  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416

PIX 506 will not allow MS PPTP VPN authentication

I am behind a PIX 506, V6.3(4) with PDM 3.0(2).

When I try to establish a Microsoft PPTP VPN connection to any outside server, it makes the initial connection then hangs up at "Verifying Username and Password" (100% confirmed to be a Firewall issue, as it works fine outside of the FW or from my own home connection).

I have set the PIX to "Bypass Access Check" for PPTP, L2TP, and all IPSEC traffic in the PDM under VPN - VPN System Options.  Didn't seem to fix the issue.

Asked by: aconway

billwharton Commented:
Do you have any access list on the inside interface of the PIX restricting outbound access to the PPTP protocol?
Try removing the access list by doing a 'no access-group <ACL ID> in interface outside'

aconway (Author) Commented:
I don't think so...but I didn't do the initial set up.  I am looking all through the PDM and I don't see any access rules that mention anything about PPTP.

The PIX is set up for Cisco's own VPN (client) for access into our network, so I am not sure if that somehow screws up outbound PPTP to other servers/firewalls..?

billwharton Commented:
It should not.
Make sure this command exists on the PDM. If not, put it in.

fixup protocol pptp 1723

aconway (Author) Commented:
Could you tell me how I add that command within the PDM interface?  (as in, where?)

billwharton Commented:
I am not too familiar with the PDM but if you can find any menu task which allows you to copy/paste the entire PIX config in here, that would help

aconway (Author) Commented:
I don't see that fixup command you listed.. how do I put it in?  I can access the command line interface, if needed.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password MvudnAy1k29VtT0Z encrypted
passwd Fe17Rj89Vsp2/vZw encrypted
hostname PIX
domain-name removed
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Priv-Network
name 192.168.1.1 Priv-mailSrvr
name 192.168.1.13 Priv-webSrvr
name 192.168.1.3 Priv-TSrvr
name 192.168.1.10 COINDev
name 192.168.1.11 COINPro
object-group service Webmin tcp-udp
  port-object range 10000 10000
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.30.69.186 eq smtp
access-list acl_out permit tcp any host xx.30.69.186 eq www
access-list acl_out permit tcp any host xx.30.69.186 eq pop3
access-list acl_out remark RPC HTTP TCP
access-list acl_out permit tcp any host xx.30.69.186 range 6001 6004
access-list acl_out remark RPC HTTP UDP
access-list acl_out permit udp any host xx.30.69.186 range 6001 6004
access-list acl_out remark COINDev SSH
access-list acl_out permit tcp any host xx.30.69.187 range 10022 10022
access-list acl_out remark COINDev SSH
access-list acl_out permit tcp any host xx.30.69.187 range 10080 10080
access-list acl_out remark COINPro SSH
access-list acl_out permit tcp any host xx.30.69.187 range ssh ssh
access-list acl_out remark COINPro WWW
access-list acl_out permit tcp any host xx.30.69.187 range www www
access-list acl_out remark COINPro WWW
access-list acl_out permit tcp any host xx.30.69.187 range 10000 10000
access-list acl_out permit tcp any host xx.30.69.185 eq ftp
access-list acl_out permit tcp any host xx.30.69.185 eq smtp
access-list acl_out permit tcp any host xx.30.69.185 eq www
access-list acl_out permit tcp any host xx.30.69.186 eq https
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list 101 permit ip Priv-Network 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 50
logging on
logging timestamp
logging standby
logging trap alerts
logging history debugging
logging host inside Priv-mailSrvr
mtu outside 1500
mtu inside 1500
ip address outside xx.30.69.184 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pixVPNpool 192.168.254.10-192.168.254.25
pdm location xx.100.50.0 255.255.255.128 outside
pdm location Priv-mailSrvr 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.254.0 255.255.255.0 outside
pdm location Priv-webSrvr 255.255.255.255 inside
pdm location Priv-TSrvr 255.255.255.255 inside
pdm location COINDev 255.255.255.255 inside
pdm location COINPro 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.30.69.187 10022 COINDev 10022 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.30.69.187 10080 COINDev 10080 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.30.69.187 ssh COINPro ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.30.69.187 www COINPro www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.30.69.187 10000 COINPro 10000 netmask 255.255.255.255 0 0
static (inside,outside) xx.30.69.186 Priv-mailSrvr netmask 255.255.255.255 0 0
static (inside,outside) xx.30.69.185 Priv-webSrvr netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.30.69.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Priv-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup t4c5VPN address-pool pixVPNpool
vpngroup t4c5VPN split-tunnel 101
vpngroup t4c5VPN idle-time 1800
vpngroup t4c5VPN password ********
telnet Priv-Network 255.255.255.0 inside
telnet timeout 5
ssh xx.100.50.0 255.255.255.128 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c42fc91381a7d4e588cb93bec322c2ed
: end
[OK]

billwharton Commented:
Once in the CLI, do this:
configure t
fixup protocol pptp 1723

Then do a 'write memory'

Check if that helps

aconway (Author) Commented:
YEP!  That fixed it!  Thank you!
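
Added example (not part of the original thread, and not Cisco's or the posters' code): a small Python check that reads a saved PIX 6.3 configuration and reports whether the PPTP fixup that resolved this thread is present. PPTP carries its data in GRE, which has no TCP/UDP ports for PAT to rewrite, so the check also notes when PAT is configured; the sample config is constructed to mirror the one posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed PIX 6.3 config shaped like the one posted
# above (PAT on the outside interface, no "fixup protocol pptp" line).
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
fixup protocol ftp 21
fixup protocol http 80
no fixup protocol smtp 25
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-pptp
"""

def parse_fixups(config):
    """Map protocol -> (enabled, arguments) from 'fixup protocol' lines."""
    fixups = {}
    for line in config.splitlines():
        m = re.match(r"^(no\s+)?fixup protocol (\S+)\s*(.*)$", line.strip())
        if m:
            fixups[m.group(2)] = (m.group(1) is None, m.group(3).strip())
    return fixups

def uses_pat(config):
    """True if a dynamic nat ID is paired with 'global (...) <id> interface'."""
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", config, re.M))
    pat_ids = set(re.findall(r"^global \(\S+\) (\d+) interface", config, re.M))
    nat_ids.discard("0")  # nat 0 is NAT exemption, not translation
    return bool(nat_ids & pat_ids)

def audit_pptp(config):
    """Return findings on whether outbound PPTP can pass through this PIX."""
    findings = []
    enabled, args = parse_fixups(config).get("pptp", (False, ""))
    if not enabled:
        findings.append("missing: fixup protocol pptp 1723")
        if uses_pat(config):
            findings.append("PAT in use: GRE data channel has no port to translate")
        if re.search(r"^sysopt connection permit-pptp", config, re.M):
            findings.append("sysopt connection permit-pptp is set but is not a substitute")
    elif args != "1723":
        findings.append("pptp fixup on non-default port: " + args)
    return findings

if __name__ == "__main__":
    for finding in audit_pptp(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of 'write terminal' saved to a file by passing the file's contents to audit_pptp(); an empty list means the fixup is present on port 1723.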