Eric,

    To get PPTP to work with PAT, you need to play with it like you do with
IPSec.  Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port.  At one time I thought it needed GRE, but I don't see it listed on
that doc.  HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


----- Original Message -----
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT


> It's all broken... I will give you 500 bux for that pix ..no problem!
> ----------------------------------------
> Neil Moore CCIE#10044
> ----- Original Message -----
> From: "eric nguyen" 
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT
>
>
> > I just replaced my home Linux "iptables" firewall with a "franken" pix firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24 with the "inside" interface of the firewall at 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines on both the "inside" and "dmz" access the Internet via Port Address Translation (PAT) to the "outside" interface and it seems to work OK. On the "inside" network, I have a Websense filter server (IP 172.16.1.2) to do URL filtering for both the "inside" and "outside" interface. I use the Websense server to filter out traffic that I don't want my children to see. Everything is working great with a minor exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network (IP 172.16.1.100) to a PPTP server at my workplace. The problem is that the connection keeps timing out. The connection times out at "verify username and password". To make sure that this is not a problem with my laptop, I hooked my laptop directly to the cable modem (I have roadrunner). Since my laptop has a valid external IP address, PPTP works. If I place the laptop on the "inside" network behind the "franken" pix, PPTP doesn't work. I even made the firewall "wide-open" for both inbound and outbound and it still doesn't work. Now if I replace the "franken" pix firewall with a Linux firewall, PPTP works just fine through IP masquerading, which is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP connection from behind a Pix firewall via Port Address Translation (PAT)? Does it even work at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit interface) and it cannot even do a simple thing like allowing PPTP through PAT. My Linux firewall is running on a Pentium 90MHz with 64MB of RAM and PPTP works just fine, and it cost me $20 for that old system.
> >
> > I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> >
> > If anyone has PPTP working through PAT, please reply. Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration:
> >
> > HERNDON-PIX# wr t
> > Building configuration...
> > : Saved
> > :
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security99
> > nameif ethernet3 dmz2 security98
> > enable password ***************** encrypted
> > passwd ********************* encrypted
> > hostname HOME-PIX
> > domain-name home.com
> > clock timezone est -5
> > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list compiled
> > access-list 100 permit icmp any any
> > access-list 100 permit ip any any
> > access-list 100 permit gre any any
> > access-list 101 permit ip any any
> > access-list 101 permit icmp any any
> > access-list 101 permit gre any any
> > access-list 200 permit ip any any
> > access-list 200 permit icmp any any
> > access-list 200 permit gre any any
> > pager lines 24
> > logging on
> > logging timestamp
> > logging monitor debugging
> > logging trap notifications
> > logging facility 23
> > logging queue 1024
> > logging host inside 172.16.1.2
> > interface ethernet0 auto
> > interface ethernet1 100full
> > interface ethernet2 100full
> > interface ethernet3 100full shutdown
> > mtu outside 1500
> > mtu inside 1500
> > mtu dmz 1500
> > mtu dmz2 1500
> > ip address outside 4.64.1.100 255.255.252.0
> > ip address inside 172.16.1.254 255.255.255.0
> > ip address dmz 172.17.1.254 255.255.255.0
> > ip address dmz2 127.0.0.1 255.255.255.255
> > ip verify reverse-path interface outside
> > ip verify reverse-path interface inside
> > ip audit name inside-attack attack action alarm
> > ip audit name inside-info info action alarm
> > ip audit interface outside inside-info
> > ip audit interface outside inside-attack
> > ip audit interface inside inside-info
> > ip audit interface inside inside-attack
> > ip audit info action alarm
> > ip audit attack action alarm
> > no failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address dmz 0.0.0.0
> > failover ip address dmz2 0.0.0.0
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
> > nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
> > static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
> > access-group 100 in interface outside
> > access-group 101 in interface inside
> > access-group 200 in interface dmz
> > route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
> > filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > ntp server 4.2.2.2 source outside
> > ntp server 172.16.1.2 source inside
> > http server enable
> > http 0.0.0.0 0.0.0.0 outside
> > http 0.0.0.0 0.0.0.0 inside
> > snmp-server host inside 172.16.1.2
> > snmp-server location Home
> > snmp-server contact Eric Nguyen
> > snmp-server community home
> > snmp-server enable traps
> > tftp-server inside 172.16.1.2 /
> > floodguard enable
> > no sysopt route dnat
> > telnet 0.0.0.0 0.0.0.0 inside
> > telnet timeout 60
> > ssh 0.0.0.0 0.0.0.0 outside
> > ssh 0.0.0.0 0.0.0.0 inside
> > ssh timeout 60
> > terminal width 80
> > Cryptochecksum:9ccb719c169af814515292a4bf0a9023
> > : end
> > [OK]
> > HERNDON-PIX#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59663&t=59663
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
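The thread boils down to three things a PPTP client behind PAT needs from the PIX: PAT itself (the `global ... interface` / `nat` pair Eric already has), the one-to-one static for TCP 1723 that Chuck recommends, and GRE (IP protocol 47, the PPTP data channel) being permitted inbound, since GRE carries no port numbers and so cannot be multiplexed the way PAT multiplexes TCP. The following Python checker is an added example, not code from the thread or from Cisco: it parses a PIX 6.x style config and reports which of those three pieces is missing. The config excerpt is constructed from the lines Eric posted, the `static (inside,outside) tcp interface 1723 ...` line is the assumed PIX 6.x port-redirection syntax for Chuck's advice, and the checker tests only for the presence of these lines; it does not model whether PIX 6.2 actually tracks GRE under PAT.

```python
"""Audit a PIX 6.x config for the pieces a PPTP client behind PAT needs.

Added example (hypothetical helper), not code from the mailing-list thread.
"""
import re

# Constructed excerpt of the PIX 6.2 config posted in the thread (outside/inside only).
ERIC_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 100 permit gre any any
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
access-group 100 in interface outside
"""

# Assumed fix per Chuck's advice: map outside TCP 1723 one-to-one to the PPTP
# client, same port, using PIX 6.x port-redirection syntax (assumption, not from the thread).
FIXED_CONFIG = ERIC_CONFIG + (
    "static (inside,outside) tcp interface 1723 172.16.1.100 1723 "
    "netmask 255.255.255.255 0 0\n"
)

PPTP_CLIENT = "172.16.1.100"   # Eric's laptop on the inside network
PPTP_PORT = "1723"             # PPTP control channel; the data channel is GRE (proto 47)


def parse(config: str) -> list[str]:
    """Split a config dump into stripped lines, dropping blanks and ':' banner lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def has_pat(lines: list[str]) -> bool:
    """PAT to the outside interface address plus a nat rule for the inside network."""
    has_global = any(re.match(r"global \(outside\) \d+ interface$", ln) for ln in lines)
    has_nat = any(ln.startswith("nat (inside) ") for ln in lines)
    return has_global and has_nat


def pptp_static(lines: list[str], client: str):
    """Return the static that maps outside TCP 1723 to the client's TCP 1723, or None."""
    pat = re.compile(r"static \(inside,outside\) tcp \S+ (\d+) (\S+) (\d+)")
    for ln in lines:
        m = pat.match(ln)
        if m and m.group(1) == PPTP_PORT and m.group(2) == client and m.group(3) == PPTP_PORT:
            return ln
    return None


def gre_permitted_inbound(lines: list[str]) -> bool:
    """GRE has no ports, so PAT cannot demultiplex it; at minimum the ACL bound
    inbound on the outside interface must permit gre (or all ip)."""
    acl_ids = [m.group(1) for ln in lines
               if (m := re.match(r"access-group (\S+) in interface outside$", ln))]
    for ln in lines:
        m = re.match(r"access-list (\S+) permit (gre|ip) ", ln)
        if m and m.group(1) in acl_ids:
            return True
    return False


def audit(config: str, client: str = PPTP_CLIENT) -> list[str]:
    """Return a list of findings; an empty list means all three pieces are present."""
    lines = parse(config)
    findings = []
    if not has_pat(lines):
        findings.append("no PAT (global interface + nat) for the inside network")
    if pptp_static(lines, client) is None:
        findings.append(f"no static mapping of outside TCP {PPTP_PORT} to {client}")
    if not gre_permitted_inbound(lines):
        findings.append("GRE (protocol 47) not permitted inbound on outside")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", ERIC_CONFIG), ("with static", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Run against the posted config the only finding is the missing TCP 1723 static, which matches Chuck's diagnosis; adding the static clears it. Two caveats when reading the result: the checker accepts `permit ip any any` as satisfying the GRE requirement because it is the wide-open outside ACL Eric described, not because that is a sensible production rule, and a port static makes the inside host's TCP 1723 reachable from the outside address to whatever that ACL permits, so the ACL should be tightened to the PPTP server's address once the tunnel works.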
