Solved

Cisco PIX506e...connecting to outside VPN...

Posted on 2006-06-29
Last Modified: 2012-05-05
I have little working knowledge on Cisco firewalls, so answer accordingly please. In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall? Someone told me to make sure PPTP and SIP were enabled. I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic. Thank you!
Question by:AConover

Assisted Solution

by:prueconsulting
prueconsulting earned 70 total points
It depends on the type of VPN,

but typically adding the following will allow most VPN connections to work:

# to allow PPTP
fixup protocol pptp 1723
sysopt connection permit-pptp

# to allow NAT traversal for IPSec
isakmp nat-traversal 20

Expert Comment

by:nodisco
Re PPTP, it depends on your OS version. The fixup above fixes the issue of PPTP outbound when using PAT. This fixup is only in 6.3(3) or later, but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5).

If you have an earlier software release and do not have the CCO to download new images, you need to create a static NAT and allow GRE traffic back to the translated host from the PPTP public IP. See here for details of how to configure this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

hth

Author Comment

by:AConover
The version is 6.3(3).
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI. I need more guidance on making command line changes (not even sure how to log into it through the command line). PPTP and SIP need to be enabled. Thanks for your help so far!

Accepted Solution

by:nodisco
nodisco earned 80 total points
First of all, to use the CLI:
The first step is to connect the firewall to a PC so that you can begin the configuration. This is done via the blue console cable that comes with the firewall. Plug one end into the console port on the back of the firewall and the other end into a serial port on a PC. You can use HyperTerminal or another terminal emulator program to connect to the firewall.
The terminal settings are:

9600 bps
8 data bits
No parity
1 stop bit
No flow control

Once the firewall is connected to the PC and the emulation software is running, press Enter several times to bring up the login prompt, which will look like this:
pixfirewall>
At the prompt type enable and press Enter. You will be prompted for a password. The initial password for all PIX firewalls is blank, so just press Enter and you will get the enable prompt:
pixfirewall#
Type configure term and hit Enter.

If you have Cisco CCO you can upgrade your PIX to 6.3(5) and use the fixup for PPTP protocol support - this is definitely the preferred option.
fixup protocol pptp 1723


Although this is included in 6.3(3), there is a bug in it and it does not always work correctly. If you cannot upgrade, do the following:

pixfirewall(config)#static (inside,outside) [spare public ip] [inside ip] netmask 255.255.255.255
pixfirewall(config)#access-list acl-out permit gre host [public ip of pptp server] host [spare public ip]
pixfirewall(config)#access-group acl-out in interface outside

In this example you are translating your PC inside [inside ip], which you want to use as the PPTP client, to a spare public IP on the PIX. You are then allowing PPTP traffic to come in from the PPTP server to this host.

Note - this example is using an access-list called acl-out. If you have a different access-list currently applied to your outside interface, do not use the one above. Replace "acl-out" with the name of your current access-list. That way you will be adding these lines to the access-list rather than disabling what is currently in use.

I understand there is a lot in this - feel free to ask if this is not clear.

hth


Author Comment

by:AConover
I was able to establish a telnet session with the PIX. I completed the first command "fixup protocol pptp 1723" and did not receive any errors. I'm waiting for the user to arrive for testing.

I don't have a CCO; I think we did at one point, but it has since expired. The second (alternative) step seems a bit confusing. I don't have an extra spare public IP. Hopefully the first option works. No other steps are required with that command?

Author Comment

by:AConover
Addendum to my last post:

According to the link you sent me before:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver62

For version 6.3(3), do I need to do this as well?

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

     pixfirewall(config)#global (outside) 1 interface


Expert Comment

by:nodisco
The nat and global commands are not necessary per the example - they just show how the PPTP works in this situation. You will already have nat and global commands of some description configured.

The fixup for PPTP was introduced in 6.3(3). There are bugs in it that were fixed in 6.3(4). Just an FYI that you may experience trouble with it.

hth
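The thread describes two ways an inside PPTP client can get out through a PIX behind PAT: the pptp fixup (available from 6.3(3), with bugs the experts say were fixed in 6.3(4)/6.3(5)) or, on older code, a static translation plus an inbound GRE permit from the PPTP server. The script below is an added example, not code from this thread or from Cisco: it reads a saved `show running-config` and reports which of those two paths is actually in place and whether the software release makes the fixup trustworthy. Version thresholds follow the thread; the interface names, addresses and the sample configs are constructed for the example.

```python
"""Audit a saved Cisco PIX 6.x 'show running-config' for outbound PPTP client support.

Added example (not from the thread or Cisco). Checks the two paths described in the
answers: 'fixup protocol pptp 1723' (6.3(3)+, buggy before 6.3(4) per the thread) and
the static + inbound GRE access-list workaround. Sample configs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

VERSION_RE = re.compile(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", re.M)
FIXUP_RE = re.compile(r"^fixup protocol pptp (\d+)", re.M)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)", re.M)
ACL_GRE_RE = re.compile(r"^access-list (\S+) permit gre host (\S+) host (\S+)", re.M)
ACL_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)", re.M)

FIXUP_MIN = (6, 3, 3)    # first release with the pptp fixup (per the thread)
FIXUP_FIXED = (6, 3, 4)  # release where its bugs were fixed (per the thread)


@dataclass
class PptpAudit:
    version: Optional[tuple] = None
    fixup_enabled: bool = False
    fixup_reliable: bool = False   # fixup present on a release without the known bug
    static_gre_ok: bool = False    # static + GRE permit applied inbound on outside
    findings: list = field(default_factory=list)

    @property
    def ready(self) -> bool:
        return self.fixup_reliable or self.static_gre_ok


def audit_pptp(config: str) -> PptpAudit:
    """Return what the config provides for an inside PPTP client behind PAT."""
    a = PptpAudit()
    m = VERSION_RE.search(config)
    if m:
        a.version = tuple(int(x) for x in m.groups())
    else:
        a.findings.append("no 'PIX Version' line; cannot judge fixup support")

    # Path 1: the pptp fixup, which lets the GRE leg of PPTP work through PAT.
    fixup = FIXUP_RE.search(config)
    if fixup and fixup.group(1) == "1723":
        a.fixup_enabled = True
        if a.version is None:
            a.findings.append("pptp fixup configured but software version unknown")
        elif a.version < FIXUP_FIXED:
            a.findings.append("pptp fixup configured but %d.%d(%d) has known bugs; "
                              "upgrade to 6.3(5) or add the static + GRE workaround"
                              % a.version)
        else:
            a.fixup_reliable = True
    elif a.version and a.version >= FIXUP_MIN:
        a.findings.append("software supports 'fixup protocol pptp 1723' but it is not set")

    # Path 2: one-to-one static translation plus GRE permitted in from the PPTP server.
    statics = {m.group(3): m.group(4) for m in STATIC_RE.finditer(config)
               if (m.group(1), m.group(2)) == ("inside", "outside")}
    bound_outside = {m.group(1) for m in ACL_GROUP_RE.finditer(config)
                     if m.group(2) == "outside"}
    for m in ACL_GRE_RE.finditer(config):
        acl, src, dst = m.groups()
        if dst not in statics:
            a.findings.append(f"'{acl}' permits GRE to {dst}, which has no static translation")
        elif acl not in bound_outside:
            a.findings.append(f"'{acl}' permits GRE to {dst} but is not applied inbound on outside")
        else:
            a.static_gre_ok = True
            a.findings.append(f"GRE from {src} to {dst} (static for {statics[dst]}) allowed by '{acl}'")
    if not a.ready:
        a.findings.append("outbound PPTP client will not work through PAT as configured")
    return a


# Constructed sample configs (documentation address ranges; not from the thread).
CONFIG_633_FIXUP = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol pptp 1723
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""
CONFIG_635_FIXUP = CONFIG_633_FIXUP.replace("6.3(3)", "6.3(5)")
CONFIG_622_STATIC = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
access-list acl-out permit gre host 198.51.100.5 host 203.0.113.10
access-group acl-out in interface outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""

if __name__ == "__main__":
    for name, cfg in [("6.3(3)+fixup", CONFIG_633_FIXUP), ("6.3(5)+fixup", CONFIG_635_FIXUP),
                      ("6.2(2)+static", CONFIG_622_STATIC)]:
        r = audit_pptp(cfg)
        print(f"{name}: ready={r.ready}")
        for f in r.findings:
            print("  -", f)
```

Run it against a copy of your own `show running-config`; the 6.3(3)-with-fixup case is flagged as not ready, which matches the advice in the thread to either upgrade or keep the static + GRE workaround in reserve.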