Thanks anyway, there is enough info. for me to look into the PIX config.
Time is on my side. When the client can't get his PIX expert to fix the
problem, I will ask him to get into the PIX config.
thanks
Jean.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Lisa Napier
> Sent: Friday, October 15, 1999 9:07 PM
> To: Jean Morissette; firewalls@lists.gnac.net
> Subject: Re: MS PPTP and PIX
>
>
> Hi all,
>
> Afraid I don't have much information to help solve the problem. I do
> know that I've seen sites using PPTP through the PIX, both with and
> without NAT configured. In fact, the PIX documentation (Command
> Reference, 'Conduit command') has an example specific to PPTP.
>
> Apologies, I'm not sure what the other issues may be with the PPTP
> setup. But it does, and can work through the PIX.
>
> Thanks,
>
> Lisa Napier
> Product Security Incident Response Team
> Cisco Systems
>
>
> At 09:23 AM 10/15/1999 -0400, Jean Morissette wrote:
> >I am posting here because I believe my problem is at the PIX and
> >something about NAT!
> >
> >I was called by a client to troubleshoot this problem:
> >
> >remote user (DUN/PPTP VPN)----Internet---Cisco router----PIX
> >firewall----PPTPserver(NT 4.0 sp4) with VPN.(in a secure network)
> >
> >If I set up NetBIOS on the VPN client (and PPTP/RAS server), users can
> >connect and authenticate and do whatever they can/allowed.
> >
> >If I use TCP/IP, users can connect but cannot authenticate. If I look at
> >the client's TCP/IP setting (NT w/s) with ipconfig, the NDISWANx (or
> >whatever) gives me an IP address with the default gateway equal to its
> >own IP address (the RAS client should get all the config from the RAS
> >server; RAS is set up to allow the RAS clients to get config info from
> >the DHCP server). So the bottom line is I cannot ping inside the secure
> >network. But I can ping the public IP address of the PPTP server (so that
> >would be the address before the PIX does NAT, right??). So what is going
> >on at the Cisco routers or PIX? I did not look at the router and PIX
> >config, YET. The client is supposed to have experts who manage those
> >things; he called me because in the past I always fixed his problems. He
> >confirmed with me that GRE packets and TCP port 1723 are allowed/opened.
> >
> >Any ideas?
> >
> >Jean
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]