krais99
Windows 2003 PPTP VPN through PIX 506e

I have a PIX 506e firewall that appears to be blocking our VPN connections despite having the appropriate ports opened.  

I'm able to connect to the VPN through the LAN, but am unable to connect from the outside.  When I attempt to connect, I get an error 678.  Here are the running-config lines for the VPN pass-through:

fixup protocol pptp 1723
no names
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq pptp
access-list 101 permit gre any host xxx.xxx.xxx.xxx
static (inside,outside) tcp xxx.xxx.xxx.xxx pptp yyy.yyy.yyy.yyy pptp netmask 255.255.255.255 0 0
access-group 101 in interface outside

Am I missing something?  Is the PIX 506e capable of handling this?   Also, I have previously used the Cisco 506e built-in VPN client but have since added 30 additional VPN users through various sales sites.  Do I need to remove the Cisco VPN config first?  Is that in any way hindering the PPTP traffic to the Windows 2003 server?

Thanks in advance,

Todd
Les Moore

>static (inside,outside) tcp xxx.xxx.xxx.xxx pptp yyy.yyy.yyy.yyy pptp netmask 255.255.255.255
The only way you can have a PPTP server inside your PIX is to have a static 1-1 nat address.
You need another public IP address other than the one assigned to your outside interface. Then create a static nat
  static (inside,outside) xxx.xxx.xx.xx2 yy.yy.yy.yy netmask 255.255.255.255
Change your access-list host xxx.xxx.xxx.xxx to xxx.xxx.xx.xx2

There is nothing else in the PIX config that you have to change. The Fixup is for internal clients going out to an external VPN server to guide the GRE back in. It does not work the other way with the server inside and clients outside.
krais99

ASKER

Sorry, I forgot to mention that. My IPs are set up:

xxx.xxx.xxx.xx1 = external IP of the firewall
xxx.xxx.xxx.xx2 = mail
xxx.xxx.xxx.xx3 = citrix
xxx.xxx.xxx.xx4 = vpn
ASKER CERTIFIED SOLUTION
Les Moore
krais99

ASKER

Perfect.  Tested and works fine.  

On a side note to this, is it better to just do a 1-1 static IP map and open ports as needed, or do a 1-1 static IP with ports? i.e.:
static (inside,outside) tcp xxx.xxx.xxx.xx2 smtp yyy.yyy.yyy.yy1 smtp netmask 255.255.255.255

You can't do a port static because GRE does not have ports and the only way to handle it is with a 1-1 IP map.
Almost everything else you can do with simple port statics.
My personal preference would be to use port statics where I can and 1-1 when I have to.
Combine the port static with the acl and you're about as good as it gets.
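As an added example (not code from the thread or from Cisco), a small Python checker that applies the rule above to PIX-style config lines: a PPTP server behind the PIX needs TCP 1723 and GRE permitted to its public address, and because GRE carries no port, only a 1-1 static can translate it. The addresses are constructed (RFC 5737 documentation ranges), and the parser only understands the `any host X` ACL and `(inside,outside)` static forms used in this thread.

```python
import re

# Constructed sample in the asker's original shape: a tcp port static for PPTP.
BROKEN_CONFIG = """
fixup protocol pptp 1723
access-list 101 permit tcp any host 203.0.113.4 eq pptp
access-list 101 permit gre any host 203.0.113.4
static (inside,outside) tcp 203.0.113.4 pptp 10.0.0.4 pptp netmask 255.255.255.255 0 0
"""

# Constructed sample in the corrected shape: a 1-1 static on a spare public IP.
FIXED_CONFIG = """
access-list 101 permit tcp any host 203.0.113.4 eq pptp
access-list 101 permit gre any host 203.0.113.4
static (inside,outside) 203.0.113.4 10.0.0.4 netmask 255.255.255.255
"""

# Narrow parsers for the two line shapes used in the thread (an assumption, not a full PIX grammar).
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?")
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+(?:(tcp|udp)\s+)?(\S+)\s+\S+")


def check_pptp_passthrough(config: str, public_ip: str) -> list:
    """Return the problems that would stop outside clients reaching a PPTP server behind public_ip."""
    tcp_1723 = gre = one_to_one = port_static = False
    for line in config.splitlines():
        acl = ACL_RE.match(line.strip())
        if acl:
            proto, host, port = acl.groups()
            if host == public_ip and proto == "tcp" and port in ("pptp", "1723"):
                tcp_1723 = True          # control channel
            elif host == public_ip and proto == "gre":
                gre = True               # tunnel traffic, IP protocol 47
            continue
        nat = STATIC_RE.match(line.strip())
        if nat and nat.group(2) == public_ip:
            if nat.group(1) is None:
                one_to_one = True        # static (inside,outside) <global> <local>
            else:
                port_static = True       # static (inside,outside) tcp <global> <port> ...
    problems = []
    if not tcp_1723:
        problems.append(f"no ACL permits tcp/1723 to {public_ip}")
    if not gre:
        problems.append(f"no ACL permits GRE (IP protocol 47) to {public_ip}")
    if not one_to_one:
        why = ("GRE has no ports, so a tcp port static never translates it"
               if port_static else "no static maps it inward")
        problems.append(f"{public_ip} needs a 1-1 static: {why}")
    return problems
```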