Thanks, Lisa.
Always good to get a non-solution. ;)
Juuuust kidding.
J-M - this doesn't look like a PIX problem, and I'd avoid screwing with it
or implying to the customer that it's the culprit - (I suspect that) you'll
just look dumb later. If you can make a successful PPTP connection and
transfer _any_ packets then the problem is almost certainly one of the NT
boxen.
Here are a few ideas...
When you make a PPTP connection, just like any VPN, it's like connecting
another network interface to your box. This means that you need to make sure
that the routes aren't screwed up, for one thing. MS thoughtfully have the
default option for PPTP set so that the PPTP connection becomes the default
route - this is often bad.
Secondly, just because you have a new interface, doesn't mean that the NT
box knows where on the new network to go to authenticate - troubleshoot this
just as a normal "can't find domain controller" problem.
Finally, I'm not sure how you "setup NetBIOS" - do you mean NetBEUI?
AFAIK you can't talk NT _out_ of enabling NetBIOS - if you pare down your
protocols to TCP/IP it will enable NetBIOS over TCP (NetBT or NetBIOS
Transport) automatically. If you've gotten it not to, then tell me how!
One more question -
> >If I setup netbios on the VPN client (and PPTP/RAS server), users can
> >connect and authenticate and do whatever they can/allowed.
If you have a situation that works, what's the problem?
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
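
Added example, not part of the original post: a Python check for the two client-side points raised above, namely whether the PPTP link has taken over the default route and whether the logon server's address is routed into the tunnel. The routing rows (in `route print` column order), all addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed rows in `route print` column order:
# destination, netmask, gateway, interface, metric. All addresses are made up.
SAMPLE_ROUTES = """\
0.0.0.0       0.0.0.0          192.168.1.1   192.168.1.50  2
0.0.0.0       0.0.0.0          10.20.0.77    10.20.0.77    1
10.0.0.0      255.0.0.0        10.20.0.77    10.20.0.77    1
192.168.1.0   255.255.255.0    192.168.1.50  192.168.1.50  1
203.0.113.10  255.255.255.255  192.168.1.1   192.168.1.50  1
"""
TUNNEL_IP = "10.20.0.77"  # assumed address handed to the PPTP adapter
TARGETS = {  # assumed addresses, for illustration only
    "pptp_server_public": "203.0.113.10",
    "domain_controller": "10.1.1.5",
    "internet_host": "198.51.100.7",
}

def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers and blank lines
        dest, mask, gateway, iface, metric = fields
        routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                       "gateway": gateway, "iface": iface,
                       "metric": int(metric)})
    return routes

def select_route(routes, dest):
    """Route used for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]),
               default=None)

def tunnel_report(routes, tunnel_ip, targets):
    """Report whether the tunnel owns the default route and each target's exit."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    best = min(defaults, key=lambda r: r["metric"], default=None)
    report = {"default_via_tunnel": best is not None and best["iface"] == tunnel_ip}
    for name, addr in targets.items():
        route = select_route(routes, addr)
        report[name] = route["iface"] if route else None
    return report

if __name__ == "__main__":
    for key, value in tunnel_report(parse_routes(SAMPLE_ROUTES), TUNNEL_IP, TARGETS).items():
        print(f"{key}: {value}")
```
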
> -----Original Message-----
> From: Lisa Napier [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 16 October 1999 10:37 AM
> To: Jean Morissette; firewalls@lists.gnac.net
> Subject: Re: MS PPTP and PIX
>
>
> Hi all,
>
> Afraid I don't have much information to help solve the problem. I do
> know that I've seen sites using PPTP through the PIX, both with and
> without NAT configured. In fact, the PIX documentation; Command
> Reference, 'Conduit command' has an example specific to PPTP.
>
> Apologies, I'm not sure what the other issues may be with the PPTP
> setup. But it does, and can work through the PIX.
>
> Thanks,
>
> Lisa Napier
> Product Security Incident Response Team
> Cisco Systems
>
>
> At 09:23 AM 10/15/1999 -0400, Jean Morissette wrote:
> >I am posting here because I believe my problem is at the PIX and
> >something about NAT!
> >
> >I was called by a client to troubleshoot this problem:
> >
> >remote user (DUN/PPTP VPN)----Internet---Cisco router----PIX
> >firewall----PPTPserver(NT 4.0 sp4) with VPN.(in a secure network)
> >
> >If I setup netbios on the VPN client (and PPTP/RAS server), users can
> >connect and authenticate and do whatever they can/allowed.
> >
> >If I use TCP/IP, users can connect but can not authenticate. If I look
> >at the client's TCP/IP setting (NT w/s) with ipconfig the NDISWANx (or
> >whatever) gives me an IP address with the default gateway equal to its
> >own IP address (ras client should get all the config from the RAS
> >server (RAS is setup to allow the RAS clients to get config. info from
> >the DHCP server). So bottom line is I can not ping inside the secure
> >network. But I can ping the public IP address of the PPTP server (So
> >that would be the address before the PIX does NAT, right??). So what
> >is going on at the cisco routers or PIX. I did not look at the router
> >and PIX config, YET. The client is supposed to have experts who manage
> >those things, he called me because in the past I always fixed his
> >problems. He confirmed with me that GRE packets and tcp port 1723 are
> >allowed/opened.
> >
> >Any ideas?
> >
> >Jean
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]