PPTP VPN through a Cisco PIX

jdaly
Ok, here is my dilemma: I've been trying to set up a simple PPTP VPN at our office so a few employees can VPN to our server once they move. Internally, the connection works perfectly, so I know the issue is with the traffic being routed through our firewall. We have two routers (used for traffic routing between our two sites), 1 managed and 3 unmanaged switches (all 3Com) and a Cisco PIX which functions as the gateway device to the internet. We have build 6.3(5) of the software, and according to the Cisco documentation I have configured the firewall to allow PPTP traffic to pass through, but still I have had no success in actually getting this to work. I don't want the PIX to perform the authentication or provide VPN services, just to allow the connection through. Below is my configuration; any help would be greatly appreciated.


: Saved
: Written by enable_15 at 13:04:44.070 UTC Mon Sep 17 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password rYvCkrfYmbSSo8g2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname WHSPIX
domain-name wihumane.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol pptp 1723
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list WHS remark pcanywhere connection
access-list WHS permit tcp any host X.X.123.197 eq pcanywhere-data
access-list WHS remark pcanywhere connection
access-list WHS permit udp any host X.X.123.197 eq pcanywhere-status
access-list WHS remark pcanywhere connection
access-list WHS permit tcp any host X.X.123.197 eq 5633
access-list WHS remark pcanywhere connection
access-list WHS permit udp any host X.X.123.197 eq 5634
access-list WHS remark email access to internal mail server
access-list WHS permit tcp any host X.X.123.197 eq smtp
access-list WHS remark access to terminal server
access-list WHS permit tcp any host X.X.123.197 eq 3389
access-list WHS remark email access to internal webmail server
access-list WHS permit tcp any host X.X.123.197 eq www
access-list WHS permit gre any host X.X.123.197
access-list WHS permit tcp any host X.X.123.197 eq pptp
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.240
access-list acl-nat0 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside X.X.123.197 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip audit name WHSProtect attack action alarm drop reset
ip audit interface outside WHSProtect
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm location 192.168.1.33 255.255.255.255 inside
pdm location 192.168.1.34 255.255.255.255 inside
pdm location 207.67.56.0 255.255.255.255 outside
pdm location 10.1.1.0 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp X.X.123.197 pcanywhere-data 192.168.1.33 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp X.X.123.197 pcanywhere-status 192.168.1.33 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 5633 192.168.1.34 5633 netmask 255.255.255.255 0 0
static (inside,outside) udp X.X.123.197 5634 192.168.1.34 5634 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 3389 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 smtp 192.168.1.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 www 192.168.1.8 www netmask 255.255.255.255 0 0
access-group WHS in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.123.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpn-auth protocol radius
aaa-server vpn-auth max-failed-attempts 3
aaa-server vpn-auth deadtime 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 207.67.56.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c9f5705f4063c93072d92050720fd9c6

WHSPIX(config)#
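As an added example (not from the thread or from Cisco), a short Python audit that cross-checks the outside access-list against the static translations in the posted configuration: an entry the ACL permits to the interface address but no static redirects to an inside host has nowhere to go once it is let in. The config excerpt is copied from the post above; the port-name table and the assumption about how the 6.3 pptp fixup handles GRE are mine.

```python
import re

# Constructed excerpt of the configuration posted above (outside ACL, statics, access-group).
PIX_CONFIG = """\
access-list WHS permit tcp any host X.X.123.197 eq pcanywhere-data
access-list WHS permit tcp any host X.X.123.197 eq smtp
access-list WHS permit tcp any host X.X.123.197 eq www
access-list WHS permit gre any host X.X.123.197
access-list WHS permit tcp any host X.X.123.197 eq pptp
static (inside,outside) tcp X.X.123.197 pcanywhere-data 192.168.1.33 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 smtp 192.168.1.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.123.197 www 192.168.1.8 www netmask 255.255.255.255 0 0
access-group WHS in interface outside
"""

# PIX port keywords that appear in the config, normalised to numbers so name/number forms match.
PORT_NAMES = {"smtp": "25", "www": "80", "pptp": "1723", "pcanywhere-data": "5631"}
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def find_untranslated(config):
    """Return (proto, port, outside_ip) for each permit in the ACL bound to the
    outside interface that has no static (inside,outside) redirection: the ACL
    admits the packet, but no translation maps it to an inside host."""
    lines = [line.strip() for line in config.splitlines()]
    acl_name = next((m.group(1) for m in map(GROUP_RE.match, lines) if m), None)
    statics = set()
    for line in lines:
        m = STATIC_RE.match(line)
        if m:  # (proto, global ip, global port) is all the lookup needs
            statics.add((m.group(1), m.group(2), PORT_NAMES.get(m.group(3), m.group(3))))
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        _, proto, ip, port = m.groups()
        if proto == "gre":
            # GRE has no port, so no port static can carry it. Assumption of this
            # example: the 6.3 pptp fixup derives GRE from the tcp/1723 control
            # channel, so GRE counts as covered only when a tcp/1723 static exists.
            if ("tcp", ip, "1723") not in statics:
                findings.append(("gre", None, ip))
        elif port is None or (proto, ip, PORT_NAMES.get(port, port)) not in statics:
            findings.append((proto, PORT_NAMES.get(port, port) if port else None, ip))
    return findings
```

Run against the excerpt it reports tcp/1723 and gre to X.X.123.197 as permitted but never translated, while the pcanywhere, smtp and www entries, which do have statics, are silent.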
pj_pistola

http://www.cisco.com/warp/public/110/pix_pptp.html

Once you have done all the hard work you will note:
Multiple PPTP Connections Fail when using PAT - You can only have one PPTP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is established over port 0 and the PIX Security Appliance only maps port 0 to one host.

So it is only useful for outgoing VPN.

cgageral

1) Create an access list

access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.100.0 255.255.255.0

- The first IP and mask are your internal ones; the second is your pool for the VPN.
You should do the same for any other VPN range that you have, even a site-to-site IPsec, or you can choose to open the mask to a number that includes all the VPNs in it (255.0.0.0).

2) Make a NAT for it.

nat (inside) 0 access-list 101

- Can you see the list? That's why you need to put your other VPNs in the access list. Otherwise it will not work anymore.

3) Permit PPTP.

sysopt connection permit-pptp

4) Configure a VPN pool:

ip local pool pptp-pool 10.0.100.1-10.0.100.50

5) Create a PPTP VPN:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username cisco password cisco
vpdn enable outside

That's it... I solved my problem this way.

Best regards,

Cristiano Azeredo.

jdaly

I figured this out long ago, but both of you ignored that I said I was only trying to PASS traffic through the PIX and not attempting to have the PIX do the authentication.