AConover asked:
Cisco PIX506e...connecting to outside VPN...

I have little working knowledge on Cisco firewalls, so answer accordingly please.  In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall?  Someone told me to make sure PPTP and SIP were enabled.  I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic.  Thank you!
SOLUTION
prueconsulting
nodisco
Re PPTP: it depends on your OS version.  The fixup above fixes the issue of PPTP outbound when using PAT.  This fixup is only in 6.3(3) or later, but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5).

If you have an earlier software release and do not have the CCO to download new images you need to create a static nat and allow gre traffic back to the translated host from the pptp public ip.  See here for details of how to configure this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

hth
AConover (ASKER)
The version is 6.3(3).
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI.  I need more guidance on making command line changes (not even sure how to log into it through command line).  PPTP and SIP need to be enabled.  Thanks for your help so far!
ASKER CERTIFIED SOLUTION
I was able to establish a telnet session with the PIX.  I completed the first command "fixup protocol pptp 1723" and did not receive any errors.  I'm waiting for the user to arrive for testing.

I don't have a CCO, I think we did at one point but it has since expired.  The second (alternative) step seems a bit confusing.  I don't have an extra spare public IP.  Hopefully the first option works.  No other steps are required with that command?
Addendum to my last post:

According to the link you sent me before:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

For version 6.3(3) I need to do this as well?:

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

     pixfirewall(config)#global (outside) 1 interface

The nat and global commands are not necessary per the example - they just show how the PPTP fixup works in this situation.  You will already have nat and global commands of some description configured.

The fixup for PPTP was introduced in 6.3(3).  There are bugs in it that were fixed in 6.3(4).  Just an FYI that you may experience trouble with it.

hth
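For reference, the two approaches discussed in this thread side by side as an added PIX 6.x configuration example (not taken from the thread or from Cisco's documentation): the 6.3(3)+ fixup path that works with plain PAT, and the pre-6.3(3) path that needs a static one-to-one translation plus an inbound GRE permit from the remote PPTP server. All addresses and the access-list name are constructed placeholders.

```cisco
! --- Option A: PIX 6.3(3) or later. The PPTP fixup inspects the TCP/1723
! --- control channel and opens the matching GRE pinholes, so ordinary PAT
! --- (nat/global with "interface") is enough. No inbound rule is required.
fixup protocol pptp 1723
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! --- Option B: PIX 6.2 (no PPTP fixup). The PIX cannot track GRE, so the
! --- client host needs its own public address (static) and the GRE return
! --- traffic from the remote VPN server has to be permitted explicitly.
! --- 203.0.113.10  = spare public IP for the client (constructed)
! --- 192.168.1.50  = inside client that dials the PPTP VPN (constructed)
! --- 198.51.100.5  = remote PPTP server the user connects to (constructed)
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255 0 0
! Permit only GRE, and only from the known VPN server, to the translated host.
! TCP/1723 is initiated outbound by the client, so it is tracked statefully
! and needs no inbound entry.
access-list outside_in permit gre host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! --- Verification from the enable prompt after a test dial-in:
! show fixup        -> confirms "fixup protocol pptp 1723" is active (Option A)
! show conn         -> should list the TCP/1723 connection and GRE entries
! show xlate        -> shows the PAT (Option A) or static (Option B) translation
```

Option B keeps the permit scoped to one source host and one protocol; a broader `permit gre any any` would expose the translated host to GRE from anywhere and should be avoided.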