cisco pix 501 firewall configuration allow services

The question is, how do I allow pptp service and gre protocol on a Cisco Pix 501 Firewall?  The pix is Version 6.3 (5) and I have access to it via the Pix Device Manager Version 3.0(4).  The scenario is a TWC modem/router with a static IP with the Pix connected to it.  A switch connects to the PIX and all devices are connected to the switch.  Everything is running fine.  What needs to be done and what I need help with, is that the client wants to put an ordinary Netgear wireless router connected to the switch.  The reason for this is so they can have an isolated LAN to hook up one computer that will run a software VPN that will be used for a single purpose - to receive reports from an outside source.

Everything appears to be working, the Netgear router is on the Internet and the computer attached to it has Internet access.  The Netgear and its attached computer are using a separate IP range from the rest of the office computers.  The problem is that the software VPN running on this one computer as the client side, can't connect to the outside source.

The other vendor that's setting this up is asking for PPTP and GRE to be enabled on the PIX, and that's what I need help with.

I see in the PIX setup where to add Rules, but I'm confused about how to set up Source, Destination, inside and outside.  The isolated computer connected to the Netgear is IP 10.3.10.3.

Thanks for any help.
ASKER CERTIFIED SOLUTION
Red_Tech
riebese (ASKER)

Red_Tech: I think your link gives me a lot of the information that I need, but my configuration is a little different.  In the graphic on your link, I have another router, a Netgear router attached to the Pix, with one computer attached to the Netgear.  The Netgear is getting its IP assigned by the TWC router, and has DHCP set up to hand out IPs in the range of 10.3.10.2-24.  The computer attached to the Netgear is IP 10.3.10.3.  The other office computers are on IP range 192.168.50.2-200.

So what would the commands be (or the settings in the PIX Device Manager GUI) for this configuration?  Or is there a better way to do it?  Thanks.
riebese (ASKER)

The error given in the link that Red_Tech provided is the error that we're getting:

Description:
A connection between the VPN server and the VPN client 87.0.0.1 has been established,
but the VPN connection cannot be completed. The most common cause for this is that a
firewall or router between the VPN server and the VPN client is not configured to allow
Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls
and routers between your VPN server and the Internet allow GRE packets. Make sure the
firewalls and routers on the user's network are also configured to allow GRE packets.
If the problem persists, have the user contact the Internet service provider (ISP) to
determine whether the ISP might be blocking GRE packets.

What kind of Netgear is it? Does the Netgear have an ACL of some kind? If so, can you allow all traffic through the Netgear to the 10.3.10.3? Also, does your TWC router or the ISP block any of this type of traffic?
riebese (ASKER)

I followed the commands as outlined in the link that Red_Tech provided, changing the IP address to the IP address at my client's site.  I think the command that did the trick was this one:
fixup protocol pptp 1723
The other commands gave errors, I probably had some syntax wrong.  Anyway, surprisingly it's working now.
Thank you Red_Tech!
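Since Red_Tech's accepted answer is not visible on this page, here is an added configuration example (written for this page, not taken from the thread, from Red_Tech's link or from Cisco documentation) showing what PIX 6.3 needs for the asker's case, a PPTP client sitting behind the PIX's PAT, and, going one step beyond the thread, the variant for a PPTP server placed behind the PIX. The `fixup protocol pptp 1723` line is the one the asker reports as working; everything else is an assumption: the interface names `inside`/`outside`, the access-list names `inside_out` and `outside_in`, the vendor's VPN server address 203.0.113.10, the public address 203.0.113.20 and the Netgear's WAN-side address 192.168.50.250 are all placeholders. Lines starting with `!` are annotations, not PIX syntax, and must be dropped before pasting into the CLI.

```text
! --- Outbound PPTP client behind the PIX (the asker's scenario) ---

! PPTP carries its data in GRE (IP protocol 47), which has no port numbers, so
! plain PAT cannot translate it. The PPTP fixup (off by default on PIX 6.3)
! inspects the TCP/1723 control channel, learns the GRE call IDs and builds the
! matching GRE translations. Without it the tunnel setup fails with exactly the
! "cannot be completed ... GRE packets (protocol 47)" error quoted above.
fixup protocol pptp 1723

! Only if an access-list is already applied to the inside interface: append the
! control channel and GRE. If no inside ACL is applied, outbound traffic is
! already permitted and these two lines are unnecessary. Note that the PIX only
! sees the Netgear's WAN address (placeholder 192.168.50.250); the 10.3.10.x
! addresses are hidden behind the Netgear's own NAT, so the Netgear must also
! pass PPTP/GRE (usually a "PPTP passthrough" or VPN passthrough setting).
! Scope the destination to the vendor's VPN server rather than "any".
access-list inside_out permit tcp host 192.168.50.250 host 203.0.113.10 eq 1723
access-list inside_out permit gre host 192.168.50.250 host 203.0.113.10

! --- Variant: PPTP server behind the PIX (not the asker's case) ---
! Map a public address to the internal server and open only TCP/1723 and GRE
! towards it from the outside. 203.0.113.20 and 192.168.50.10 are placeholders.
static (inside,outside) 203.0.113.20 192.168.50.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.20 eq 1723
access-list outside_in permit gre any host 203.0.113.20
access-group outside_in in interface outside

! --- Verification after the client dials ---
show fixup        ! confirm "fixup protocol pptp 1723" is listed
show xlate        ! PAT entries for the client, including the GRE translation
show conn         ! a TCP 1723 connection and a GRE connection for the client
```

If `show conn` shows the TCP/1723 connection but never a GRE entry, the PIX is not the device dropping the tunnel: check the Netgear's passthrough setting and, as Red_Tech asked, whether the TWC router or the ISP blocks protocol 47.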