You know, IPSec is far more secure than PPTP, especially if you're dealing
with an MS PPTP server.  Sounds like you need a PIX at work...

Chuck Church
CCIE #8776, MCNE, MCSE


  ----- Original Message -----
  From: eric nguyen
  To: [EMAIL PROTECTED] ; 'Chuck Church' ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 10:27 PM
  Subject: RE: problem with initiating PPTP connection behind a Pix Firewall via PAT


  Thanks for the info.

  This absolutely sucks.  I am sure there are many folks out there with
  broadband connections like myself, cable modem or DSL, that have only one
  external IP address.  Those folks might be using Cisco Pix501, Pix506 or
  Pix506E for their home firewall.  I am sure they need to connect to their
  corporate network via PPTP just like myself. Now I have no choice but to
  switch back to my Linux firewall. Pix firewall, what a piece of shit.  For an
  expensive product like that, you would think that Cisco makes an effort to
  make PPTP work via PAT.

  Enough of me venting off my frustration.  Thanks everyone for your help.

  Eric

   "Raymond Jett (rajett)"  wrote:

    Hmmm.... To quote cisco.com...

    PPTP through the PIX with Port Address Translation (PAT) does not work
    because there is no concept of ports in GRE.

    That was from:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

    This URL shows you how to do it with NAT...

    Although, interestingly enough... You can do it with IOS:
    http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

    Watch the word wrap on the URLs!

    Raymond

    -----Original Message-----
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of eric nguyen
    Sent: Friday, December 20, 2002 8:59 PM
    To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
    Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

    Chuck,
    I did try the following:

    static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
    access-list 100 permit ip any any
    access-list 100 permit gre any any
    access-list 100 permit icmp any any
    access-group 100 in interface outside

    It still doesn't work. The example you provided has to do with Cisco IOS.
    Pix is not the same as Cisco IOS even though it comes from the same
    company. This is really frustrating. I feel like I am being "ripped-off" by
    Cisco Pix firewall (even though I am running a clone, there is no way in
    hell that Cisco will support it). It is really amazing that an expensive
    product like this one doesn't support PPTP with PAT (to my knowledge). Even
    Linux firewall supports PPTP over PAT. I feel like I am hitting a brick
    wall here. Please help.

    Eric

    Chuck Church wrote:

    Eric,

    To get PPTP to work with PAT, you need to play with it like you do with
    IPSec. Check out:
    http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
    You need to statically map TCP 1723 on the outside to your inside PC,
    same port. At one time I thought it needed GRE, but I don't see it
    listed on that doc. HTH.

    Chuck Church
    CCIE #8776, MCNE, MCSE


    ----- Original Message -----
    From: "Neil Moore"
    To: "eric nguyen" ; ;
    Sent: Friday, December 20, 2002 5:58 PM
    Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT


    > Its all broken... I will give you 500 bux for that pix ..no problem!
    > ----------------------------------------
    > Neil Moore CCIE#10044
    > ----- Original Message -----
    > From: "eric nguyen"
    > To: ;
    > Sent: Friday, December 20, 2002 4:47 PM
    > Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT
    >
    >
    > > I just replaced my home linux "iptables" firewall with a "franken" pix
    > > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
    > > PDM 2.1(1).
    > >
    > > My internal network is 172.16.1.0/24 with the "inside" interface of the
    > > firewall being 172.16.1.254. The "outside" interface of the firewall is
    > > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
    > > interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
    > > access the Internet via Port Address Translation (PAT) to the "outside"
    > > interface and it seems to work OK. On the "inside" network, I have a
    > > Websense filter server (IP 172.16.1.2) to do url filtering for both the
    > > "inside" and "outside" interface. I use Websense server to filter out
    > > traffic that I don't want my children to see. Everything is working
    > > great with a minor exception:
    > >
    > > I need to make a PPTP connection from a laptop on the "inside" network
    > > (IP 172.16.1.100) to a PPTP server at my work place. The problem is
    > > that the connection keeps timing out. The connection times out at the
    > > "verify username and password". To make sure that this is not a problem
    > > with my laptop, I hooked my laptop directly to the cable modem (I have
    > > roadrunner). Since my laptop has a valid external IP address, PPTP
    > > works. If I place the laptop on the "inside" network behind the
    > > "franken" pix, PPTP doesn't work. I even made the firewall "wide-open"
    > > for both inbound and outbound and it still doesn't work. Now if I
    > > replace the "franken" pix firewall with a linux firewall, PPTP works
    > > just fine through IP masquerading which is equivalent to PAT.
    > >
    > > My question is this: has anyone been able to successfully initiate a
    > > PPTP from behind a Pix firewall via Port Address Translation (PAT)? Does
    > > it even work at all with PAT? I am starting to have serious doubts
    > > about Cisco Pix firewall. It costs me $500 to build this "franken" pix
    > > firewall. With the CPU, memory and flash, this "franken" pix is
    > > equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
    > > not even do a simple thing like allowing PPTP through PAT. My linux
    > > firewall is running on a Pentium 90Mhz with 64MB of RAM and PPTP works
    > > just fine, and it costs me $20 for that old system.
    > >
    > > I think PPTP will work with static NAT but I don't have an extra public
    > > IP to spare.
    > >
    > > If anyone has PPTP working through PAT, please reply. Thanks.
    > >
    > > Eric.
    > >
    > > Here is my Pix configuration
    > >
    > > HERNDON-PIX# wr t
    > > Building configuration...
    > > : Saved
    > > :
    > > PIX Version 6.2(2)
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > nameif ethernet2 dmz security99
    > > nameif ethernet3 dmz2 security98
    > > enable password ***************** encrypted
    > > passwd ********************* encrypted
    > > hostname HOME-PIX
    > > domain-name home.com
    > > clock timezone est -5
    > > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
    > > fixup protocol ftp 21
    > > fixup protocol http 80
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol ils 389
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol sip 5060
    > > fixup protocol skinny 2000
    > > names
    > > access-list compiled
    > > access-list 100 permit icmp any any
    > > access-list 100 permit ip any any
    > > access-list 100 permit gre any any
    > > access-list 101 permit ip any any
    > > access-list 101 permit icmp any any
    > > access-list 101 permit gre any any
    > > access-list 200 permit ip any any
    > > access-list 200 permit icmp any any
    > > access-list 200 permit gre any any
    > > pager lines 24
    > > logging on
    > > logging timestamp
    > > logging monitor debugging
    > > logging trap notifications
    > > logging facility 23
    > > logging queue 1024
    > > logging host inside 172.16.1.2
    > > interface ethernet0 auto
    > > interface ethernet1 100full
    > > interface ethernet2 100full
    > > interface ethernet3 100full shutdown
    > > mtu outside 1500
    > > mtu inside 1500
    > > mtu dmz 1500
    > > mtu dmz2 1500
    > > ip address outside 4.64.1.100 255.255.252.0
    > > ip address inside 172.16.1.254 255.255.255.0
    > > ip address dmz 172.17.1.254 255.255.255.0
    > > ip address dmz2 127.0.0.1 255.255.255.255
    > > ip verify reverse-path interface outside
    > > ip verify reverse-path interface inside
    > > ip audit name inside-attack attack action alarm
    > > ip audit name inside-info info action alarm
    > > ip audit interface outside inside-info
    > > ip audit interface outside inside-attack
    > > ip audit interface inside inside-info
    > > ip audit interface inside inside-attack
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > no failover
    > > failover timeout 0:00:00
    > > failover poll 15
    > > failover ip address outside 0.0.0.0
    > > failover ip address inside 0.0.0.0
    > > failover ip address dmz 0.0.0.0
    > > failover ip address dmz2 0.0.0.0
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    > > nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
    > > static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    > > access-group 100 in interface outside
    > > access-group 101 in interface inside
    > > access-group 200 in interface dmz
    > > route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
    > > timeout xlate 3:00:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
    > > filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    > > ntp server 4.2.2.2 source outside
    > > ntp server 172.16.1.2 source inside
    > > http server enable
    > > http 0.0.0.0 0.0.0.0 outside
    > > http 0.0.0.0 0.0.0.0 inside
    > > snmp-server host inside 172.16.1.2
    > > snmp-server location Home
    > > snmp-server contact Eric Nguyen
    > > snmp-server community home
    > > snmp-server enable traps
    > > tftp-server inside 172.16.1.2 /
    > > floodguard enable
    > > no sysopt route dnat
    > > telnet 0.0.0.0 0.0.0.0 inside
    > > telnet timeout 60
    > > ssh 0.0.0.0 0.0.0.0 outside
    > > ssh 0.0.0.0 0.0.0.0 inside
    > > ssh timeout 60
    > > terminal width 80
    > > Cryptochecksum:9ccb719c169af814515292a4bf0a9023
    > > : end
    > > [OK]
    > > HERNDON-PIX#
    > >
    > >
    > > ---------------------------------
    > > Do you Yahoo!?
    > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now







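To make the thread's diagnosis checkable, here is an added example (not code from the thread, from Cisco, or from any list member): a small Python script that reads a PIX 6.x configuration and reports whether PPTP from an inside host can cross it. The embedded sample configuration is a constructed excerpt in the style of the one Eric posted; the `fixup protocol pptp 1723` check refers to the PPTP fixup that the later PIX 6.3 release added for exactly this case, which 6.2(2) does not have.

```python
import re

# Constructed excerpt in the style of the PIX 6.2(2) config posted in the thread
# (not a copy of it): PAT to the outside interface, wide-open outside ACL, no static.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 100 permit gre any any
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
access-group 100 in interface outside
"""


def parse_pix(config):
    """Collect the few facts that decide whether PPTP can cross the PIX."""
    f = {"pat_interface": False, "static_1723": None, "outside_acl": None,
         "gre_acls": set(), "open_acls": set(), "pptp_fixup": False}
    for line in (raw.strip() for raw in config.splitlines()):
        if re.fullmatch(r"global \(outside\) \d+ interface", line):
            f["pat_interface"] = True          # inside hosts share the outside IP (PAT)
        elif (m := re.match(r"static \(inside,outside\) tcp interface 1723 (\S+) 1723\b", line)):
            f["static_1723"] = m.group(1)      # the TCP 1723 mapping Chuck suggested
        elif (m := re.match(r"access-list (\S+) permit (gre|ip) any any", line)):
            f["gre_acls" if m.group(2) == "gre" else "open_acls"].add(m.group(1))
        elif (m := re.match(r"access-group (\S+) in interface outside", line)):
            f["outside_acl"] = m.group(1)
        elif line == "fixup protocol pptp 1723":  # PPTP fixup: PIX 6.3 and later only
            f["pptp_fixup"] = True
    return f


def assess_pptp(config):
    """Return a list of findings about PPTP through PAT; empty means nothing to report."""
    f = parse_pix(config)
    findings = []
    if f["pat_interface"] and not f["pptp_fixup"]:
        findings.append("PAT without a PPTP fixup: GRE (IP protocol 47) carries no port numbers, "
                        "so the PIX cannot match returning GRE to the inside client; PPTP hangs "
                        "once the session moves from TCP 1723 to GRE.")
    if f["static_1723"] and f["outside_acl"] not in f["gre_acls"]:
        findings.append(f"TCP 1723 is mapped to {f['static_1723']} but the outside ACL "
                        "does not permit gre, so the tunnel traffic is dropped inbound.")
    if f["outside_acl"] in f["open_acls"]:
        findings.append(f"access-list {f['outside_acl']} permits ip any any inbound on outside: "
                        "the firewall is wide open, which does not help PPTP through PAT.")
    return findings


if __name__ == "__main__":
    for finding in assess_pptp(SAMPLE_CONFIG):
        print("-", finding)
```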




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59673&t=59673
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
