• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 926
  • Last Modified:

VPN setup question: I will probably lose my job if I don't figure this out soon.

thanks in advance to anyone who can help in anyway.  Thank you! Thank you!
If I don't figure this out I will probably lose my job.

My network has a cisco 831 router that is connected to a modem in bridge mode.

Behind the router is my Cisco Pix 501 firewall which has one  16 port switch conncted to that.

So on the firewall I have enable PPTP and put one VPN user account into the firewall settings.

I should be able to setup a  VPN connection with WinXP using my firewall IP address, right.  I have been unsuccesful.

Outside traffic has to first go through the router to get to the firewall.  So I thought the router might be the problem.
I tried to configure the router to allow the traffic.  

This is what I have got so far for the router configuration....

vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:72.223.195.49-255.25
5.255.0
 ip address 72.223.195.49 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication pap chap ms-chap

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname paulie@bellsouth.net
 ppp chap password 7 115F4A5D46145535F
 ppp pap sent-username paulie@bellsouth.net password 7 055D5557452165A
!
ip local pool test 10.168.1.75 10.168.1.100
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.128.1.3 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 72.223.195.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end


<b>And hopefully traffic makes it through the router to the Cisco Pix firewall.  Where I have this configuration....<b>

Result of firewall command: "show config"
 
: Saved
: Written by enable_15 at 11:38:07.811 UTC Sun Apr 2 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6.zG4UTOgxjrZ6Lj encrypted
passwd 9.3cC3Lq/yHiv1EY encrypted
hostname GSu
domain-name GSu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 47
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
access-list 100 permit tcp any host 72.223.195.53 eq smtp
access-list 100 permit tcp any host 72.223.195.53 eq ftp
access-list 100 permit tcp any host 72.223.195.53 eq pop3
access-list 100 permit tcp any host 72.223.195.53 eq https
access-list 100 permit tcp any host 72.223.195.53 eq domain
access-list 100 permit tcp any host 72.223.195.53 eq 3389
access-list 100 permit tcp any host 72.223.195.53 eq www
access-list 100 permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip any 10.128.1.64 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.223.195.50 255.255.255.240
ip address inside 10.128.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 10.128.1.75-10.128.1.100
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 10.128.1.3 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.128.1.64 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 72.223.195.51
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 72.223.195.50 10.128.1.3 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 72.223.195.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnusers
vpdn group PPTP-VPDN-GROUP client configuration dns 10.128.1.3 4.2.2.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username pauh123 password ********
vpdn enable outside
terminal width 80
Cryptochecksum:d735591dcf627d1433d040fe532def72


I should be able to use a basic Windows XP network connection wizard enabling security to connect to my firewall where my user the local PIX user name will be validated.  Then I would be on the network, right.

Anyone please help.  I have very new to VPN, but I am learning fast.
If I don't figure this out soon I will probably lose my job.
Thanks for any help.
Paul
0
paulmmalone
Asked:
paulmmalone
  • 23
  • 21
  • 2
  • +1
1 Solution
 
computertsuCommented:
I think you need to enable a protocol called GRE. It is also called protocol 47.
There is a Cisco article on how to do so for the PIX. You might also need to tell the router to allow this protocol to go through.
http://www.cisco.com/warp/public/110/pix_pptp.html
0
 
paulmmaloneAuthor Commented:
The doc says I need a working PPTP server and client.

PPTP server?
I put a local user name and password into my PIX firewall.  Is that good enough.
I don't have a pptp server behind the firewall.


0
 
plemieux72Commented:
There are many errors.  Here we go:

- Your e0 interface on the router is not on the same network as the outside interface on the PIX:

Current address on PIX outside
ip address outside 72.223.195.50 255.255.255.240
Current address on 831 e0
ip address 72.223.195.49 255.255.255.0 secondary

Assuming the .240 mask is the correct subnet, here is what you need on the router
int e0
 no ip address 72.223.195.49 255.255.255.0 secondary
 no ip address 10.10.10.1 255.255.255.0
 ip address 72.223.195.49 255.255.255.240

- On the 831, you are missing the route to reach your internal network so add this:

route 10.128.1.1 255.0.0.0 72.223.195.50

- The NAT config on the router is wrong:

Unless you say otherwise, you don't need NAT on the router because your PIX is doing NAT.  Both interfaces on the router are public IPs.  You will need to remove it:

int e0
 no ip nat inside
int d1
 no ip nat outside
no ip nat inside source list 102 interface Dialer1 overload
no ip nat inside source static tcp 10.128.1.3 21 interface Dialer1 21  <--- not sure what you wanted to accomplish with this but 10.128.1.3 is a RFC 1918 address and is not routable on the internet so you can do this.

- On the PIX, your VPN pool is on the same subnet as the internal users.  That will not work.  You need to choose another pool and update your access lists accordingly

ip local pool vpnusers 172.16.1.1-172.16.1.30
no access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.224

Unless I missed something, that should get you going.  Let us know if you need anything else.


0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
plemieux72Commented:
<<The doc says I need a working PPTP server and client.

PPTP server?
I put a local user name and password into my PIX firewall.  Is that good enough.
I don't have a pptp server behind the firewall.>>

The PIX can act as a PPTP server.  You've got that configured I think.  I have done it a long time ago and I know it works.  I just kind of forgot all the commands for it and would have to review the PIX docs as a refresher.  However, you can't do that until your foundation is working correctly.  So, yes, local username is ok.
0
 
computertsuCommented:
I can't say with certainty if the PIX will act as a PPTP server. It is a pretty smart box and I think it is likely that it could do so. I've done VPN setups using Microsoft servers mostly, configuring routers to pass the traffic.
PPTP is Point to Point Tunneling Protocol, one of the protocols that can be used for VPN. VPN is pretty much always a client connecting to a server. There is a PPTP test utility, kind of like ping, that came from either Microsoft or Cisco.
Rereading your PIX config file, the lines 'fixup protocol pptp 47' & 'fixup protocol pptp 1723' and 'vpdn' lines (both router and PIX) are helping. Sorry this isn't much help right now. I'll dig deeper and see what I can find out.
Do you have a Windows 2000 or 2003 server if the PIX won't act as a PPTP server?
0
 
plemieux72Commented:
I was reviewing what I wrote above...

- On the 831, you are missing the route to reach your internal network so add this:

route 10.128.1.1 255.0.0.0 72.223.195.50

I meant :

route 10.0.0.0 255.0.0.0 72.223.195.50

Also, here is the PIX VPN config guide for 6.3:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm

Refer to this for configuring the PIX as a PPTP server:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm#wp1019576
0
 
paulmmaloneAuthor Commented:
Thank you for all the ideas.  I am going to try them out.  One other question.
Right now my Cisco pix is hooked up to the Router with is connected to the modem.
Inmost of the diagrams I have seen.  It goes router - Pix - modem.
Is this a problem?

And if not with my configuration does it mean my router is doing the NAT because it is the closest to the Internet?
Don't know if that make sense.
Thanks again.
- VPN newbie with growing pains.
0
 
plemieux72Commented:
<<Inmost of the diagrams I have seen.  It goes router - Pix - modem.
Is this a problem?>>

No it's not a problem, either way.  However, I must ask, why both PIX + 831 in your situation?  I mean, most of the time, a router is used when the connection is other than Ethernet.  In your case, you have an Ethernet WAN connection via your DSL modem.  The PIX is perfectly able to accomodate that.  Plus, it does VPN and I think all the functionality you want.  So, there should be no need for a more complicated setup with the 831.  So, unless you can provide a reason to use the router, I would advise of deploying it somewhere else where actually needed.

NAT is among other things, used to translate between RFC 1918 addresses and public addresses.  In your case, the PIX is doing this.  The inside subnet is a 10.0.0.0/8 which is a private (RFC 1918) network and the 72.223.195.48/28 is the public subnet.  The PIX translates between the two.

Here is the NAT page on Cisco.com which explains all this:
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html
0
 
paulmmaloneAuthor Commented:
That is a very good question why I have both the 831 and the pix.  
I am brand new to the position and have inherited a network where the old system admin it looks like they where very confused.

I am now have to sort out there mess.
I tried to take the router out of the equation on Friday by just plugging the Pix straight into the modem.  But when I did that I lost my connection to the internet.  I would love to take the 831 out of the equation.  Just don't know how yet.

My Ethernet 0 now looks like

interface Ethernet0
 ip address 72.223.195.49 255.255.255.240
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in

I am a little nevous about messing with these NAT on E0 and the Dialer1.  Not sure what all this PPP authentication stuff is.  Possibly because my modem is in bridge mode.  Could this be the info for my bellsouth dsl connection?

Thanks again for the help!!!!
This is going to save me... hopefully.
0
 
scrathcyboyCommented:
Why dont you buy a simple router that you can handle.  The PIX config is beyond many peoples ability to sort out the details.  Now if you were using a Linksys, for example, which is made by Cisco too, you would never have had this problem.  Cheaper to buy a simple router/switch than lose your job.
0
 
plemieux72Commented:
Scrathcyboy, the PIX doesn't have as steep a learning curve as a Cisco router.  By simply reading the config guide, I was able to get mine up and running when I was a newbie myself in less than a day.  The reason is a PIX doens't have as much functionality as a router because it is designed for security.  I agree that a Cisco router with IOS is a different story and requires a more learning.  That being said, even though Linksys HAS started releasing products for small businesses, Cisco is most of the time a better choice for many businesses.  I think we should help him get up and running on the PIX alone which should not be hard.

Paul, PPPoE is required by your BellSouth DSL connection to access their network.  If the DSL modem was in router mode (you wouldn't want this by the way), the PPPoE would be established on it.  However, because it is in bridge mode, your PIX will use PPPoE to dial in the connection to BellSouth's network.  Check the config guide for 6.3 I posted above and read the section on PPPoE and let us know if you have any further questions.

0
 
plemieux72Commented:
One more thing, I would use a smaller subnet on your internal LAN instead of a /10.  How many users do you have at this site?  How many more IP address do you need for the future?  Based on this, we can suggest a smaller subnet.  Let us know.
0
 
plemieux72Commented:
Paul, here is the main PIX Software Config Guides page:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm

Also, remember this:  Cisco routers, Linksys routers and most other vendor's routers for that matter are not secure by default.  You have to harden them before putting them into production.  On the other hand, the Cisco PIX has a secure default config and OS.  This makes it quicker to deploy.
0
 
paulmmaloneAuthor Commented:
plemieux72
Thank you for all the help!

I will read the software config guides.
0
 
paulmmaloneAuthor Commented:
hopefully this is the correct doc for configuring the pix for pppoe

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Note the first paragraph says this.....

The default authentication mechanism for PPPoE is Password Authentication Protocol (PAP). The user has the option to configure Challenge Handshake Authentication Protocol (CHAP) or MS-CHAP manually. PIX OS versions 6.2 and 6.3 do not support Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) with PPPoE.


Does this mean that I couldn't do both pppoe to bellsouth for my DSL and have PPTP vpn tunnel open?

0
 
scrathcyboyCommented:
plemieux -- spoken like true cisco proselyte.  WE all know cisco is good, but I couldnt disagree more with you about easy to figure out.  I find 99% of non programmers struggle endlessly with cisco pix, and you might find same problem here.  With easier router setup, he probably not have any problem.  Also, in theme of expert exchange, you should allow the question asker *other options* than your own, should you not?  So another option is to get a simpler setup he can handle and save his job.  Good luck training him with Cisco.  Bye.
0
 
paulmmaloneAuthor Commented:
I think I am learning quickly.
And I am a programmer. Just not a Cisco Pix Firewall programmer...  But I will be soon.

Just so y'all don't think I am some idiot.
I am A+, Network+, I-net+, and C.I.W. certified with 8 years of experience.  Just walked into a bad situation here.

Thanks again for all the help.  If I can't get this working I probably won't lose my job, but it will just look pretty bad.



0
 
plemieux72Commented:
<<The default authentication mechanism for PPPoE is Password Authentication Protocol (PAP). The user has the option to configure Challenge Handshake Authentication Protocol (CHAP) or MS-CHAP manually. PIX OS versions 6.2 and 6.3 do not support Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) with PPPoE.


Does this mean that I couldn't do both pppoe to bellsouth for my DSL and have PPTP vpn tunnel open?>>

I forgot about that.  Yes, you are refering to article ID 22855.  I will take their word for it as I've never tried it.  So, there, you now have a reason for the 831.

Or, what about doing IPSec instead of PPTP?  Did the previous person buy SmartNet contracts with your Cisco devices?  If so, you can download the Cisco VPN Client and use that to connect and won't need the 831.  Otherwise, you'll need to get the 831 to do the PPPoE (without NAT).  Then, the PIX can do NAT and PPTP VPN.
0
 
paulmmaloneAuthor Commented:
plemieux72 thanks again for all the help
So I do need the 831.  Darn...

So this is what I have for the 831 router...

Current configuration : 2511 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GSU
!
no logging buffered
enable secret 5 $1$EoKt$KxVz9w0Pcky0fmySFLen9.
!
no aaa new-model
ip subnet-zero
ip name-server 205.152.37.23
ip name-server 205.152.144.23
ip dhcp excluded-address 10.128.1.3
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 72.234.195.49 255.255.255.240
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication pap chap ms-chap
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname gsu@bellsouth.net
 ppp chap password 7 115F4A5D464A535F
 ppp pap sent-username gsu@bellsouth.net password 7 055D55577014165A
!
ip local pool test 10.168.1.75 10.168.1.100
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.128.1.3 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 72.234.195.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end


Do you see anything that would stop the PPTP traffic from going from the bridged modem through to the Pix at 72.234.195.50 and back.

Ethernet0 is where the internet is coming in and Ethernet 1 is the port that is connected to Pix.
0
 
plemieux72Commented:
<<Ethernet0 is where the internet is coming in and Ethernet 1 is the port that is connected to Pix.>>

Well, not really, or this may be the problem... dialer1 (d1), a virtual interface is the interface where the Internet is coming in.  And, in the current config, that's associated with ethernet1 (e1), the physical interface.

So, I have a feeling your inside interface is ethernet0 (e0).  You can verify this by doing a show int e1 or show int e0 command and seeing if the interface is up/up and then unplugging the cable which will make it go down/down.

Once you've figured this out, let me know for sure and we'll get the addressing fixed.  By the way, do you have connectivity from the inside to the Internet right now?
0
 
plemieux72Commented:
Also, when posting configs online, remove the passwords (even if encrypted) as it's easy to decrypt them.  In fact, now that they are posted (it's too late), you should change them to prevent getting hacked.
0
 
paulmmaloneAuthor Commented:
Thanks again.

You are right ethernet1 shows....

Ehternet1 is up, line protocol is down when I unplug it.

Opps... about the passwords...
In the example I did change all the ip address and the user names.

I do have internet connectivitity from the inside out.

Thanks again.  
0
 
paulmmaloneAuthor Commented:
So this is what I have now for the 831 router, I changed the Virtual-Template1 to point to Ethernet1 but that didn't make it work....  

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GSU
!
no logging buffered
!
username GSUrouter password
no aaa new-model
ip subnet-zero
ip name-server 72.234.37.23
ip name-server 72.234.144.23
ip dhcp excluded-address 10.128.1.3
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 72.234.195.49 255.255.255.240
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication pap chap ms-chap
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname paulie@bellsouth.net
 ppp chap password 7 115F4A5Dsd464A5as35F
 ppp pap sent-username paulie@bellsouth.net password 7 055fD55599f770ss14165A
!
ip local pool test 10.168.1.75 10.168.1.100
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.128.1.3 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 72.234.195.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
0
 
plemieux72Commented:
Ok, so if I understand correctly:

d1 = e1 = outside Internet
e0 = inside

Next, you need to figure out what the ISP gave you for IP addresses.  You could call them to confirm it.  Because above, it lists two different ranges based on your interface ip address statements:

72.223.195.49 255.255.255.240 = 72.223.195.48/28 = 72.223.195.49 to 72.223.195.62
and
72.223.195.49 255.255.255.0 = 72.223.195.48/24 = 723.223.195.1 to 72.223.195.254

I am also curious, as to what IP address and mask your d1 interface is obtaining... do a show int d1.  Does it have an IP in the same range as one of those?  
Since your d1 interface obtains an IP automatically via IPCP (similar to DHCP), we have to make sure the router will route between that ISP subnet and the 72.223.x.x one.  So, post the result of the first few lines of the sho int d1...

Sorry if I am not asking all the questions up front... I am kind of going with the flow.  But we almost have it figured out.  Once the IP addressing is understood, we can get on with the config which should be simple.
0
 
paulmmaloneAuthor Commented:
Interesting....
Here is the show config.   Dialer1
The IP address is not in the range that my isp gave me.  The range from the isp is
72.223.195.49 - 72.223.195.49  with a subnet of 255.255.255.240

Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 50.147.657.231/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 4w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     30459186 packets input, 3238768244 bytes
     20235579 packets output, 3557963238 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface




0
 
paulmmaloneAuthor Commented:
opps I meant
72.223.195.49 - 72.223.195.55  with a subnet of 255.255.255.240
for my range from my isp
0
 
paulmmaloneAuthor Commented:
Thanks again for all the help!!
0
 
plemieux72Commented:
<<Dialer1  The IP address is not in the range that my isp gave me. >>
PERFECT!  that makes sense because the router will route between the two networks (that's what a router is for).

For clarity sake, here is your IP addressing summary:

831 addressing:
d1 = e1 = outside Internet --> IPCP (obtain IP automatically)
e0 = inside = 72.223.195.49 255.255.255.240

PIX addressing:
outside = 72.223.195.50 255.255.255.240
inside = 10.x.x.x

That leaves you with 72.223.195.51 to 55 for other uses.

Now, remove the unused commands from the router.  Test connectivity after each step.

no ip dhcp excluded-address 10.128.1.3
int e0
 no ip nat inside
int d1
 no ip nat outside
no ip nat inside source list 102 interface Dialer1 overload
no access-list 102
no ip local pool test 10.168.1.75 10.168.1.100

If connectivity still ok, save the config (copy run start).

At this point, the router is setup for routing all traffic to/from the Internet without using NAT.  So you should be able to connect to the PIX PPTP server as long as you've changed the PIX VPN pool and associated access lists to a different subnet as your internal one as I mentioned before.



0
 
paulmmaloneAuthor Commented:
Could not do one of the commands... when I ran this command
 "no ip nat inside source list 102 interface Dialer1 overload"  
it said "Dynamic mapping in use, cannot remve"

So this is what I have now.
Think it is getting close!


no aaa new-model
ip subnet-zero
ip name-server 125.152.37.23
ip name-server 125.152.144.23
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 73.223.195.49 255.255.255.240
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication pap chap ms-chap
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname paulie@bellsouth.net
 ppp chap password 7
 ppp chap password 7
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000

Thanks for all the help.  I am getting excited.  I think it is getting close!
0
 
plemieux72Commented:
That error means there are some NAT translations in use:

Do a "show ip nat trans" and check what the deal is...
Then, to clear them, do a "clear ip nat trans *" and immediately remove the command with its "no" form.  Or, you could unplug the e0 cable to ensure no additional connections get establish while you remove NAT.

Anyway, I am kind of curious as to why there are some translations because it's not supposed to be NATing.  So, be prepared to re-enter the command as it was should you loose connectivity.  However, I really don't think this will be the case.

0
 
paulmmaloneAuthor Commented:
GSPRouter#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 50.147.234.107:4646 72.245.195.50:4646 12.43.202.118:80  91.51.201.118:80
tcp 50.147.234.107:4000 72.245.195.50:4000 12.43.133.152:80  91.51.201.152:80
tcp 50.147.234.107:4066 72.245.195.50:4066 12.43.133.151:80  91.51.201.151:80
tcp 50.147.234.107:4069 72.245.195.50:4069 12.43.133.152:80  91.51.201.152:80
tcp 50.147.234.107:4073 72.245.195.50:4073 12.43.133.152:80  91.51.201.152:80
tcp 50.147.234.107:4074 72.245.195.50:4074 12.43.133.153:80  91.51.201.153:80
tcp 50.147.234.107:3993 72.245.195.50:3993 923.172.158.187:80 208.172.158.187:80

tcp 50.147.234.107:3574 72.245.195.50:3574 907.204.187.58:80 602.25.187.58:80
tcp 50.147.234.107:3588 72.245.195.50:3588 907.204.187.58:80 602.25.187.58:80
tcp 50.147.234.1074655 72.245.195.50:4655 65.154.109.223:80 68.198.109.223:80
tcp 50.147.234.107:4055 72.245.195.50:4055 907.46.4.51:1863  602.25.4.51:1863
tcp 50.147.234.107:3931 72.245.195.50:3931 66.123.36.94:80   61.128.36.94:80

tcp 70.157.172.107:3932 68.222.195.50:3932 63.123.36.94:80   63.123.36.94:80
tcp 70.157.172.107:4012 68.222.195.50:4012 81.52.202.113:80  81.52.202.113:80
tcp 70.157.172.107:4010 68.222.195.50:4010 81.52.202.118:80  81.52.202.118:80
tcp 70.157.172.107:4005 68.222.195.50:4005 69.108.159.61:80  69.108.159.61:80
0
 
paulmmaloneAuthor Commented:
the "clear ip nat trans *"  doesn't seem to be working

I am at the GSURouter (config)#clear ip nat trans

% Invalid input detected at '^' marder  

with the ^ under the "e" in clear

0
 
paulmmaloneAuthor Commented:
Think I got it.  Hold on...
0
 
paulmmaloneAuthor Commented:
Ok, I have disabled the NAT traslations.
0
 
plemieux72Commented:
...and you were able to take the ip nat inside source command out?
0
 
paulmmaloneAuthor Commented:
Yes Ip Nat inside source is gone and I am still connected.
0
 
plemieux72Commented:
Good.  So, if you now try the PPTP connection from outside, you should get in.
0
 
paulmmaloneAuthor Commented:

I will go and try it out.  Be back in 15 minutes.
Do you think I have everything setup on the firewall right?
I am not sure if I have GRE enabled.
And possible this line.. nat (inside) 1 10.128.1.0 255.255.255.0 0 0
It should probably be 255.0.0.0 for the sub net right?  Or does that matter?
You have no idea how happy I am going to be if this works....
I really appreciate all the help.

Here is what I have for the current config on the pix....

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******* encrypted
hostname GSU
domain-name GSU
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 47
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
access-list 100 permit tcp any host 72.223.195.53 eq smtp
access-list 100 permit tcp any host 72.223.195.53 eq ftp
access-list 100 permit tcp any host 72.223.195.53 eq pop3
access-list 100 permit tcp any host 72.223.195.53 eq https
access-list 100 permit tcp any host 72.223.195.53 eq domain
access-list 100 permit tcp any host 72.223.195.53 eq 3389
access-list 100 permit tcp any host 72.223.195.53 eq www
access-list 100 permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip any 10.150.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 10.128.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 10.128.1.75-10.128.1.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 72.223.195.50
nat (inside) 1 10.128.1.0 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 72.223.195.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group vpnaccess accept dialin pptp
vpdn group vpnaccess ppp authentication mschap
vpdn group vpnaccess ppp encryption mppe auto required
vpdn group vpnaccess client configuration address local vpnusers
vpdn group vpnaccess client configuration dns 10.128.1.3 4.2.2.2
vpdn group vpnaccess pptp echo 60
vpdn group vpnaccess client authentication local
vpdn username adffdfs password *********
vpdn enable outside
vpdn enable inside
terminal width 80
0
 
plemieux72Commented:
That latest config definitely won't work.  Here are the changes you need to make:

no vpdn group vpnaccess client configuration address local vpnusers  <---- pool is in the wrong subnet
no access-list inside_outbound_nat0_acl permit ip any 10.150.1.0 255.255.255.0 <--- ACL is in the wrong subnet
access-list ACL_NAT permit ip 10.128.1.0 255.0.0.0 172.16.1.0 255.255.255.224
access-list ACL_SPLIT_TUNNEL permit ip 10.128.1.0 255.0.0.0 172.16.1.0 255.255.255.224  <--- split-tunneling not being used but you have it in case needed in the future
ip address outside 72.223.195.50 255.255.255.240  <--- not sure what happened here but there should be an IP address for the outside interface
ip local pool VPN_POOL 172.16.1.1-172.16.1.30 <--- your new VPN pool in a different subnet
no ip local pool vpnusers 10.128.1.75-10.128.1.100
nat (inside) 1 10.128.1.0 255.0.0.0  <--- fixed the netmask
nat (inside) 0 access-list ACL_NAT  <--- mandatory because you need to exclude VPN traffic from NAT
vpdn group vpnaccess client configuration address local VPN_POOL
no vpdn group vpnaccess client configuration dns 10.128.1.3 4.2.2.2
vpdn group vpnaccess client configuration dns 10.128.1.3  <---- you should only use the internal DNS server OR the external, not both.

Ok, give that a shot...
0
 
plemieux72Commented:
Note- to make the NAT changes, again you may need to clear the translations...

On the PIX, the equivalent command is clear xlate
0
 
paulmmaloneAuthor Commented:
when I change the

"no ip address outside"

to say "ip address outside 1 72.223.195.50 255.255.255.240"

I loose connectivity to the internet from inside.
72.223.195.50 is the same ip address that I have in the line  "global (outside) 1 72.223.195.50"


0
 
plemieux72Commented:
But you had ip address outside 72.223.195.50 255.255.255.240 on the initial posting above... what happened to it?  Do you know when it got taken out?

Anyway, yes, the outside IP address is what your are using for NAT (PAT actually)... so it goes in the global (outside) 1 command.

Can you post a "show int" when you have connectivity and when you don't?
0
 
paulmmaloneAuthor Commented:
I guess the

ip address outside  and the global (outside) were conflicting.

I now have

ip address outside 72.223.195.51 255.255.255.240    and
global (outside) 1 72.223.195.50

getting an error when entering in the "access-list ACL_NAT permit ip 10.128.1.0 255.0.0.0 172.16.1.0 255.255.255.224"
I will try the clear xlate command.
0
 
plemieux72Commented:
Oh, sorry, I hadn't noticed the .51 vs .50.  You should really put it back the way it was:

ip address outside 72.223.195.50 255.255.255.240    and
global (outside) 1 72.223.195.51

This means, the outside IP is .50 but when the PIX NATs (PAT) outbound traffic it assigns a source address of .51 to all the packets which is fine.

Then, I also noticed vpdn is enabled on the inside, that's not needed in your case so do:

no vpdn enable inside
0
 
paulmmaloneAuthor Commented:
I have made the changes.
The pix forced me to put in
access-list ACL_NAT permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.224
instead of 10.128.1.0


Here is my current config...

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ********encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 47
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
access-list 100 permit tcp any host 72.223.195.53 eq smtp
access-list 100 permit tcp any host 72.223.195.53 eq ftp
access-list 100 permit tcp any host 72.223.195.53 eq pop3
access-list 100 permit tcp any host 72.223.195.53 eq https
access-list 100 permit tcp any host 72.223.195.53 eq domain
access-list 100 permit tcp any host 72.223.195.53 eq 3389
access-list 100 permit tcp any host 72.223.195.53 eq www
access-list 100 permit tcp any any eq www
access-list ACL_NAT permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.223.195.51 255.255.255.240
ip address inside 10.128.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 172.16.1.1-172.16.1.30
pdm location 10.128.1.3 255.255.255.255 inside
pdm location 10.128.1.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 72.223.195.50
nat (inside) 0 access-list ACL_NAT
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 72.223.195.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group vpnaccess accept dialin pptp
vpdn group vpnaccess ppp authentication mschap
vpdn group vpnaccess ppp encryption mppe auto required
vpdn group vpnaccess client configuration address local VPN_POOL
vpdn group vpnaccess client configuration dns 4.2.2.2
vpdn group vpnaccess pptp echo 60
vpdn group vpnaccess client authentication local
vpdn username ******* password *********
vpdn enable outside
terminal width 80
Cryptochecksum:d94582938aa8dcae4e23e5223e5cc809
: end
0
 
plemieux72Commented:
<<The pix forced me to put in
access-list ACL_NAT permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.224
instead of 10.128.1.0>>

Yes, that's correct... I wasn't thinking it was a 255.0.0.0 mask instead of a 255.255.255.0.  

Anyway, the rest looks ok.  Although, you should choose your internal DNS server instead of 4.2.2.2 for the "vpdn group vpnaccess client configuration dns" command.  Otherwise, when PPTP clients connect, they won't be able to resolve internal names, just external ones.

Assuming it's now all working, there are two security problems you should finally look at fixing:
1) On the PIX, ssh 0.0.0.0 0.0.0.0 outside  - Do you really need SSH access from anywhere on the Internet?  Password cracking attempts can compromise your PIX so you should remove this if not needed and manage the PIX via VPN instead.  If you decide to do this, add the "management-access inside" command which will allow you to manage the PIX via the inside interface IP address from the VPN tunnel.

2) On the router, there are several things you could do to harden it (lock it down security-wise).  I suggest you get the following handbook which will help you do this and also learn a bit more of IOS:
Hardening Cisco Routers (O'Reilly Networking) (Paperback) by Thomas Akin
http://www.amazon.com/gp/product/0596001665/sr=8-1/qid=1144202097/ref=pd_bbs_1/103-2262386-6738218?%5Fencoding=UTF8

Also, the internal subnet allows for 16777214 hosts on 1 subnet!  You predecessor who designed this IP addressing was clearly not understanding this.  So, although it works now, this is just an FYI that if you ever have to add other 10.x.x.x networks (possibly from a company merger or acquisition), you'd benefit from re-addressing the internal LAN to a subnet containing 254 or 510 hosts for example.  This is why we had to choose a 172.16.x.x subnet for the VPN pool.  There was no 10.x.x.x subnets left!  Anyway, don't bother with that now but I just wanted to bring this to your attention.
0
 
paulmmaloneAuthor Commented:
plemieux72,
I just logged into VPN from the Starbucks down the road!!!!!
It works.
Thank you, so much.  For helping me through this.  It has been an education.

If you have a Paypal account I'll send you a thank you for all the time and effort put in.
If you don't want to post it online my yahoo email address is paulmmalone@yahoo.com

Thank you again.  And I will definetly harden down the both the pix and the router ASAP.

Yes!!!!  It works.   I am pumped!

0
 
plemieux72Commented:
Awesome!  Glad I could help.  No need for paypal... not sure how we'd authenticate each other without me having to post my email address.  Plus, it's probably not allowed by the EE rules anyway.

Just accept one of my answers instead.  

Have a good night!

Cheers
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 23
  • 21
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now