Powerhousecomputing asked:
Cisco Pix 501 port opening

Needing instructions: I have a Cisco PIX 501 with the latest firmware and PDM 3. I need to open the PPTP port from any outside connection to an internal IP. I can't seem to do this as the PIX wants to know what IP I'm connecting from. I'm sure if I read the documentation long enough I will find the answer, but I kind of need a fast solution here. Thanks in advance. (I am planning to study Cisco firewalls in depth, so I hope I don't seem lazy :)
Graham N.:

Provided you are directing the external request to a specific internal IP address then you do not need to define the external IP address/host.

In the pop-up to enter the rule through PDM 3, enter "Any" as the source IP and then, for the destination, enter the internal IP address with a subnet mask of 255.255.255.255.

By setting the source to "Any" it allows anyone from the Internet to connect using the defined service, and when that connection hits the 501 it will be redirected to the defined internal IP address.

Create an access list allowing any to your host that is your VPN server. Make sure to use the keyword host to define your VPN server. Ports you need to allow for PPTP: 1723 and GRE (sometimes 500, 50 and 51). You'll also need static mappings allowing these ports in as well.
Powerhousecomputing (asker):
This time the settings took and I was able to flash; however, the VPN is still not working. I couldn't find GRE anywhere in the list of services. Also, could the Cisco have port 1723 reserved for its own use? How do I switch it off if that is the case? Many thanks.

Unless you have your PIX set up to perform VPN encryption/authentication as well. I don't think you can do both, or at least you'd have to specify from which hosts to expect what.

GRE is an entire protocol, not just a port. So you must specify it as such. Do you need the syntax?

I have an SBS server behind the firewall. I would like Windows to do the authentication and turn off the PIX's. Is that doable? And yes, I am a dummy when it comes to Cisco, so please give details. Thanks.
ASKER CERTIFIED SOLUTION: Galtar99
1. What do you mean by ACL?
2. If the name of the internal host is wrong, i.e. it is set to 'smtp_internal', should I change this to 'host' as you suggested earlier? I tried to set a second host using the same internal IP and wasn't allowed.
1. Access Control List. It is how traffic is defined by IP address range, protocol, port and whether you want to allow or deny it.

2. Use the keyword host when defining the host, but use its IP address as this should not change (i.e. access-list 101 permit gre any host 192.168.0.1).
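As an added configuration example (not posted by anyone in this thread), the PIX 6.x CLI equivalent of the advice above: a one-to-one static for the VPN server plus an access list permitting TCP 1723 and the GRE protocol, applied inbound on the outside interface. The internal server 192.168.0.1 is taken from the thread; the spare public address 203.0.113.10 and the access-list name outside_in are assumptions.

```cisco
! Added example, not any poster's running config. Assumes PIX 6.x, the PPTP
! server at 192.168.0.1 (from the thread) and a spare public address
! 203.0.113.10 that the PIX owns on its outside interface.
!
! One-to-one static translation for the whole host. GRE carries no port
! numbers, so a port-redirection static such as
!   static (inside,outside) tcp interface 1723 192.168.0.1 1723 ...
! on its own would pass the 1723 control channel but drop the GRE tunnel,
! which is exactly the "settings took but VPN still not working" symptom.
static (inside,outside) 203.0.113.10 192.168.0.1 netmask 255.255.255.255 0 0

! Inbound rules: PPTP control channel (TCP 1723) and the GRE protocol itself,
! from any source to the VPN server. "host" is the /32 keyword the thread
! recommends; on PIX 6.x the destination is the public (translated) address.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10

! Apply the list inbound on the outside interface.
access-group outside_in in interface outside

! If the PIX's own PPTP server is enabled it answers port 1723 itself before
! the static is consulted. Leaving it disabled lets the Windows (SBS) server
! behind the firewall do the authentication instead.
no vpdn enable outside
```

Check the result with `show access-list` (hit counts increase on each rule as a client connects) and `show xlate` (the 203.0.113.10 to 192.168.0.1 translation should be present).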