Solved

cisco pix 501 firewall configuration allow services

Posted on 2012-04-03
5
521 Views
Last Modified: 2012-04-08
The question is, how do I allow pptp service and gre protocol on a Cisco Pix 501 Firewall?  The pix is Version 6.3 (5) and I have access to it via the Pix Device Manager Version 3.0(4).  The scenario is a TWC modem/router with a static IP with the Pix connected to it.  A switch connects to the PIX and all devices are connected to the switch.  Everything is running fine.  What needs to be done and what I need help with, is that the client wants to put an ordinary Netgear wireless router connected to the switch.  The reason for this is so they can have an isolated LAN to hook up one computer that will run a software VPN that will be used for a single purpose - to receive reports from an outside source.

Everything appears to be working, the Netgear router is on the Internet and the computer attached to it has Internet access.  The Netgear and its attached computer are using a separate IP range from the rest of the office computers.  The problem is that the software VPN running on this one computer as the client side can't connect to the outside source.

The other vendor that's setting this up is asking for PPTP and GRE to be enabled on the PIX, and that's what I need help with.

I see in the PIX setup where to add Rules, but I'm confused about how to set up Source, Destination, inside and outside.   The isolated computer connected to the Netgear is IP 10.3.10.3.

Thanks for any help.
0
Question by:riebese
5 Comments
 
LVL 4

Accepted Solution

by:
Red_Tech earned 500 total points
ID: 37803863
0
 

Author Comment

by:riebese
ID: 37804123
Red_Tech: I think your link gives me a lot of the information that I need, but my configuration is a little different.  In the graphic on your link, I have another router, a Netgear router attached to the Pix, with one computer attached to the Netgear.  The Netgear is getting its IP assigned by the TWC router, and has DHCP set up to hand out IPs in the range of 10.3.10.2-24.  The computer attached to the Netgear is IP 10.3.10.3.  The other office computers are on IP range 192.168.50.2-200.

So what would the commands be (or the settings in the PIX Device Manager GUI) for this configuration?  Or is there a better way to do it?  Thanks.
0
 

Author Comment

by:riebese
ID: 37804132
The error given in the link that Red_Tech provided is the error that we're getting:

Description:
A connection between the VPN server and the VPN client 87.0.0.1 has been established,
but the VPN connection cannot be completed. The most common cause for this is that a
firewall or router between the VPN server and the VPN client is not configured to allow
Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls
and routers between your VPN server and the Internet allow GRE packets. Make sure the
firewalls and routers on the user's network are also configured to allow GRE packets.
If the problem persists, have the user contact the Internet service provider (ISP) to
determine whether the ISP might be blocking GRE packets.
0
 
LVL 4

Expert Comment

by:Red_Tech
ID: 37814465
What kind of Netgear is it? Does the Netgear have an ACL of some kind? If so, can you allow all traffic through the Netgear to the 10.3.10.3? Also, does your TWC router or the ISP block any of this type of traffic?
0
 

Author Closing Comment

by:riebese
ID: 37822219
I followed the commands as outlined in the link that Red_Tech provided, changing the IP address to the IP address at my client's site.  I think the command that did the trick was this one:
fixup protocol pptp 1723
The other commands gave errors; I probably had some syntax wrong.  Anyway, surprisingly it's working now.
Thank you Red_Tech!
0
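As an added example (not from Red_Tech's link or riebese's actual configuration), here is the minimal PIX 6.3 piece that the closing comment describes: PAT for the inside hosts plus the PPTP fixup, which is what lets the GRE data channel of an outbound PPTP tunnel come back through the firewall. It assumes the Netgear's WAN port sits on the PIX inside segment and is PATed like any other inside host; the outside address is whatever the TWC router handed the PIX.

```text
: PAT every inside host (the Netgear's WAN address included) to the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: PPTP application inspection (new in PIX 6.3). The PIX watches the TCP/1723
: control channel and creates the matching GRE (IP protocol 47) translation for
: each tunnel. Without it the return GRE packets are dropped, because GRE carries
: no port numbers and plain PAT has nothing to map them back to; that is the
: "cannot be completed ... allow GRE packets (protocol 47)" error quoted above.
fixup protocol pptp 1723

: Verification after the VPN client on 10.3.10.3 dials out:
show fixup
show conn
show xlate
```

`show fixup` should list `fixup protocol pptp 1723`, and while a tunnel is up `show conn` should show a GRE entry alongside the TCP/1723 control connection; if the control connection appears but no GRE entry does, the Netgear or the ISP is the next place to look, as Red_Tech suggested.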
