Eric,

    I just checked it with an ACL.  GRE is used incoming from a PPTP server,
at least from my work PIX it does.  But the trick is getting the incoming GRE
(with a destination of your PATing PIX) to the client inside.  Can you try
putting a 1-to-1 static from the PIX address pointing to the inside client?  I
don't have a PIX here to try it.  I think anything then without a translation
will be sent to your inside client.  But it's not really the PIX's fault.
What you're trying to do is PAT a protocol that for the most part is
incompatible with it.  Give it a shot.

Chuck Church
CCIE #8776, MCNE, MCSE
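The translation problem Chuck describes above, as an added Python model that is not part of the thread or of any Cisco code: PAT keys its translation table on a port, which the PPTP control channel (TCP 1723) has and the GRE data channel (IP protocol 47) does not, while a 1-to-1 static maps by address alone. The addresses are the ones from Eric's config; the table logic is a simplification and assumes a firewall with no PPTP-aware inspection (a helper that keys GRE on its call ID is how a Linux masquerading box with a PPTP helper passes it).

```python
# Added example (not from the thread): a toy model of PIX-style PAT versus a
# 1-to-1 static, showing why PPTP's control channel (TCP 1723) translates but
# its GRE data channel (IP protocol 47, no port field) does not.
# Addresses come from the thread; the table logic is a simplification that
# ignores any PPTP-aware inspection keying GRE on its call ID.

PIX_OUTSIDE = "4.64.1.100"      # "outside" interface from Eric's config
INSIDE_CLIENT = "172.16.1.100"  # the laptop on the "inside" network


class Pat:
    """global (outside) 1 interface: many inside hosts share one outside
    address and are told apart only by the translated source port."""

    def __init__(self):
        self.next_port = 1024
        self.xlate = {}  # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        if src_port is None:   # GRE carries no port: nothing to key on,
            return None        # so no PAT xlate can be built for it
        port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[(proto, port)] = (src_ip, src_port)
        return (PIX_OUTSIDE, port)

    def inbound(self, proto, dst_ip, dst_port):
        return self.xlate.get((proto, dst_port))  # matched on port only


class Static:
    """static (inside,outside) PIX_OUTSIDE INSIDE_CLIENT: keyed on address
    alone, so any protocol, ported or not, maps back to the one client."""

    def __init__(self, outside_ip, inside_ip):
        self.outside_ip, self.inside_ip = outside_ip, inside_ip

    def outbound(self, proto, src_ip, src_port):
        return (self.outside_ip, src_port) if src_ip == self.inside_ip else None

    def inbound(self, proto, dst_ip, dst_port):
        return (self.inside_ip, dst_port) if dst_ip == self.outside_ip else None


def pptp_session(xlator):
    """Push both halves of a PPTP session through a translator and report
    which of them get their return traffic back to INSIDE_CLIENT."""
    result = {}
    # Control channel: TCP to port 1723 from an ephemeral client port.
    out = xlator.outbound("tcp", INSIDE_CLIENT, 40000)
    back = out and xlator.inbound("tcp", out[0], out[1])
    result["tcp1723"] = bool(back) and back[0] == INSIDE_CLIENT
    # Data channel: GRE, no ports; the server replies to the source it saw.
    out = xlator.outbound("gre", INSIDE_CLIENT, None)
    back = out and xlator.inbound("gre", out[0], out[1])
    result["gre"] = bool(back) and back[0] == INSIDE_CLIENT
    return result
```

With `Pat()` the control channel comes back but GRE never gets an xlate, which matches the hang at "verify username and password"; with `Static(PIX_OUTSIDE, INSIDE_CLIENT)` both halves return to the client, at the cost of dedicating the outside address to that one host.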


  ----- Original Message -----
  From: eric nguyen
  To: Chuck Church ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 9:59 PM
  Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT


  Chuck,

  I did try the following:

  static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
  access-list 100 permit ip any any
  access-list 100 permit gre any any
  access-list 100 permit icmp any any
  access-group 100 in interface outside

  It still doesn't work.  The example you provided has to do with Cisco IOS.
  Pix is not the same as Cisco IOS even though it comes from the same company.

  This is really frustrating. I feel like I am being "ripped-off" by Cisco Pix
  firewall (even though I am running a clone, there is no way in hell that Cisco
  will support it).  It is really amazing that an expensive product like this one
  doesn't support PPTP with PAT (to my knowledge).  Even Linux firewall supports
  PPTP over PAT.

  I feel like I am hitting a brick wall here.  Please help.

  Eric

   Chuck Church  wrote:

    Eric,

    To get PPTP to work with PAT, you need to play with it like you do with
    IPSec. Check out:
    http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
    You need to statically map TCP 1723 on the outside to your inside PC, same
    port. At one time I thought it needed GRE, but I don't see it listed on
    that doc. HTH.

    Chuck Church
    CCIE #8776, MCNE, MCSE


    ----- Original Message -----
    From: "Neil Moore"
    To: "eric nguyen" ; ;

    Sent: Friday, December 20, 2002 5:58 PM
    Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT


    > It's all broken... I will give you 500 bux for that pix ..no problem!
    > ----------------------------------------
    > Neil Moore CCIE #10044
    > ----- Original Message -----
    > From: "eric nguyen"
    > To: ;
    > Sent: Friday, December 20, 2002 4:47 PM
    > Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT
    >
    >
    > > I just replaced my home linux "iptables" firewall with a "franken" pix
    > > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
    > > PDM 2.1(1).
    > >
    > > My internal network is 172.16.1.0/24 with the "inside" interface of the
    > > firewall being 172.16.1.254. The "outside" interface of the firewall is
    > > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
    > > interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
    > > access the Internet via Port Address Translation (PAT) to the "outside"
    > > interface and it seems to work OK. On the "inside" network, I have a
    > > Websense filter server (IP 172.16.1.2) to do url filtering for both the
    > > "inside" and "outside" interface. I use Websense server to filter out
    > > traffic that I don't want my children to see. Everything is working
    > > great with a minor exception:
    > >
    > > I need to make a PPTP connection from a laptop on the "inside" network
    > > (IP 172.16.1.100) to a PPTP server at my work place. The problem is
    > > that the connection keeps timing out. The connection times out at
    > > "verify username and password". To make sure that this is not a problem
    > > with my laptop, I hooked my laptop directly to the cable modem (I have
    > > roadrunner). Since my laptop has a valid external IP address, PPTP
    > > works. If I place the laptop on the "inside" network behind the
    > > "franken" pix, PPTP doesn't work. I even made the firewall "wide-open"
    > > for both inbound and outbound and it still doesn't work. Now if I
    > > replace the "franken" pix firewall with a linux firewall, PPTP works
    > > just fine through IP masquerading which is equivalent to PAT.
    > >
    > > My question is this: has anyone been able to successfully initiate a
    > > PPTP from behind a Pix firewall via Port Address Translation (PAT)?
    > > Does it even work at all with PAT? I am starting to have serious doubts
    > > about Cisco Pix firewall. It cost me $500 to build this "franken" pix
    > > firewall. With the CPU, memory and flash, this "franken" pix is
    > > equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
    > > not even do a simple thing like allowing PPTP through PAT. My linux
    > > firewall is running on a Pentium 90Mhz with 64MB of RAM and PPTP works
    > > just fine, and it cost me $20 for that old system.
    > >
    > > I think PPTP will work with static NAT but I don't have an extra public
    > > IP to spare.
    > >
    > > If anyone has PPTP working through PAT, please reply. Thanks.
    > >
    > > Eric.
    > >
    > > Here is my Pix configuration
    > >
    > > HERNDON-PIX# wr t
    > > Building configuration...
    > > : Saved
    > > :
    > > PIX Version 6.2(2)
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > nameif ethernet2 dmz security99
    > > nameif ethernet3 dmz2 security98
    > > enable password ***************** encrypted
    > > passwd ********************* encrypted
    > > hostname HOME-PIX
    > > domain-name home.com
    > > clock timezone est -5
    > > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
    > > fixup protocol ftp 21
    > > fixup protocol http 80
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol ils 389
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol sip 5060
    > > fixup protocol skinny 2000
    > > names
    > > access-list compiled
    > > access-list 100 permit icmp any any
    > > access-list 100 permit ip any any
    > > access-list 100 permit gre any any
    > > access-list 101 permit ip any any
    > > access-list 101 permit icmp any any
    > > access-list 101 permit gre any any
    > > access-list 200 permit ip any any
    > > access-list 200 permit icmp any any
    > > access-list 200 permit gre any any
    > > pager lines 24
    > > logging on
    > > logging timestamp
    > > logging monitor debugging
    > > logging trap notifications
    > > logging facility 23
    > > logging queue 1024
    > > logging host inside 172.16.1.2
    > > interface ethernet0 auto
    > > interface ethernet1 100full
    > > interface ethernet2 100full
    > > interface ethernet3 100full shutdown
    > > mtu outside 1500
    > > mtu inside 1500
    > > mtu dmz 1500
    > > mtu dmz2 1500
    > > ip address outside 4.64.1.100 255.255.252.0
    > > ip address inside 172.16.1.254 255.255.255.0
    > > ip address dmz 172.17.1.254 255.255.255.0
    > > ip address dmz2 127.0.0.1 255.255.255.255
    > > ip verify reverse-path interface outside
    > > ip verify reverse-path interface inside
    > > ip audit name inside-attack attack action alarm
    > > ip audit name inside-info info action alarm
    > > ip audit interface outside inside-info
    > > ip audit interface outside inside-attack
    > > ip audit interface inside inside-info
    > > ip audit interface inside inside-attack
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > no failover
    > > failover timeout 0:00:00
    > > failover poll 15
    > > failover ip address outside 0.0.0.0
    > > failover ip address inside 0.0.0.0
    > > failover ip address dmz 0.0.0.0
    > > failover ip address dmz2 0.0.0.0
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    > > nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
    > > static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    > > access-group 100 in interface outside
    > > access-group 101 in interface inside
    > > access-group 200 in interface dmz
    > > route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
    > > timeout xlate 3:00:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
    > > filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    > > ntp server 4.2.2.2 source outside
    > > ntp server 172.16.1.2 source inside
    > > http server enable
    > > http 0.0.0.0 0.0.0.0 outside
    > > http 0.0.0.0 0.0.0.0 inside
    > > snmp-server host inside 172.16.1.2
    > > snmp-server location Home
    > > snmp-server contact Eric Nguyen
    > > snmp-server community home
    > > snmp-server enable traps
    > > tftp-server inside 172.16.1.2 /
    > > floodguard enable
    > > no sysopt route dnat
    > > telnet 0.0.0.0 0.0.0.0 inside
    > > telnet timeout 60
    > > ssh 0.0.0.0 0.0.0.0 outside
    > > ssh 0.0.0.0 0.0.0.0 inside
    > > ssh timeout 60
    > > terminal width 80
    > > Cryptochecksum:9ccb719c169af814515292a4bf0a9023
    > > : end
    > > [OK]
    > > HERNDON-PIX#








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59672&t=59672
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
