minmei Commented:
What about the static translation? If you are running an old version of PIX software, you need to have a one-to-one translation for your PC. No port address translation.

You need to have the below:

static (inside,outside) <outsideaddr> <insideaddr of pc> netmask 255.255.255.255 0 0

to make this work, unless you are running 6.3 or greater.

Just having your pc translated at the port level with a global command won't work.
nodisco Commented:
What specific error are you getting when trying to connect?

I noticed in your packet capture that your problems are at LCP level.  This could well be authentication - can you try using PAP as the auth and configuring your PPTP connection accordingly?  This will at least help to isolate where the problem is occurring.

minmei Commented:
Good call - if I remember correctly, PIX (old) only worked with PAP PPP authentication, thus my first post.
cory_spence (Author) Commented:
Sorry for the delay - been pretty busy.

I ran the connection from a laptop using dial-up and was able to connect.  Must be something with the work PIX.  Not too concerned with that at the moment.

However, on the laptop, I can't do anything when the PPTP VPN connection is up.  I'm assigned an address from my pool, and I'm getting the DNS server I configured, but no pings to my internal home network and no Internet.

Does the PIX pool of addresses have to be on a different subnet to work - seems like I read this somewhere?  Currently the inside interface of my 501 lies in the 192.168.1.x network, which is the same network I'm handing out addresses from in my pool.

Thanks,
C
minmei Commented:
That would be a problem. Change the range.

You also have to specify to _not_ NAT packets from the inside to the external range you give out.
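The two points that closed this thread (nodisco: the vpdn pool must actually exist as an `ip local pool`; minmei: the pool must not sit in the inside interface's subnet, and inside-to-pool traffic must be exempted from NAT) are easy to lint for mechanically. The script below is an added example, not something posted in the thread and not Cisco tooling. It parses the handful of PIX 6.3 statements that matter and reports the two problems. The inside address (192.168.1.1/24) and the pool ranges are constructed for the demonstration; the poster never gave them, only that the pool was in 192.168.1.x. The "fixed" variant moves the pool into 192.168.2.0/24, which the poster's existing `access-list 109` already exempts from NAT.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the posted home PIX 6.3 lines that
# matter for routing VPN clients, plus the two lines the poster said he has but
# did not paste. Inside address and pool range are assumptions; the pool is
# deliberately placed inside 192.168.1.0/24 to reproduce the reported symptom.
BROKEN_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool IPPOOL 192.168.1.200-192.168.1.210
nat (inside) 0 access-list 109
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
vpdn group VPN-PPTP accept dialin pptp
vpdn group VPN-PPTP client configuration address local IPPOOL
"""

# Same config with the pool moved to a subnet that access-list 109 already exempts.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "192.168.1.200-192.168.1.210", "192.168.2.200-192.168.2.210")


def parse_config(text):
    """Pull out only the PIX statements the pool check needs."""
    cfg = {"inside": None, "pools": {}, "nat0_acl": None, "acls": {}, "vpdn_pool": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"vpdn group \S+ client configuration address local (\S+)$", line):
            cfg["vpdn_pool"] = m[1]
    return cfg


def check_pptp_pool(cfg):
    """Return a list of findings; an empty list means the pool looks usable."""
    findings = []
    pool_name = cfg["vpdn_pool"]
    # nodisco's point: the pool named in the vpdn group has to be defined.
    if pool_name not in cfg["pools"]:
        findings.append(f"vpdn pool '{pool_name}' has no matching 'ip local pool'")
        return findings
    first, last = cfg["pools"][pool_name]
    inside = cfg["inside"]
    # minmei's first point: pool addresses must not come from the inside subnet.
    if inside is not None and (first in inside or last in inside):
        findings.append(f"pool {first}-{last} overlaps inside subnet {inside}")
    # minmei's second point: inside -> pool traffic needs a nat 0 exemption.
    exempted = inside is not None and any(
        inside.subnet_of(src) and first in dst and last in dst
        for src, dst in cfg["acls"].get(cfg["nat0_acl"], [])
    )
    if not exempted:
        findings.append(f"no 'nat (inside) 0' exemption covers {inside} -> {first}-{last}")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_pptp_pool(parse_config(text)) or ["ok"])
```

Run against the broken sample it reports both the subnet overlap and the missing NAT exemption; against the fixed sample it reports nothing, because the pool now lives in 192.168.2.0/24 and the existing `access-list 109` exempts inside-to-192.168.2.0/24 traffic. The check only understands the statement forms shown here; a real config with object groups or `host` keywords would need the regexes extended.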