Cisco PIX506e...connecting to outside VPN...

Posted on 2006-06-29
Last Modified: 2012-05-05
I have little working knowledge of Cisco firewalls, so answer accordingly please. In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall? Someone told me to make sure PPTP and SIP were enabled. I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic. Thank you!
Question by:AConover
7 Comments
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 70 total points
ID: 17013071
It depends on the type of VPN.

But typically adding the following will allow most VPN connections to work:

# to allow PPTP
fixup protocol pptp 1723
sysopt connection permit-pptp

# to allow NAT traversal for IPSec
isakmp nat-traversal 20
LVL 19

Expert Comment

by:nodisco
ID: 17014463
Re PPTP: it depends on your OS version. The fixup above fixes the issue of PPTP outbound when using PAT. This fixup is only in 6.3(3) or later, but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5).

If you have an earlier software release and do not have the CCO to download new images, you need to create a static NAT and allow GRE traffic back to the translated host from the PPTP public IP. See here for details of how to configure this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

hth
LVL 1

Author Comment

by:AConover
ID: 17017175
The version is 6.3(3).
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI. I need more guidance on making command line changes (not even sure how to log into it through the command line). PPTP and SIP need to be enabled. Thanks for your help so far!
LVL 19

Accepted Solution

by:nodisco
nodisco earned 80 total points
ID: 17017347
First of all:
To use the CLI:
The first step is to connect the firewall to a PC so that you can begin the configuration. This is done via the blue console cable that comes with the firewall. Plug one end into the console port on the back of the firewall and the other end into a serial port on a PC. You can use HyperTerminal or another terminal emulator program to connect to the firewall.
The terminal settings are:

9600 bps
8 data bits
No parity
1 stop bit
No flow control

Once the firewall is connected to the PC and the emulation software is running, press Enter several times to bring up the login prompt, which will look like this:
pixfirewall>
At the prompt type enable and press Enter. You will be prompted for a password. The initial password for all PIX firewalls is blank, so just press Enter and you will get the enable prompt:
pixfirewall#
Type configure term and hit Enter.

If you have Cisco CCO you can upgrade your PIX to 6.3(5) and use the fixup for PPTP protocol support - this is definitely the preferred option.
fixup protocol pptp 1723

Although this is included in 6.3(3), there is a bug in it and it does not always work correctly. If you cannot upgrade, do the following:

pixfirewall(config)#static (inside,outside) [spare public ip] [inside ip] netmask 255.255.255.255
pixfirewall(config)#access-list acl-out permit gre host [public ip of pptp server] host [spare public ip]
pixfirewall(config)#access-group acl-out in interface outside

In this example you are translating the PC inside [inside ip] that you want to use as the PPTP client to a spare public IP on the PIX. You are then allowing PPTP traffic to come in from the PPTP server to this host.

Note - this example is using an access-list called acl-out. If you have a different access-list currently applied to your outside interface, do not use the one above. Replace "acl-out" with the name of your current access-list. That way you will be adding these lines to the access-list rather than disabling what is currently in use.

I understand there is a lot in this - feel free to ask if this is not clear.

hth

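The accepted answer's two paths (the pptp fixup on 6.3(3)+ versus static NAT plus a GRE permit on older images) and its caveat about reusing the ACL already bound to the outside interface, as an added Python example that is not from the thread: it reads a constructed PIX 6.3 running-config, picks the path by version, and emits the static and GRE-permit lines under whatever ACL is already applied. The interface names, ACL name and addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of a PIX 6.3 running-config (not from the thread).
# The outside interface already has an ACL called "outside_in" applied.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""

def pix_version(config):
    """Parse 'PIX Version X.Y(Z)' into a comparable (X, Y, Z) tuple, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def pptp_path(config):
    """Route the thread recommends for outbound PPTP through PAT:
    'fixup' (6.3(4) and later), 'fixup-buggy' (6.3(3), the release the
    thread flags as buggy) or 'static-nat' (older images with no pptp fixup)."""
    v = pix_version(config)
    if v is None or v < (6, 3, 3):
        return "static-nat"
    return "fixup-buggy" if v == (6, 3, 3) else "fixup"

def outside_acl_name(config):
    """Name of the ACL bound inbound on 'outside', or None if none is bound."""
    m = re.search(r"^access-group\s+(\S+)\s+in\s+interface\s+outside\s*$", config, re.M)
    return m.group(1) if m else None

def pptp_static_lines(config, inside_ip, spare_public_ip, pptp_server_ip):
    """Build the static + GRE permit lines from the accepted answer. The permit
    is appended to the ACL already applied on outside so the existing rule set
    is extended, not replaced; 'acl-out' is created only when nothing is bound."""
    for ip in (inside_ip, spare_public_ip, pptp_server_ip):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    acl = outside_acl_name(config)
    lines = [
        f"static (inside,outside) {spare_public_ip} {inside_ip} netmask 255.255.255.255",
        f"access-list {acl or 'acl-out'} permit gre host {pptp_server_ip} host {spare_public_ip}",
    ]
    if acl is None:
        lines.append("access-group acl-out in interface outside")
    return lines
```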
LVL 1

Author Comment

by:AConover
ID: 17017514
I was able to establish a telnet session with the PIX. I completed the first command "fixup protocol pptp 1723" and did not receive any errors. I'm waiting for the user to arrive for testing.

I don't have a CCO; I think we did at one point but it has since expired. The second (alternative) step seems a bit confusing. I don't have an extra spare public IP. Hopefully the first option works. No other steps are required with that command?
LVL 1

Author Comment

by:AConover
ID: 17017550
Addendum to my last post:

According to the link you sent me before:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

For version 6.3(3) I need to do this as well?:

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

     pixfirewall(config)#global (outside) 1 interface

LVL 19

Expert Comment

by:nodisco
ID: 17017600
The nat and global commands are not necessary per the example - they just show how the PPTP works in this situation. You will already have nat and global commands of some description configured.

The fixup for PPTP was introduced in 6.3(3). There are bugs in it that were fixed in 6.3(4). Just an FYI that you may experience trouble with it.

hth