Hmmm.... To quote cisco.com... PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.

That was from: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT... Although, interestingly enough... You can do it with IOS: http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

Chuck,

I did try the following:

static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside

It still doesn't work. The example you provided has to do with Cisco IOS. Pix is not the same as Cisco IOS even though it comes from the same company. This is really frustrating. I feel like I am being "ripped-off" by the Cisco Pix firewall (even though I am running a clone, there is no way in hell that Cisco will support it). It is really amazing that an expensive product like this one doesn't support PPTP with PAT (to my knowledge). Even a Linux firewall supports PPTP over PAT. I feel like I am hitting a brick wall here. Please help.

Eric

Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with IPSec. Check out: http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

You need to statically map TCP 1723 on the outside to your inside PC, same port. At one time I thought it needed GRE, but I don't see it listed on that doc.

HTH.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Neil Moore"
To: "eric nguyen" ; ;
Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

> It's all broken... I will give you 500 bux for that pix ..no problem!
> ----------------------------------------
> Neil Moore CCIE#10044
> ----- Original Message -----
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT
>
> > I just replaced my home linux "iptables" firewall with a "franken" pix
> > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the
> > firewall being 172.16.1.254. The "outside" interface of the firewall is
> > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix interface
> > IP of 172.17.1.254. Machines on both the "inside" and "dmz" access the
> > Internet via Port Address Translation (PAT) to the "outside" interface and
> > it seems to work OK. On the "inside" network, I have a Websense filter
> > server (IP 172.16.1.2) to do url filtering for both the "inside" and
> > "outside" interface. I use the Websense server to filter out traffic that I
> > don't want my children to see. Everything is working great with a minor
> > exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network
> > (IP 172.16.1.100) to a PPTP server at my work place. The problem is that the
> > connection keeps timing out. The connection times out at "verify username
> > and password". To make sure that this is not a problem with my laptop, I
> > hooked my laptop directly to the cable modem (I have roadrunner). Since my
> > laptop has a valid external IP address, PPTP works. If I place the laptop on
> > the "inside" network behind the "franken" pix, PPTP doesn't work. I even
> > made the firewall "wide-open" for both inbound and outbound and it still
> > doesn't work. Now if I replace the "franken" pix firewall with a linux
> > firewall, PPTP works just fine through IP masquerading, which is equivalent
> > to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP
> > connection from behind a Pix firewall via Port Address Translation (PAT)?
> > Does it even work at all with PAT? I am starting to have serious doubts
> > about the Cisco Pix firewall. It cost me $500 to build this "franken" pix
> > firewall. With the CPU, memory and flash, this "franken" pix is equivalent
> > to a Cisco Pix525 (minus the Gigabit Interface) and it can not even do a
> > simple thing like allowing PPTP through PAT. My linux firewall is running on
> > a Pentium 90MHz with 64MB of RAM and PPTP works just fine, and it cost me
> > $20 for that old system.
> >
> > I think PPTP will work with static NAT but I don't have an extra public IP
> > to spare.
> >
> > If anyone has PPTP working through PAT, please reply. Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration:
> >
> > HERNDON-PIX# wr t
> > Building configuration...
> > : Saved
> > :
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security99
> > nameif ethernet3 dmz2 security98
> > enable password ***************** encrypted
> > passwd ********************* encrypted
> > hostname HOME-PIX
> > domain-name home.com
> > clock timezone est -5
> > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list compiled
> > access-list 100 permit icmp any any
> > access-list 100 permit ip any any
> > access-list 100 permit gre any any
> > access-list 101 permit ip any any
> > access-list 101 permit icmp any any
> > access-list 101 permit gre any any
> > access-list 200 permit ip any any
> > access-list 200 permit icmp any any
> > access-list 200 permit gre any any
> > pager lines 24
> > logging on
> > logging timestamp
> > logging monitor debugging
> > logging trap notifications
> > logging facility 23
> > logging queue 1024
> > logging host inside 172.16.1.2
> > interface ethernet0 auto
> > interface ethernet1 100full
> > interface ethernet2 100full
> > interface ethernet3 100full shutdown
> > mtu outside 1500
> > mtu inside 1500
> > mtu dmz 1500
> > mtu dmz2 1500
> > ip address outside 4.64.1.100 255.255.252.0
> > ip address inside 172.16.1.254 255.255.255.0
> > ip address dmz 172.17.1.254 255.255.255.0
> > ip address dmz2 127.0.0.1 255.255.255.255
> > ip verify reverse-path interface outside
> > ip verify reverse-path interface inside
> > ip audit name inside-attack attack action alarm
> > ip audit name inside-info info action alarm
> > ip audit interface outside inside-info
> > ip audit interface outside inside-attack
> > ip audit interface inside inside-info
> > ip audit interface inside inside-attack
> > ip audit info action alarm
> > ip audit attack action alarm
> > no failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address dmz 0.0.0.0
> > failover ip address dmz2 0.0.0.0
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
> > nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
> > static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
> > access-group 100 in interface outside
> > access-group 101 in interface inside
> > access-group 200 in interface dmz
> > route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
> > filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > ntp server 4.2.2.2 source outside
> > ntp server 172.16.1.2 source inside
> > http server enable
> > http 0.0.0.0 0.0.0.0 outside
> > http 0.0.0.0 0.0.0.0 inside
> > snmp-server host inside 172.16.1.2
> > snmp-server location Home
> > snmp-server contact Eric Nguyen
> > snmp-server community home
> > snmp-server enable traps
> > tftp-server inside 172.16.1.2 /
> > floodguard enable
> > no sysopt route dnat
> > telnet 0.0.0.0 0.0.0.0 inside
> > telnet timeout 60
> > ssh 0.0.0.0 0.0.0.0 outside
> > ssh 0.0.0.0 0.0.0.0 inside
> > ssh timeout 60
> > terminal width 80
> > Cryptochecksum:9ccb719c169af814515292a4bf0a9023
> > : end
> > [OK]
> > HERNDON-PIX#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59669&t=59669
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
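The point Raymond quotes, that PAT tells flows apart by port and GRE (IP protocol 47) has none, can be shown with a small model. This is an added example, not code from the thread, from Cisco or from Linux: it parses the enhanced GRE header PPTP uses (RFC 2637) and models a toy PAT table that, in plain mode, cannot deliver an inbound GRE packet to any inside host, while a PPTP-aware helper (the approach Linux's PPTP NAT helper takes) demuxes on the Call ID instead. The PatTable class is hypothetical, the addresses come from the thread, and the Call IDs and packet bytes are constructed.

```python
import struct

PPTP_GRE_PROTO_TYPE = 0x880B           # PPP inside enhanced GRE, RFC 2637 section 4
GRE_K_BIT, GRE_S_BIT, GRE_A_BIT = 0x2000, 0x1000, 0x0080


def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the enhanced GRE header PPTP tunnels PPP frames in (RFC 2637).
    The Key field holds the receiver's Call ID: GRE's only demux value, no ports."""
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO_TYPE or not flags & GRE_K_BIT or flags & 7 != 1:
        raise ValueError("not a PPTP enhanced-GRE packet")
    hdr_len = 8 + (4 if flags & GRE_S_BIT else 0) + (4 if flags & GRE_A_BIT else 0)
    return {"call_id": call_id, "payload_len": payload_len, "header_len": hdr_len}


class PatTable:
    """Toy PAT behind one outside address (constructed model, not PIX code).
    TCP flows are told apart by outside port; GRE has no port, which is the failure
    the thread hits. With pptp_helper=True each PPTP call gets a unique outside Call ID."""

    def __init__(self, outside_ip: str, pptp_helper: bool = False):
        self.outside_ip, self.pptp_helper = outside_ip, pptp_helper
        self.next_id = 1024
        self.tcp = {}    # (inside_ip, src_port) -> outside port
        self.calls = {}  # outside Call ID -> (inside_ip, client's real Call ID)

    def tcp_outbound(self, inside_ip: str, src_port: int):
        """Control channel (TCP 1723) is ordinary PAT: one outside port per flow."""
        key = (inside_ip, src_port)
        if key not in self.tcp:
            self.tcp[key], self.next_id = self.next_id, self.next_id + 1
        return self.outside_ip, self.tcp[key]

    def pptp_call_setup(self, inside_ip: str, client_call_id: int):
        """Helper learns the client's Call ID from the control channel and allocates
        the outside Call ID the server will use (rewriting the control message omitted)."""
        if not self.pptp_helper:
            return None  # plain PAT never looks inside the PPTP control channel
        out_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[out_id] = (inside_ip, client_call_id)
        return out_id

    def gre_inbound(self, pkt: bytes):
        """Deliver a GRE packet arriving at the outside address: (inside_ip, rewritten
        packet), or None when nothing ties the packet to an inside host."""
        info = parse_pptp_gre(pkt)
        if not self.pptp_helper or info["call_id"] not in self.calls:
            return None  # no port and no Call ID mapping: undeliverable
        inside_ip, real_id = self.calls[info["call_id"]]
        return inside_ip, pkt[:6] + struct.pack("!H", real_id) + pkt[8:]
```

Two inside hosts with the same client Call ID get distinct outside Call IDs, so the server's GRE replies can be routed back, which a port-keyed table cannot do for a port-less protocol.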