Cisco PIX506e...connecting to outside VPN...

I have little working knowledge on Cisco firewalls, so answer accordingly please.  In order for a user to access a VPN on an external network from ours, what needs to be opened up on our PIX firewall?  Somone told me to make sure PPTP and SIP were enabled.  I see some settings related to PPTP, but I thought any modifications to those were related to incoming traffic.  Thank you!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

it depends on the type of VPN

but typically adding the following will allow most VPN connections to work

# to Allow PPTP
fixup protocol pptp 1723
sysopt connection permit-pptp  

# to allow NAT traversal for IPSec

isakmp nat-traversal 20
Re pptp it depends on your OS version.  The fixup above fixes the issue of pptp outbound when using PAT.  This fixup is only in 6.3(3) or later but the 6.3(3) version has a bug in it and it is recommended to go to 6.3(5)

If you have an earlier software release and do not have the CCO to download new images you need to create a static nat and allow gre traffic back to the translated host from the pptp public ip.  See here for details of how to configure this:

AConoverAuthor Commented:
The Version is 6.3(3)
Pardon my ignorance on the subject, but I only know how to make some modifications via the GUI.  I need more guidance on making command line changes (not even sure how to log into it through command line).  PPTP and SIP need to be enabled.  Thanks for your help so far!
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

First of all--------------------------
To use the CLI:
The first step is to connect the firewall to a PC so that you can begin the configuration. This is done via the blue console cable that comes with the firewall. Plug one end into the console port on the back of the firewall and the other end to a serial port on a PC. You can use hyperterminal or another terminal emulator program to connect to the firewall.
The terminal settings are:

9600 bps

8 data bits

No parity

1 stop bit
No flow control

Once the firewall is connected to the PC and the emulation software is running press enter several times to bring up the login prompt which will look like this:
At the prompt type enable and press enter. You will be prompted for a password. The initial password for all PIX firewalls is blank so just press enter and you will get the enable prompt:
Type configure term and hit enter

If you have Cisco CCO you can upgrade your PIX to 6.3(5) and use the fixup for pptp protocol support - this is definetly the preferred option.
fixup protocol pptp 1723

Although this is included in 6.3(3) there is a bug in it and it does not always work correctly.  If you cannot upgrade - do the following:

pixfirewall(config)#static (inside,outside) [spare public ip] [inside ip]  netmask
pixfirewall(config)#access-list acl-out permit gre host [public ip of pptp server]  host [spare public ip]
pixfirewall(config)#access-group acl-out in interface outside

In this example you are translating your pc inside [inside ip] that you want to use pptp client  - to a spare public ip on the PIX.  You are then allowing pptp traffic come in from the pptp server to this host.

Note - this example is using an access-list called acl-out.  If you have a different access-list currently applied to your outside interface, do not use the one above.  Replace "acl-out" with the name of your current access-list.  that way you will be adding these lines to the access-list rather than disabling what is currently in use.  

I understand there is a lot in this - feel free to ask if this is not clear



Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AConoverAuthor Commented:
I was able to establish a telnet session with the PIX.  I completed the first command "fixup protocol pptp 1723" and did not receive any errors.  I'm waiting for the user to arrive for testing.

I don't have a CCO, I think we did at one point but it has since expired.  The second (alternative step) seems a bit confusing.  I don't have an extra spare Pubic IP.  Hopefully the first option works.  No other steps are required with that command?
AConoverAuthor Commented:
Addendum to my last post:

According to the link you sent me before:

For version 6.3(3) I need to enter do this as well??:

     Commands to Add for Version 6.3
     Complete these steps to add commands for version 6.3:

     Enable the fixup protocol pptp 1723 using this command.

     pixfirewall(config)#fixup protocol pptp 1723
     You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

     pixfirewall(config)#nat (inside) 1 0 0

     pixfirewall(config)#global (outside) 1 interface

the nat and global commands are not necessary per the example - they just show how the pptp works in this situation.  You will already have nat and global commands of some description configured.  

the fixup for pptp was introduced in 6.3(3).  There are bugs in it that were fixed in 6.3(4).  Just an FYI that you may experience trouble with it.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.