Solved

PIX-501 PPPoe/VPN configuration?

Posted on 2006-11-25
Last Modified: 2008-02-01
Hi, I would like to reuse a PIX-501 in a small office with a static IP PPPoE DSL connection. (my config below)...

I can connect to the ISP via PPPoE and function normally however cannot allow incoming VPN for road warriors.

Am I incorrect in assuming this device will not work for both a PPPoE connection and VPN, and would a PIX-506 or Sonicwall be a functional alternative?

TIA

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname username@bslv1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username@bslv1.nts.com password williethejackass


See, I am unable to configure a PIX-501 to allow VPN connections.
Question by:Openallnight
Accepted Solution

by:
lrmoore earned 125 total points
The 501 should be able to handle both a dialout vpdn group and a dial-in vpdn group.
Have you tried this config and it does not work?
If yes, then perhaps you can post your complete config? Maybe there is something else preventing connection.
Does the ISP allow inbound GRE/VPN ? Many do not on residential service.
Author Comment

by:Openallnight
I am unable to test my config presently and my experience with this device was some time ago at another site.
I am not sure if GRE/VPN is allowed; it is a business connection, so I will check.
I have found other posts and will try your older dial-in group examples.
Author Comment

by:Openallnight
I have attempted to enter a vpn_in group and when enabling on the outside I get this feedback:

(config)# vpdn enable outside
Can not enable vpdn on the same interface as PPPoE.
sysopt connection permit-pptp

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group vpn_in accept dialin pptp
vpdn group vpn_in ppp authentication chap
vpdn group vpn_in ppp authentication mschap
vpdn group vpn_in ppp encryption mppe 40
vpdn group vpn_in client configuration address local vpdn-pool
vpdn group vpn_in client configuration dns 192.168.1.3
vpdn group vpn_in pptp echo 60
vpdn group vpn_in client authentication local
vpdn username user@res1.nts.com password *********
vpdn username test password *********

Expert Comment

by:lrmoore
OK... well that sucks..
I'm 100% positive that you can support pppoe vpdn and IPSEC client at the same time..

I cut/pasted your config into my PIX, and it did not complain when I entered "vpdn enable outside"
PIX 6.3(5)
What version PIX OS are you using?

Author Comment

by:Openallnight
Thanks for your interest, I have pasted the sh ver and sh ru:

casa(config)# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

jackfish up 5 hours 10 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.b7bc.4b94, irq 9
1: ethernet1: address is 000a.b7bc.4b95, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license

: Saved
: Written by enable_15 at 12:25:11.574 CST Sat Nov 25 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Nae57tgnghHUuaGNNFrtW1aM encrypted
passwd VUu7dfh7fgh60UvPYLh6sh3 encrypted
hostname jackfish
domain-name somename.net
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq www
access-list inbound deny ip any any
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 40
logging on
logging timestamp
logging buffered critical
logging trap warnings
logging history warnings
logging queue 0
logging host inside 192.168.1.11
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool pptp-pool 192.168.100.240-192.168.100.245
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 55555 192.168.1.8 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.7 pop3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route inside 192.168.88.0 255.255.255.0 192.168.88.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt noproxyarp inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 60
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname <somename>@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username sdfgsg@res1.nts.com password ****************
terminal with 80
banner deleted
banner motd Attention:
Cryptochecksum:ba879743fabf90ff1b68344148c28351
: end
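The two configs posted above (the one that triggered "Can not enable vpdn on the same interface as PPPoE" and the full sh run) can be checked mechanically for the combination that causes the error: a PPPoE dialout vpdn group defined on the same box as PPTP dialin vpdn groups. The checker below is an added example, not code from the thread or from Cisco; it assumes Python 3 only, and its sample config is constructed from the vpdn lines quoted in this thread. Besides the dialout/dialin conflict, it also flags two weak PPP settings that appear in the posted dialin groups: PAP (password sent in cleartext) and 40-bit MPPE.

```python
"""
Added example (not from the thread or from Cisco): parse 'vpdn group' lines
from a PIX 6.x running config, group them by vpdn group name, and report
(a) a PPPoE dialout group defined alongside PPTP dialin groups, which is the
combination the thread's PIX 6.3(3) rejected with
'Can not enable vpdn on the same interface as PPPoE', and
(b) weak PPP settings on the dialin groups (PAP, 40-bit MPPE).
The sample config below is constructed from lines quoted in the thread.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
sysopt connection permit-pptp
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group vpn_in accept dialin pptp
vpdn group vpn_in ppp authentication mschap
vpdn group vpn_in ppp encryption mppe 40
vpdn group vpn_in client configuration address local vpdn-pool
vpdn username user@res1.nts.com password *********
"""

# 'vpdn group <name> <rest of line>'; the group name has no spaces.
VPDN_RE = re.compile(r"^vpdn group (\S+) (.*)$")


def parse_vpdn_groups(config_text):
    """Return {group_name: [setting, ...]} for every 'vpdn group' line."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        m = VPDN_RE.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)


def classify(groups):
    """Split group names into PPPoE dialout groups and PPTP dialin groups."""
    dialout = [g for g, s in groups.items() if "request dialout pppoe" in s]
    dialin = [g for g, s in groups.items() if "accept dialin pptp" in s]
    return dialout, dialin


def check_config(config_text):
    """Return a list of finding strings for the given running config."""
    groups = parse_vpdn_groups(config_text)
    dialout, dialin = classify(groups)
    findings = []
    if dialout and dialin:
        findings.append(
            "pppoe-dialin-conflict: PPPoE dialout group(s) %s and PPTP dialin "
            "group(s) %s are both defined; the thread's PIX 6.3(3) refused "
            "'vpdn enable outside' for this with 'Can not enable vpdn on the "
            "same interface as PPPoE'" % (dialout, dialin))
    # Only dialin groups authenticate remote users; the PPPoE group's PAP line
    # is the ISP login and is not checked here.
    for name in dialin:
        settings = groups[name]
        if "ppp authentication pap" in settings:
            findings.append(
                "weak-auth: dialin group %s accepts PAP (cleartext password)" % name)
        for s in settings:
            if s.startswith("ppp encryption mppe ") and s.endswith(" 40"):
                findings.append(
                    "weak-crypto: dialin group %s allows 40-bit MPPE" % name)
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of a sh run instead of SAMPLE_CONFIG to check a real box; on the configs in this thread it reports the dialout/dialin conflict, PAP on group 1 and 40-bit MPPE on vpn_in.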
Author Comment

by:Openallnight
Thanks Larry, I wimped out and installed an old netscape and went the PDM route and was able to configure the VPN.
Cheers,
MM
Expert Comment

by:lrmoore
>Cisco PIX Firewall Version 6.3(3)
This is a very buggy version.. suggest update to 6.3(5)

LOL! The VPN wizard does a nice job.