Eric,

According to Cisco's recommendations you should do the following steps:

1. Create a static address translation for your laptop:
    static (inside,outside)  netmask 255.255.255.255 0 0

2. Configure an access-list to permit GRE (you have it enabled for ALLALL,
but it may be a better idea to permit it only for specific hosts):
    access-list acl-out permit gre host  host


3. Apply the access-list to the interface (you have it done):
     access-group acl-out in interface outside

So, all you need to do is create a static NAT translation for your laptop.

Good luck,

Michael Shavrov



----- Original Message -----
From: "eric nguyen" 
To: ; 
Sent: Friday, December 20, 2002 4:47 PM
Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT


> I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with PDM 2.1(1).
> My internal network is 172.16.1.0/24 with the "inside" interface of the firewall
> at 172.16.1.254.  The "outside" interface of the firewall is 4.64.1.100.  I also have
> a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254.  Machines
> on both the "inside" and "dmz" access the Internet via Port Address Translation
> (PAT) to the "outside" interface and it seems to work OK.  On the "inside" network,
> I have a Websense filter server (IP 172.16.1.2) to do URL filtering for both the "inside"
> and "outside" interface.  I use the Websense server to filter out traffic that I don't want
> my children to see.  Everything is working great with a minor exception:
> I need to make a PPTP connection from a laptop on the "inside" network (IP
> 172.16.1.100) to a PPTP server at my work place.  The problem is that the
> connection keeps timing out.  The connection times out at "verify username and
> password".  To make sure that this is not a problem with my laptop, I hooked my
> laptop directly to the cable modem (I have roadrunner).  Since my laptop has a valid
> external IP address, PPTP works.  If I place the laptop on the "inside" network
> behind the "franken" pix, PPTP doesn't work.  I even made the firewall "wide-open" for
> both inbound and outbound and it still doesn't work.  Now if I replace the "franken"
> pix firewall with a linux firewall, PPTP works just fine through IP masquerading, which
> is equivalent to PAT.
>
> My question is this:  has anyone been able to successfully initiate a PPTP connection
> from behind a Pix firewall via Port Address Translation (PAT)?  Does it even work
> at all with PAT?  I am starting to have serious doubts about the Cisco Pix
> firewall.  It cost me $500 to build this "franken" pix firewall.  With the CPU, memory and
> flash, this "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit
> Interface) and it can not even do a simple thing like allowing PPTP through PAT.  My linux
> firewall is running on a Pentium 90MHz with 64MB of RAM and PPTP works just fine, and
> it cost me $20 for that old system.
> I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> If anyone has PPTP working through PAT, please reply.  Thanks.
>
> Eric.
>
> Here is my Pix configuration
>
> HERNDON-PIX# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security99
> nameif ethernet3 dmz2 security98
> enable password ***************** encrypted
> passwd ********************* encrypted
>
> hostname HOME-PIX
> domain-name home.com
>
> clock timezone est -5
> clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
>
> access-list compiled
> access-list 100 permit icmp any any
> access-list 100 permit ip any any
> access-list 100 permit gre any any
>
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> access-list 101 permit gre any any
>
> access-list 200 permit ip any any
> access-list 200 permit icmp any any
> access-list 200 permit gre any any
>
> pager lines 24
>
> logging on
> logging timestamp
> logging monitor debugging
> logging trap notifications
> logging facility 23
> logging queue 1024
> logging host inside 172.16.1.2
>
> interface ethernet0 auto
> interface ethernet1 100full
> interface ethernet2 100full
> interface ethernet3 100full shutdown
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu dmz2 1500
> ip address outside 4.64.1.100 255.255.252.0
> ip address inside 172.16.1.254 255.255.255.0
> ip address dmz 172.17.1.254 255.255.255.0
> ip address dmz2 127.0.0.1 255.255.255.255
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit name inside-attack attack action alarm
> ip audit name inside-info info action alarm
> ip audit interface outside inside-info
> ip audit interface outside inside-attack
> ip audit interface inside inside-info
> ip audit interface inside inside-attack
> ip audit info action alarm
> ip audit attack action alarm
>
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> failover ip address dmz2 0.0.0.0
>
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 172.16.1.0 255.255.255.0 0 0
> nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
> static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
> access-group 100 in interface outside
> access-group 101 in interface inside
> access-group 200 in interface dmz
> route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> ntp server 4.2.2.2 source outside
> ntp server 172.16.1.2 source inside
> http server enable
> http 0.0.0.0 0.0.0.0 outside
>
> http 0.0.0.0 0.0.0.0 inside
>
> snmp-server host inside 172.16.1.2
> snmp-server location Home
> snmp-server contact Eric Nguyen
> snmp-server community home
> snmp-server enable traps
> tftp-server inside 172.16.1.2 /
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 60
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 0.0.0.0 0.0.0.0 inside
> ssh timeout 60
> terminal width 80
> Cryptochecksum:9ccb719c169af814515292a4bf0a9023
> : end
> [OK]
>
> HERNDON-PIX#
>
>
>
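Michael's three steps (a static translation for the laptop, a GRE permit, and the access-group on the outside interface) can be checked mechanically against a PIX 6.2 configuration. The script below is an added example written for this thread, not code from the list or from Cisco: it parses the `static`, `access-list` and `access-group` lines, works out whether the laptop has a static (inside,outside) mapping or only the PAT `global ... interface`, and evaluates the outside access-list first-match for GRE from the PPTP server to the mapped address. The configuration excerpt is taken from Eric's posted config; the public address 4.64.1.101 and the PPTP server address 198.51.100.10 are constructed placeholders, since neither appears in the thread.

```python
import ipaddress
import re

# Constructed sample: the translation and access-list lines from Eric's quoted
# PIX 6.2 configuration (the other lines do not affect this check).
ERIC_CONFIG = """\
access-list compiled
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 100 permit gre any any
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
"""
# Constructed: the same config plus Michael's step 1, with an assumed spare
# public address 4.64.1.101 standing in for the laptop's mapped IP.
FIXED_CONFIG = ERIC_CONFIG + "static (inside,outside) 4.64.1.101 172.16.1.100 netmask 255.255.255.255 0 0\n"
# Constructed: Michael's tighter step 2, permitting GRE only from an assumed
# PPTP server address 198.51.100.10 to the mapped IP instead of 'gre any any'.
NARROW_CONFIG = """\
access-list acl-out permit gre host 198.51.100.10 host 4.64.1.101
static (inside,outside) 4.64.1.101 172.16.1.100 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def _addr_spec(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]

def parse_config(text):
    """Collect static translations, access-list entries and access-group bindings."""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate the mail's '> ' quoting
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_ifc, mapped_ifc, mapped_ip, real_ip, mask)
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, rest_tokens = _addr_spec(rest.split())
            dst, _ = _addr_spec(rest_tokens)
            acls.setdefault(name, []).append((action, proto, src, dst))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> bound ACL name
    return {"statics": statics, "acls": acls, "groups": groups}

def mapped_public_ip(cfg, inside_ip):
    """Outside address a static (inside,outside) maps inside_ip to; None if the host only has PAT."""
    host = ipaddress.ip_address(inside_ip)
    for real_ifc, mapped_ifc, mapped_ip, real_ip, mask in cfg["statics"]:
        if (real_ifc, mapped_ifc) != ("inside", "outside"):
            continue
        real_net = ipaddress.ip_network(real_ip + "/" + mask, strict=False)
        if host in real_net:
            offset = int(host) - int(real_net.network_address)  # 0 for a /32 static
            return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped_ip)) + offset))
    return None

def acl_permits(entries, proto, src_ip, dst_ip):
    """First-match evaluation of a PIX access-list; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, entry_proto, src_net, dst_net in entries:
        if entry_proto in (proto, "ip") and src in src_net and dst in dst_net:
            return action == "permit"
    return False

def pptp_readiness(config_text, laptop_ip, pptp_server_ip):
    """List what is missing for the laptop's PPTP session; empty means all three steps are present."""
    cfg = parse_config(config_text)
    problems = []
    public_ip = mapped_public_ip(cfg, laptop_ip)
    if public_ip is None:
        problems.append(f"no static (inside,outside) translation for {laptop_ip}: "
                        "GRE carries no port numbers, so PAT cannot map its return packets")
    acl_name = cfg["groups"].get("outside")
    if acl_name is None:
        problems.append("no access-group bound to the outside interface")
    elif public_ip and not acl_permits(cfg["acls"].get(acl_name, []), "gre", pptp_server_ip, public_ip):
        problems.append(f"access-list {acl_name} does not permit gre from {pptp_server_ip} to {public_ip}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("as posted", ERIC_CONFIG), ("with static", FIXED_CONFIG)):
        print(label, "->", pptp_readiness(cfg, "172.16.1.100", "198.51.100.10") or "ready")
```

Run against the posted config it reports only the missing static, because `access-list 100 permit ip any any` already covers GRE; with the static added it reports nothing. The narrowed access-list shows the trade-off in Michael's step 2: GRE is admitted only from the one PPTP server to the one mapped address, so a different server address is rejected by the implicit deny.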




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59662&t=59662
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
