Do I need to enable GRE protocol port?

glory3321 (IS/IT--Management)
21 Aug 01 4:36
Do I need to enable the "fixup protocol gre 47" to enable PPTP using Microsoft Windows 98 and Windows 2000 clients?
Bluecrack (MIS)
21 Aug 01 22:39
Actually, there is no "fixup protocol gre 47" to my knowledge.  Either way, you do not need it.

Bluecrack
glory3321 (IS/IT--Management)
21 Aug 01 22:53
BlueCrack,


Thanks for responding Bluecrack, yes, my mistake.

Can you comment on this :

My internal network IP is 192.168.25.0 255.255.255.0
I set my PPTP local IP pool to 192.168.25.101 - 192.168.25.115.

Is this fine, assigning the PPTP pool within the same subnet as my internal network? Maybe this is the problem with the routing, why I cannot ping the internal network in the PPTP connection.


any comment ?



glory3321 (IS/IT--Management)
23 Aug 01 8:05
Hello BlueCrack,


I noticed in the console logging file that it seems it does not allow pinging internally. Here is the log of the PIX.

106010: Deny inbound icmp src outside:192.168.20.150 dst inside:192.168.25.81 (type 8, code 0)
106011: Deny inbound (No xlate) tcp src outside:192.168.20.150/1237 dst outside


Here is the only access-list that I define from PIX

access-list japvpn permit ip 192.168.0.0 255.255.0.0 130.2.0.0 255.255.0.0


The Nat I define is
nat (inside) 0 access-list japvpn

Conduit permit icmp any any

ip local pool pptp-pool 192.168.20.150-192.168.20.159


Everything seems to be fine,  including login,  internal network can view the PPTP client.

However the PPTP client cannot ping the internal network, being blocked by the PIX. Is there a way to allow the PPTP client to ping and access the resources of the internal network?

What command shall I use?

Thanks

Glory3321
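A defender reading the two log lines above would want to pull them out of the console log automatically rather than by eye. The following Python parser is an added example, not code from the thread or from Cisco; the sample lines are constructed in the format of the two messages quoted in this post (the 111005 line is just a non-deny message to show it is ignored), and the pool bounds, the `DenyEvent` class and the function names are assumptions. It classifies 106010/106011 denies and picks out those whose source is a PPTP pool address arriving on the outside interface, which is exactly the symptom described here: the client dials in, but everything it sends inward is dropped.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines in the format quoted in the thread; this is
# not a real capture from the poster's PIX.
SAMPLE_LOG = """\
106010: Deny inbound icmp src outside:192.168.20.150 dst inside:192.168.25.81 (type 8, code 0)
106011: Deny inbound (No xlate) tcp src outside:192.168.20.150/1237 dst inside:192.168.25.81/139
106010: Deny inbound udp src outside:203.0.113.9/53 dst outside:198.51.100.4/1025
111005: 192.168.25.10 end configuration: OK
"""

# One regex covers both 106010 (no ACL/conduit permits the packet) and
# 106011 (no xlate) deny messages, with optional ports and ICMP type/code.
DENY_RE = re.compile(
    r"^(?P<msgid>10601[01]): Deny (?P<direction>inbound|outbound)"
    r"(?: \((?P<reason>[^)]+)\))? (?P<proto>\w+)"
    r" src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?\s*$"
)


@dataclass(frozen=True)
class DenyEvent:
    msgid: str
    reason: Optional[str]
    proto: str
    src_if: str
    src_ip: ipaddress.IPv4Address
    sport: Optional[int]
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    dport: Optional[int]


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Parse one PIX 106010/106011 line; return None for any other message."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return DenyEvent(
        msgid=m["msgid"],
        reason=m["reason"],
        proto=m["proto"],
        src_if=m["src_if"],
        src_ip=ipaddress.IPv4Address(m["src_ip"]),
        sport=int(m["sport"]) if m["sport"] else None,
        dst_if=m["dst_if"],
        dst_ip=ipaddress.IPv4Address(m["dst_ip"]),
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_log(text: str) -> List[DenyEvent]:
    """All deny events in a block of console-log text, in order."""
    return [e for e in (parse_deny(l) for l in text.splitlines()) if e]


def in_pool(ip: ipaddress.IPv4Address, first: str, last: str) -> bool:
    """A PIX 'ip local pool' is a plain address range, not a CIDR block."""
    return ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last)


def vpn_client_denies(events: List[DenyEvent], pool_first: str, pool_last: str) -> List[DenyEvent]:
    """Denied packets whose source is a PPTP pool address seen on 'outside':
    the client authenticated, but its traffic has no permit and no xlate."""
    return [e for e in events
            if e.src_if == "outside" and in_pool(e.src_ip, pool_first, pool_last)]


if __name__ == "__main__":
    # Pool bounds are the ones quoted in this post (assumed to still be current).
    for e in vpn_client_denies(parse_log(SAMPLE_LOG), "192.168.20.150", "192.168.20.159"):
        print(f"{e.msgid} {e.proto} {e.src_ip} -> {e.dst_ip} reason={e.reason}")
```

Feed it the actual console log instead of `SAMPLE_LOG` to see how many of the denies are really VPN-client traffic versus unrelated noise on the outside interface; the `reason` field tells the two cases apart (a bare 106010 is a policy deny, "No xlate" means the return path has no translation to match).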




Bluecrack (MIS)
23 Aug 01 16:36
The only other thing I can remember doing is adding an access-list to nat 0.

access-list pptp-list permit ip any host 192.168.20.150
access-list pptp-list permit ip any host 192.168.20.151
access-list pptp-list permit ip any host 192.168.20.152
access-list pptp-list permit ip any host 192.168.20.153
access-list pptp-list permit ip any host 192.168.20.154
access-list pptp-list permit ip any host 192.168.20.155
access-list pptp-list permit ip any host 192.168.20.156
access-list pptp-list permit ip any host 192.168.20.157
access-list pptp-list permit ip any host 192.168.20.158
access-list pptp-list permit ip any host 192.168.20.159
nat (inside) 0 access-list pptp-list

That should prevent packets from internal hosts from being NATed when they go to the VPN users.

What version of the PIX software are you running?
Bluecrack
glory3321 (IS/IT--Management)
27 Aug 01 4:54
HI Bluecrack,


I added the above configuration but still no luck!

Do I need to add a route inside command such as

route inside 192.168.30.0 255.255.255.0 192.168.25.1 1

Where 192.168.25.1 is the router.

Thanks !

 
Bluecrack (MIS)
27 Aug 01 18:11
Let's back up a step.  Is the problem: the VPN connection is not established?  Or is the problem: once the VPN connection is established, the VPN user cannot hit any server inside your network?

I believe the problem is the latter.  If so, then you will need routes on the PIX to any subnet behind a router internally.  More importantly though, you need to be able to get those packets past the firewall.

You said you added the access-list and the nat 0 statement.  What do the logs say now when a user connects and tries to hit a server inside the network?

Bluecrack
glory3321 (IS/IT--Management)
28 Aug 01 6:55
Hi BlueCrack,

After adding the access-list, it still gives me the same error.  PIX is not permitting: 106010: Deny inbound icmp src outside.

Below is the config of my PIX firewall. I managed to connect a VPN through PIX to PIX.  But for PPTP I still cannot make it work.

Although the PPTP client (Windows client) can log in to the PIX, the PPTP client still cannot hit any internal server or client.  Below is my config.. maybe I still miss something in the access-list.

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UMoJELdsuEIrsLkv encrypted
passwd DZ0dwapx1vD4rfD8 encrypted

hostname Pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol domain 25
fixup protocol http 8080

names
access-list testvpn permit ip 192.168.0.0 255.255.255.0 130.2.0.0 255.255.0.0
access-list testvpn permit ip any host 192.168.30.100
access-list testvpn permit ip any host 192.168.30.101
access-list testvpn permit ip any host 192.168.30.103


no logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500

ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.25.56 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.30.100-192.168.30.110
arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 0 access-list testvpn
nat (inside) 1 192.168.25.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0

conduit permit icmp any any
conduit permit gre any any
rip inside default version 1

route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 192.167.30.0 255.255.255.0 192.168.25.1 1
route inside 192.168.50.0 255.255.255.0 192.168.25.1 1
route inside 192.168.75.0 255.255.255.0 192.168.25.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact

snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat

crypto ipsec transform-set set1 esp-des esp-md5-hmac
crypto map vpn-traffic 10 ipsec-isakmp
crypto map vpn-traffic 10 match address testvpn
crypto map vpn-traffic 10 set peer x.x.x.x
crypto map vpn-traffic 10 set transform-set set1
crypto map vpn-traffic interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600

telnet 192.168.25.0 255.255.255.0 inside
telnet 130.2.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username xxxxxx
vpdn username xxxxxx
vpdn enable outside
terminal width 80
Cryptochecksum:489c591cedc1dc94e1034f5cc2976440
: end
[OK]
Pix506jpn#


Bluecrack (MIS)
28 Aug 01 10:54
First, I noticed a few things in the config.

1.  Why do you have two NAT 1 statements that let the same traffic out?  I would assume you could remove the first one and leave 'nat (inside) 1 192.168.0.0 255.255.0.0'.

2.  Is this statement correct?  'route inside 192.167.30.0 255.255.255.0 192.168.25.1 1'  Based on all your other routes I would assume you are using 192.168.x.x internally.

Next,  I think the access-list testvpn may need to be changed.  Try creating a new list like the following:

access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 host 192.168.30.100
access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 host 192.168.30.101
etc.

Then bind this access list to the NAT 0 statement.  This way you can save your other access-list while you test.  This access-list should permit vpn clients to hit hosts on the 192.168.25.x/24 subnet.  You will need to add entries in the ACL to allow access to/from hosts on other subnets.

Finally,  If you are using 192.168.30.x inside somewhere then you should change the VPN clients to use something else, perhaps 192.168.31.x/24

I hope this helps.  I will check my pix 5.3(1) config when I get to work and compare it with yours.

Bluecrack
Bluecrack (MIS)
31 Aug 01 9:59
Glory3321

Sorry for the delay.  I've had some problems at work I had to deal with.  When I ran the pptp protocol I had the following setup.  (note:  I modified the addressing to use the 192.168.30.x network as you have)

ip local pool pptp-pool 192.168.30.100-192.168.30.109
access-list pptpvpn permit ip any host 192.168.30.100
access-list pptpvpn permit ip any host 192.168.30.101
access-list pptpvpn permit ip any host 192.168.30.102
access-list pptpvpn permit ip any host 192.168.30.103
access-list pptpvpn permit ip any host 192.168.30.104
access-list pptpvpn permit ip any host 192.168.30.105
access-list pptpvpn permit ip any host 192.168.30.106
access-list pptpvpn permit ip any host 192.168.30.107
access-list pptpvpn permit ip any host 192.168.30.108
access-list pptpvpn permit ip any host 192.168.30.109
nat (inside) 0 access-list pptpvpn
aaa-server myradius protocol radius
aaa-server myradius (inside) host x.x.x.x pwd timeout 5
aaa-server myradius (inside) host y.y.y.y pwd timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns x.x.x.x y.y.y.y
vpdn group 1 client authentication aaa myradius
vpdn enable outside
sysopt connection permit-pptp


Hope this helps.

Bluecrack
glory3321 (IS/IT--Management)
1 Sep 01 8:15
Hi BlueCrack !,

Thanks for your help.. It works by applying the pptpvpn to nat 0.


But my existing nat 0 is being used by another VPN connection which is PIX to PIX connection,  which is operational and functioning very well.

Can I bind two access-list in nat 0 ( pptpvpn and japvpn) ?

Is there another way on how to bind pptpvpn aside from nat 0 ?

Thanks !
Bluecrack (MIS)
2 Sep 01 15:04
I am not aware of any way to bind two access-lists to NAT 0.  However you can put the statements from both access-lists together in one access-list and bind that to NAT 0.

Bluecrack
glory3321 (IS/IT--Management)
3 Sep 01 21:50
Hi Bluecrack !,

How are you lately? First of all, you are very helpful indeed in solving my problem in PIX.  I think this will be my last question on this problem to solve it.

How can I combine these two access-lists in one access-list and bind it to NAT 0?

access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 130.2.0.0 255.255.0.0


access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 192.168.30.0 255.255.255.0


thanks !

glory3321
Bluecrack (MIS)
5 Sep 01 19:43
I've been really busy.

You should be able to take the statements from both access-lists and put them both in one access-list.  Then use that access-list in the NAT 0 statement.  It looks like you've got:




access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 130.2.0.0 255.255.0.0
access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list pptpvpn

That should do the trick.  I don't know of any problems with this.  NAT 0 with the access-list command should just not NAT the traffic specified in the access-list.

Bluecrack
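To make the nat 0 semantics from the last two replies concrete (and the earlier advice about the client pool overlapping an inside subnet), here is an added Python model; it is not code from the thread or from Cisco. It parses PIX-style `access-list` lines, merges the two lists under one name the way the final reply suggests, decides whether a given inside-to-peer flow is exempt from translation, and checks a client pool against the internal subnets. The ACL text is the thread's own; the `Ace` class, the function names, and the first-match evaluation of the exemption list are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List

# The two access-lists from the thread, as posted (only the source text is
# real; everything below it is an illustrative model).
JAPVPN = """\
access-list japvpn permit ip 192.168.25.0 255.255.255.0 130.2.0.0 255.255.0.0
"""
PPTPVPN = """\
access-list pptpvpn permit ip 192.168.25.0 255.255.255.0 192.168.30.0 255.255.255.0
"""


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny ip SRC DST' lines; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(acl=t[1], action=t[2], proto=t[3], src=src, dst=dst))
    return aces


def is_nat_exempt(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """'nat (inside) 0 access-list NAME': the first ACE matching the
    inside-originated flow decides; a permit means the flow is not
    translated, so the VPN peer sees the real inside address."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if s in a.src and d in a.dst:
            return a.action == "permit"
    return False


def combine(*acl_texts: str, name: str = "pptpvpn") -> List[Ace]:
    """Only one list can be bound to nat 0, so relabel every ACE from the
    inputs under a single name, preserving order."""
    return [replace(a, acl=name) for text in acl_texts for a in parse_acl(text)]


def pool_overlaps(pool_first: str, pool_last: str, internal_nets) -> list:
    """Internal networks that share addresses with the client pool; the
    thread's advice is to move such a pool to an unused range."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    return [n for n in internal_nets
            if n.network_address <= last and n.broadcast_address >= first]


if __name__ == "__main__":
    merged = combine(JAPVPN, PPTPVPN)
    for flow in [("192.168.25.56", "192.168.30.100"), ("192.168.50.10", "192.168.30.100")]:
        print(flow, "exempt" if is_nat_exempt(merged, *flow) else "translated")
    nets = [ipaddress.ip_network(n) for n in ("192.168.25.0/24", "192.168.50.0/24", "192.168.75.0/24")]
    print("pool overlap:", pool_overlaps("192.168.30.100", "192.168.30.110", nets))
```

The second flow in the usage block shows the caveat from the earlier reply: a host on 192.168.50.0/24 is not covered by the merged list, so its traffic to the PPTP clients would still be translated until an entry for that subnet is added.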
