Solved

PIX-501 PPPoe/VPN configuration?

Posted on 2006-11-25
1,187 Views
Last Modified: 2008-02-01
Hi, I would like to reuse a PIX-501 in a small office with a static IP PPPoE DSL connection (my config below)...

I can connect to the ISP via PPPoE and function normally however cannot allow incoming VPN for road warriors.

Am I incorrect in assuming this device will not work for both a PPPoE connection and VPN, and would a PIX-506 or Sonicwall be a functional alternative?

TIA

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname username@bslv1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username@bslv1.nts.com password williethejackass


See, I am unable to configure a PIX-501 to allow a VPN connection.
Question by:Openallnight
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 18012039
The 501 should be able to handle both a dialout vpdn group and a dial-in vpdn group.
Have you tried this config and it does not work?
If yes, then perhaps you can post your complete config? Maybe there is something else preventing connection.
Does the ISP allow inbound GRE/VPN ? Many do not on residential service.
 

Author Comment

by:Openallnight
ID: 18012137
I am unable to test my config presently and my experience with this device was some time ago at another site.
I am not sure if GRE/VPN is allowed; it is a business connection, so I will check.
I have found other posts and will try your older dial-in group examples.
 

Author Comment

by:Openallnight
ID: 18012175
I have attempted to enter a vpn_in group and when enabling on the outside I get this feedback:

(config)# vpdn enable outside
Can not enable vpdn on the same interface as PPPoE.
sysopt connection permit-pptp

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group vpn_in accept dialin pptp
vpdn group vpn_in ppp authentication chap
vpdn group vpn_in ppp authentication mschap
vpdn group vpn_in ppp encryption mppe 40
vpdn group vpn_in client configuration address local vpdn-pool
vpdn group vpn_in client configuration dns 192.168.1.3
vpdn group vpn_in pptp echo 60
vpdn group vpn_in client authentication local
vpdn username user@res1.nts.com password *********
vpdn username test password *********

 
LVL 79

Expert Comment

by:lrmoore
ID: 18012607
OK... well that sucks..
I'm 100% positive that you can support pppoe vpdn and IPSEC client at the same time..

I cut/pasted your config into my PIX, and it did not complain when I entered "vpdn enable outside"
PIX 6.3(5)
What version PIX OS are you using?

 

Author Comment

by:Openallnight
ID: 18012944
Thanks for your interest, I have pasted the sh ver and sh run.

casa(config)# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

jackfish up 5 hours 10 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.b7bc.4b94, irq 9
1: ethernet1: address is 000a.b7bc.4b95, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license

: Saved
: Written by enable_15 at 12:25:11.574 CST Sat Nov 25 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Nae57tgnghHUuaGNNFrtW1aM encrypted
passwd VUu7dfh7fgh60UvPYLh6sh3 encrypted
hostname jackfish
domain-name somename.net
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq www
access-list inbound deny ip any any
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 40
logging on
logging timestamp
logging buffered critical
logging trap warnings
logging history warnings
logging queue 0
logging host inside 192.168.1.11
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool pptp-pool 192.168.100.240-192.168.100.245
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 55555 192.168.1.8 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.7 pop3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route inside 192.168.88.0 255.255.255.0 192.168.88.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt noproxyarp inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 60
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname <somename>@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username sdfgsg@res1.nts.com password ****************
terminal with 80
banner deleted
banner motd Attention:
Cryptochecksum:ba879743fabf90ff1b68344148c28351
: end
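As an added illustration (not code from the thread or from Cisco), a small Python audit over a constructed excerpt of the sh run posted above: it parses the vpdn groups, flags the dialout/dialin combination behind the "Can not enable vpdn on the same interface as PPPoE" error, and reports the weak settings visible in the config (PAP for dial-in, MPPE without the `required` keyword, the default SNMP community). The conflict rule and the semantics of the `required` keyword are assumptions about PIX 6.3 behaviour drawn from the thread and Cisco's command syntax.

```python
import re
# Constructed excerpt of the PIX 6.3(3) "sh run" posted above; secrets masked.
PIX_CONFIG = """\
snmp-server community public
sysopt connection permit-pptp
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
"""

def parse_vpdn_groups(config):
    """Collect per-group role, PPP auth methods and MPPE setting from vpdn lines."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"vpdn group (\S+) (.+)", line.strip())
        if not m:
            continue
        g = groups.setdefault(m.group(1), {"dialout": False, "dialin": False,
                                            "auth": set(), "mppe": None, "required": False})
        w = m.group(2).split()
        if w[:2] == ["request", "dialout"]:
            g["dialout"] = True
        elif w[:2] == ["accept", "dialin"]:
            g["dialin"] = True
        elif w[:2] == ["ppp", "authentication"]:
            g["auth"].add(w[2])
        elif w[:3] == ["ppp", "encryption", "mppe"]:
            g["mppe"], g["required"] = w[3], "required" in w   # assumption: 'required' forces MPPE
    return groups

def audit(config):
    """Return reviewer findings for the weak or conflicting settings in the config."""
    groups = parse_vpdn_groups(config)
    findings = []
    # The thread's failure: 6.3 refuses "vpdn enable outside" once PPPoE dialout owns it.
    if any(g["dialout"] for g in groups.values()) and any(g["dialin"] for g in groups.values()):
        findings.append("vpdn: PPPoE dialout and PPTP dialin groups share the outside interface")
    for name, g in groups.items():
        if g["dialin"] and "pap" in g["auth"]:
            findings.append(f"vpdn group {name}: PAP accepted for dial-in (cleartext password)")
        if g["dialin"] and g["mppe"] and not g["required"]:
            findings.append(f"vpdn group {name}: MPPE not 'required', unencrypted PPTP allowed")
    if re.search(r"^snmp-server community public\s*$", config, re.M):
        findings.append("snmp: default community string 'public'")
    return findings
```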
 

Author Comment

by:Openallnight
ID: 18024354
Thanks Larry, I wimped out and installed an old netscape and went the PDM route and was able to configure the VPN.
Cheers,
MM
 
LVL 79

Expert Comment

by:lrmoore
ID: 18027072
>Cisco PIX Firewall Version 6.3(3)
This is a very buggy version.. suggest update to 6.3(5)

LOL! The VPN wizard does a nice job.