riebese
cisco pix 501 firewall configuration allow services
The question is, how do I allow pptp service and gre protocol on a Cisco Pix 501 Firewall? The pix is Version 6.3 (5) and I have access to it via the Pix Device Manager Version 3.0(4). The scenario is a TWC modem/router with a static IP with the Pix connected to it. A switch connects to the PIX and all devices are connected to the switch. Everything is running fine. What needs to be done and what I need help with, is that the client wants to put an ordinary Netgear wireless router connected to the switch. The reason for this is so they can have an isolated LAN to hook up one computer that will run a software VPN that will be used for a single purpose - to receive reports from an outside source.
Everything appears to be working, the Netgear router is on the Internet and the computer attached to it has Internet access. The Netgear and its attached computer are using a separate IP range from the rest of the office computers. The problem is that the software VPN running on this one computer as the client side, can't connect to the outside source.
The other vendor that's setting this up is asking for PPTP and GRE to be enabled on the PIX, and that's what I need help with.
I see in the PIX setup where to add Rules, but I'm confused about how to set up Source, Destination, inside and outside. The isolated computer connected to the Netgear is IP 10.3.10.3.
Thanks for any help.
ASKER
The error given in the link that Red_Tech provided is the error that we're getting:
Description:
A connection between the VPN server and the VPN client 87.0.0.1 has been established,
but the VPN connection cannot be completed. The most common cause for this is that a
firewall or router between the VPN server and the VPN client is not configured to allow
Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls
and routers between your VPN server and the Internet allow GRE packets. Make sure the
firewalls and routers on the user's network are also configured to allow GRE packets.
If the problem persists, have the user contact the Internet service provider (ISP) to
determine whether the ISP might be blocking GRE packets.
What kind of Netgear is it? Does the Netgear have an ACL of some kind? If so, can you allow all traffic through the Netgear to the 10.3.10.3? Also, does your TWC router or the ISP block any of this type of traffic?
ASKER
I followed the commands as outlined in the link that Red_Tech provided, changing the IP address to the IP address at my client's site. I think the command that did the trick was this one:
fixup protocol pptp 1723
The other commands gave errors, I probably had some syntax wrong. Anyway, surprisingly it's working now.
Thank you Red_Tech!
ASKER
So what would the commands be (or the settings in the PIX Device Manager GUI) for this configuration? Or is there a better way to do it? Thanks.
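For readers landing on this thread with the same question, here is an annotated PIX 6.3 CLI fragment that covers both halves of the problem: the `fixup protocol pptp 1723` line that the asker reports fixed an outbound PPTP client, and the inbound access-list lines that are only needed if the VPN endpoint must be reachable from the outside through a static translation. This is an added example, not a reply from any participant in the thread and not the configuration from Red_Tech's link. The access-list name `outside_in` and the address `203.0.113.10` (standing in for the PIX outside address or a static mapping) are placeholders; the lines beginning with `:` are annotations in the same style the PIX uses in saved configurations and are not commands.

```cisco
: Enable the PPTP inspection engine. The PIX then tracks the TCP/1723 control
: channel from an inside client and dynamically opens the matching GRE
: (IP protocol 47) flow through PAT, which is what an outbound-only client needs.
fixup protocol pptp 1723

: Only required when the endpoint must accept connections from the Internet,
: e.g. a static NAT to an inside host. 203.0.113.10 is a placeholder address.
: GRE has no ports, so it is permitted by protocol name, not by port.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
access-group outside_in in interface outside

: Confirm the fixup is active and watch the control and GRE connections appear
: while the client dials.
show fixup
show conn
```

Because the computer in this thread (10.3.10.3) sits behind a second NAT device, the Netgear must also pass PPTP and GRE (usually a "VPN passthrough" setting); the PIX fixup alone cannot help a GRE flow that the inner router has already dropped, which is the point of the Netgear questions above.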