patrickmulcahy

asked on

PPTP VPN Problem when using port forwarding

We recently had someone come in to help set up our Exchange server. He made some modifications to our PIX firewall and now our VPN doesn't work. We used to have the following for this:
 access-list inbound permit tcp any host xxx.xxx.xxx.150 eq pptp
 access-list inbound permit tcp any host xxx.xxx.xxx.150 eq 1701
 access-list inbound permit gre any host xxx.xxx.xxx.150
 static (inside,outside) xxx.xxx.xxx.150 xxx.xxx.xxx.4 netmask 255.255.255.255 0 0

which translated all traffic coming to .150 to the internal server. He changed it to do port forwarding on specific ports to the server. The new configuration is
static (inside,outside) tcp interface smtp xxx.xxx.xxx.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https xxx.xxx.xxx.4 https netmask 255.255.255.255 0 0

After he did this, the pptp VPN no longer worked. I added
static (inside,outside) tcp interface pptp xxx.xxx.xxx.4 pptp netmask 255.255.255.255 0 0
and was able to get further, but it still won't complete authentication without the GRE being forwarded. Am I going to have to remove port forwarding and just forward all traffic to the server to get this to work? I noticed that you can only do port forwarding on TCP and UDP; GRE isn't allowed. Is there another way around this?

ASKER CERTIFIED SOLUTION
Les Moore
You can try enabling fixup pptp
  fixup protocol pptp 1723