PIX and L2TP/IPSEC thru

Hi,

I want clients to connect to a VPN server behind my PIX.

I have opened ports UDP 1701 (L2TP), 4500 and 500 and protocols 50 and 51, but I don't get any contact with the server.
I have configured a static command for this...

Are there any more ports that need to be opened?
lrmoore commented:
What kind of VPN server? Microsoft PPTP? IPsec?
 
martyboy (Author) commented:
It's a Mac OS X server. I want to use L2TP/IPsec clients to connect to the server: the MS and Mac OS X built-in clients.
 
lrmoore commented:
Maybe a silly question, but why not use the IPsec capabilities of the PIX itself to act as the server instead of passing it through to another server?

If you'll post your complete pix config, I'll take a look at it..
 
Ron Malmstead (Information Services Manager) commented:
Like this:
static (inside,outside) udp 199.34.22.66 1701 192.168.0.3 1701 netmask 255.255.255.255
or
static (inside,outside) any any #internalIPAdress# netmask 255.255.255.255

For you:
static (inside,outside) udp #externalIPAddress# 1701 #internalIPAdress# 1701 netmask 255.255.255.255
static (inside,outside) udp #externalIPAddress# 51 #internalIPAdress# 51 netmask 255.255.255.255
static (inside,outside) udp #externalIPAddress# 50 #internalIPAdress# 50 netmask 255.255.255.255

Good luck.
 
Ron Malmstead (Information Services Manager) commented:
It's not just a matter of opening ports... you have to forward traffic from the outside interface to the host inside.
 
martyboy (Author) commented:
Well, as I stated in my first post, I have configured the statics to the inside server.

lrmoore: the reason I have to use the X server is that the clients don't work on Apple's latest release. Before that I used
the PIX VPN capabilities. They don't have a single PC in their company.

 
martyboy (Author) commented:
Btw xuserx2000.

Protocols 50 and 51 are not UDP but ESP and AH, so those statics should not work.

Here is my config. Both PPTP and IPsec work great when connecting to the PIX itself.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password j7KeWTlP3Fnf7WgC encrypted
passwd QxZoWQCLmTQGzlVk encrypted
hostname
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol pptp 34827
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host x.x.x.x eq smtp
access-list acl_out permit tcp any host x.x.x.x eq https
access-list acl_out permit tcp y.y.y.y 255.255.255.0 host x.x.x.x
access-list acl_out permit udp any host L2TP eq 4500
access-list acl_out permit esp any host L2TP
access-list acl_out permit udp any host L2TP eq 1701
access-list acl_out permit ah any host L2TP
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_inside deny tcp any any range 3127 3198
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny tcp any any eq pop3
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside deny tcp any any eq 6346
access-list acl_inside deny udp any any eq 6346
access-list acl_inside permit ip any any
ip address outside x.x.x.x 255.255.255.0
ip address inside 192.168.12.1 255.255.255.0
ip audit name attackpolicy attack action alarm reset
ip audit name attackpolicy1 attack action alarm reset
ip audit interface outside attackpolicy
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.10-192.168.2.50
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 193.12.48.253
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 193.12.48.2 mailserver netmask 255.255.255.255 0 0
static (inside,outside) 193.12.48.9 L2TP server netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 193.12.48.254 1
route inside 10.121.28.0 255.255.255.0 10.121.77.1 1
route inside 10.121.77.0 255.255.255.0 192.168.12.2 1
route inside 192.168.120.0 255.255.255.0 192.168.12.2 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set vpnaes esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set vpnaes
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto map mymap1 client configuration address initiate
crypto map mymap1 client configuration address respond
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpv address-pool ippool
vpngroup vpv dns-server 192.168.12.10
vpngroup vpv wins-server 192.168.12.10
vpngroup vpv split-tunnel nonat
vpngroup vpv idle-time 1800
vpngroup vpv password ********
telnet 192.168.12.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group clients accept dialin pptp
vpdn group clients ppp authentication pap
vpdn group clients ppp authentication chap
vpdn group clients ppp authentication mschap
vpdn group clients ppp encryption mppe auto
vpdn group clients client configuration address local ippool
vpdn group clients pptp echo 60
vpdn group clients client authentication local
vpdn username dagobah password Lhjrt54
vpdn enable outside
username pixadmin password Hh7WJT0CJV/NaMg9 encrypted privilege 2
terminal width 80
banner exec You have entered secure zone. Authorized personal only!!
banner login You have entered secure zone. Authorized personal only!!
banner motd You have entered secure zone. Authorized personal only!!
Cryptochecksum:afa90dcff2b658974ce362c812928071
 
lrmoore commented:
Does the Apple server require AH? AH does not work over a NATed address.
Have you enabled logging? Perhaps we could get some clues from the denied packets.
Have you tried enabling ISAKMP? UDP 500?
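As an added example that is not part of the original thread: a small Python audit of a PIX config for the pieces this thread settles on for L2TP/IPsec pass-through to one inside host (UDP 500, 4500, 1701 and ESP), flagging AH, which does not survive NAT, and statics that treat ESP/AH as UDP ports. The host name L2TP and the ACL lines are taken from the poster's config; the "udp 50" static is a constructed sample, and the regexes cover only the ACL and static syntax shown in this thread.

```python
import re

# What the thread settles on for L2TP/IPsec pass-through to one inside host:
# IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701) and ESP (IP protocol 50).
# AH (protocol 51) authenticates the outer IP header, so it breaks once a
# static rewrites the address; ESP and AH are protocols, not UDP ports.
REQUIRED = {("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("esp", None)}
PORT_NAMES = {"isakmp": "500"}  # PIX prints some well-known ports by name

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(udp|tcp|esp|ah|ip)\s+any\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$"
)
# static (inside,outside) <udp|tcp> <global_ip> <global_port> <local_ip> <local_port> netmask ...
STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(udp|tcp)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+netmask"
)

def audit_pix_passthrough(config_text, vpn_host):
    """Return (missing, warnings): required ACL entries for vpn_host that are
    absent, and statements that will not work the way the poster expects."""
    permitted, warnings = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(2) == vpn_host:
            proto, port = m.group(1), m.group(3)
            permitted.add((proto, PORT_NAMES.get(port, port)))
            if proto == "ah":
                warnings.append(f"AH permitted to {vpn_host}: AH cannot traverse NAT")
            continue
        m = STATIC_RE.match(line)
        if m and m.group(2) in ("50", "51") and m.group(3) == vpn_host:
            warnings.append(f"static maps {m.group(1)} port {m.group(2)}: ESP/AH are "
                            "IP protocols, not UDP ports; use a 1:1 static for the host")
    missing = sorted((p, q or "") for p, q in REQUIRED if (p, q) not in permitted)
    return missing, warnings

# Constructed sample: the ACL lines from the poster's config (minus the isakmp
# line that did not paste) plus one of the suggested "udp 50" statics.
SAMPLE_CONFIG = """
access-list acl_out permit udp any host L2TP eq 4500
access-list acl_out permit esp any host L2TP
access-list acl_out permit udp any host L2TP eq 1701
access-list acl_out permit ah any host L2TP
static (inside,outside) udp 193.12.48.9 50 L2TP 50 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(audit_pix_passthrough(SAMPLE_CONFIG, "L2TP"))
```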
 
martyboy (Author) commented:
lrmoore, ISAKMP is open; that line didn't copy/paste.

I'm going to remove AH and set up a syslog server to see what information I get. I'll get back to you.
 
martyboy (Author) commented:
Well, it was the X server's fault. Crappy Macintosh... After the technician found the misconfiguration, everything was up and running.

Thx moore for assisting!
 
lrmoore commented:
Glad you're working! Can you elaborate any on the misconfiguration of the Apple?
 
martyboy (Author) commented:
The Apple guy had activated the second NIC on the server, which screwed things up.
He did something and rebooted the server a couple of times and then it worked :)