PAT on outside interface not working..

Status
Not open for further replies.

dflanagan

MIS
Oct 5, 2001
115
US
Hey,
Not sure if there are underlying issues with what I am trying to do or not, but here goes:

I am trying to get a user who is behind our PIX 515 (v6.2) to be able use Microsoft VPN software (standard dialup networking on Windows XP) to get a VPN session going with a Watchguard firewall. I cannot seem to get it connected.

When reviewing the Watchguard site for details, they indicate that port 1723 TCP traffic must be open, and port 47 IP (I assume this means udp) must be open.

I issued these commands to the PIX:

static (inside,outside) udp interface 47 10.17.9.99 47 netmask 255.255.255.255

static (inside,outside) tcp interface 1723 10.17.9.99 1723 netmask 255.255.255.255

I have tried NUMEROUS access-list commands, and none work... What access-list commands do I need?

I do already have the access-group command in place, and all of my other access-list 100 commands work for other internal resources, etc.

Thanks!
Dave
 
In my experience, port redirection and PAT play havoc with many client based VPNs. So I believe you're going to have to use a one-to-one static mapping to make this work--and you can't do that with the Outside interface, unless you want to kill the Internet for all but that machine.
I don't know how many external IPs you have to work with, but try mapping an external IP--other than the Interface--to the internal PC (10.17.9.99) and changing your ACL statements accordingly.

Roland

What's ADD again?
 
I was thinking that too... I will give it a shot tomorrow at work. Thanks!

Dave
 
It's not port 47. It's protocol 47, which is GRE. This is neither TCP nor UDP. So the client is presumably making a PPTP connection to the Watchguard box.

Have a read of this; it tells you everything you need to know.


CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
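To make the two replies above concrete, here is an added example (not from the thread, not Cisco code) that models the two `static` entries Dave posted against the two flows a PPTP session needs at the outside interface: the TCP/1723 control connection and the GRE tunnel. The `Static` class, `build_ipv4`, the sample packets and the source address 192.0.2.10 are constructed assumptions for illustration; only the inside host 10.17.9.99 and the posted entries come from the thread. It shows why `static ... udp interface 47 ...` can never match a GRE packet (GRE has no port, it is the value 47 in the IPv4 protocol field), and why a one-to-one static of the kind Roland suggests, which forwards every IP protocol, does cover it. The PIX would additionally need an access-list entry permitting GRE to that host; the model below only covers the address translation side.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers. PPTP uses a TCP/1723 control channel plus a GRE
# tunnel; GRE is protocol number 47 in the IPv4 header, not a port.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47


@dataclass(frozen=True)
class Flow:
    proto: int               # IPv4 header protocol field
    dst_port: Optional[int]  # transport destination port; None for port-less protocols


def parse_ipv4(packet: bytes) -> Flow:
    """Read the protocol field and, for TCP/UDP only, the destination port."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes
    proto = packet[9]                 # protocol field sits at offset 9
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        _src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
        return Flow(proto, dst_port)
    return Flow(proto, None)          # GRE and other protocols without ports


def build_ipv4(proto: int, dst_port: Optional[int] = None) -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options, zero checksum)
    from 192.0.2.10 to 10.17.9.99, plus a 4-byte src/dst port stub if a port is given."""
    payload = struct.pack("!HH", 40000, dst_port) if dst_port is not None else b""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([10, 17, 9, 99]))
    return header + payload


@dataclass(frozen=True)
class Static:
    """Hypothetical model of a PIX 'static (inside,outside)' entry.
    proto and port set: port-redirect form ('static ... tcp interface 1723 ...').
    both None: one-to-one form, which forwards every IP protocol to the host."""
    proto: Optional[int]
    port: Optional[int]

    def matches(self, flow: Flow) -> bool:
        if self.proto is None:
            return True  # one-to-one mapping: any protocol, any port
        return flow.proto == self.proto and flow.dst_port == self.port


# The two entries from the original post, as modelled here.
POSTED_STATICS: List[Static] = [Static(PROTO_UDP, 47), Static(PROTO_TCP, 1723)]
# A spare external address mapped one-to-one to 10.17.9.99 (Roland's suggestion).
ONE_TO_ONE_STATIC: List[Static] = [Static(None, None)]

# The two flows arriving at the outside interface for the PPTP client.
PPTP_FLOWS: Dict[str, bytes] = {
    "control tcp/1723": build_ipv4(PROTO_TCP, 1723),
    "tunnel gre (protocol 47)": build_ipv4(PROTO_GRE),
}


def pptp_coverage(statics: List[Static]) -> Dict[str, bool]:
    """For each PPTP flow, report whether any static entry forwards it inside."""
    return {name: any(s.matches(parse_ipv4(pkt)) for s in statics)
            for name, pkt in PPTP_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("posted statics", POSTED_STATICS),
                         ("one-to-one static", ONE_TO_ONE_STATIC)):
        print(label, pptp_coverage(rules))
```

Running it reports the control channel as covered under both rule sets but the GRE tunnel as covered only by the one-to-one static, which is the mismatch the PIX log would show as the tunnel never being translated to the inside host.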
 
Oh yeah.. THIS is going to do it! Thanks for the link, this is EXACTLY what I am trying to do. I will give it a go tomorrow at work.

Thanks!
 