• Status: Solved

PIX PPTP and Citrix Pass Through

Hi Guys,

I have this scenario:

LAN-----PIX----------1720 Router---------Internet

Now LAN users want to access the PPTP server and Citrix server on the Internet.
I am using the PIX with 6.2(1), so I can't use the PPTP fixup protocol.

What are the necessary access rules and commands I need to use on the PIX?
I guess there is nothing to do on the 1720 router.

regards
Naren
Asked:
r_naren22atyahoo

nodisco Commented:
Hi Naren

Are you using PAT on the PIX or do you have a global pool? The PIX will not allow you to connect from inside to outbound PPTP servers over PAT. The solution would be to either create a global pool of addresses for your LAN machines to go out through, assign them static outside IP addresses or, best of all, upgrade to 6.3(5) and use the fixup for PPTP. This fixup addresses the issue of PPTP behind PAT.

hth
r_naren22atyahoo (Author) Commented:
Hi nodisco,

I have upgraded the PIX to 6.3.5, and the PPTP fixup protocol is enabled.

I just use this command:
fixup protocol pptp 1723

I still need to pass the PPTP through the router.
The router IOS is 12.2 and it is not doing the NAT.

Please help with the router.

regards
Naren
nodisco Commented:
If the router is not doing NAT, it should work fine unless there is something in particular on the router that is blocking it.
Can you post the router config?

Can you advise on the following:
Is the IP range of the PPTP servers you are trying to access the same as the LAN subnet you are originating from?
Can you connect at all to PPTP, or is it a case that you can connect but not pass traffic?
If you cannot connect, what error message do you get?
If you can connect but cannot access certain services (RDP, for example), can you ping these services? If you can, you may have an MTU issue.

cheers
nodisco Commented:
Naren

Can you also post the IOS version of your router?

thanks
r_naren22atyahoo (Author) Commented:
12.2
r_naren22atyahoo (Author) Commented:
Here is the situation.

Sorry, the router is doing the NAT,
and the PPTP server address is a public IP.

The PPTP connection connects to the public IP,
then it waits for a long time for user name and password authentication,
then it throws me error 721.
I am using the Windows PPTP client.
lrmoore Commented:
>the router is doing the NAT
AND the PIX is doing NAT, too? No wonder GRE won't work.
The router does not have the fixup capability of the PIX to allow for the GRE tunnel.
Disable NAT on the router since the PIX is doing it anyway.
r_naren22atyahoo (Author) Commented:
Sorry guys, I was mixed up and gave wrong info.

lrmoore,

The scenario is like this:

PPTP Server(Internet)-----PIX(No NAT)-------Router(NAT)(1720,IOS=12.2)--------------LAN(Windows PPTP Client)
                                                                                 |
                                                                                 |
                                                                             Branch

I have enabled the fixup protocol on the PIX.
I don't know what to do on the router.

Regards
Naren
r_naren22atyahoo (Author) Commented:
Guys, any ideas?

I guess I have a problem at the router:
communications back from the router's external interface to the LAN users.
nodisco Commented:
Naren

Can you post the PIX config and router config, as the diagram above is a bit odd?

lrmoore Commented:
Create a 1-1 static NAT on the router for the PPTP client machine.
You don't have much of a choice, and if the PIX isn't doing NAT, then the fixup is also irrelevant.
Agree with nodisco: your layout is really odd, but I'm sure there is a good explanation for it.
r_naren22atyahoo (Author) Commented:
I have to give access to more than one client, I mean the whole network behind the router.

regards
Naren
lrmoore Commented:
Router + NAT + GRE = 1-1 NAT (can be done with a big enough NAT pool).
Disable NAT on the router, let the PIX do the NAT and let the fixup deal with GRE.
r_naren22atyahoo (Author) Commented:
Hi guys, the setup is odd, I know; this is because the internal router also has IPsec tunnels,
and PIX 6.3 cannot do this routing between the tunnels.

The problem is solved. I have used the access list to allow the GRE protocol from external to internal on the router and PIX.
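The following is an added configuration sketch, not the poster's own config or anything from the thread, showing what the reported fix (inbound permits for GRE on both boxes) and lrmoore's 1:1 NAT advice look like in the final layout: PIX 6.3(5) without NAT on the Internet side, 1720 router doing NAT on the LAN side. All addresses are RFC 5737 documentation ranges, the interface names and ACL names/numbers are placeholders, and the PPTP server address (198.51.100.5), client (192.168.1.10) and its mapped public address (203.0.113.10) are assumed. PPTP has two halves, the TCP 1723 control channel and the GRE (IP protocol 47) data channel; GRE carries no port numbers, which is why PAT cannot map it and why each client needs a 1:1 mapping on the router.

```cisco
! ---- 1720 router (IOS 12.2), doing NAT ----
! Interface names and addresses are placeholders.
interface FastEthernet0
 description LAN side (placeholder name)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description PIX / Internet side (placeholder name)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group 110 in
!
! GRE has no ports, so PAT cannot track the returning tunnel.
! One static 1:1 mapping per PPTP client (or a pool large enough
! for every client that needs PPTP), as suggested in the thread.
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Inbound filter on the outside interface. Inbound ACLs are evaluated
! before NAT on the way in, so the destination is the mapped public address.
! Only the known PPTP server, only the PPTP control channel (replies to
! sessions opened from inside) and its GRE data channel. Everything else
! is dropped by the implicit deny.
access-list 110 permit tcp host 198.51.100.5 eq 1723 host 203.0.113.10 established
access-list 110 permit gre host 198.51.100.5 host 203.0.113.10
! (add whatever else the site legitimately needs inbound)

! ---- PIX 6.3(5), no address translation in this layout ----
! PIX 6.x still needs a NAT rule to pass inside hosts; nat 0 makes the
! "no NAT" pass-through explicit (assumed to be what the poster already had).
nat (inside) 0 203.0.113.0 255.255.255.0
!
! The fixup inspects the TCP 1723 control channel and opens the matching
! GRE session dynamically.
fixup protocol pptp 1723
!
! The poster also reported needing an explicit permit for GRE from the
! outside; keep it scoped to the known PPTP server and the router's
! public range rather than "any". PIX ACLs use netmasks, not wildcards.
access-list outside_in permit gre host 198.51.100.5 203.0.113.0 255.255.255.0
access-group outside_in in interface outside
```

The design point, for anyone reusing this: scoping the inbound permits to the specific PPTP server and the specific mapped client addresses limits what an Internet host can send into the LAN to the one tunnel you intend to allow, which is what an inbound "permit gre any any" would give away. The TCP 1723 control channel on the router needs the `established` keyword (or a stateful inspection feature) because the router ACL is stateless; the PIX tracks outbound TCP sessions itself, so only the GRE line is added there.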