Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 501 PPTP Remote Access Question 1

Status
Not open for further replies.
grasscutter

grasscutter

Technical User
Jul 26, 2006
10
GB
Hello There,

I have set up my pix 501 as shown below and smtp and rdp connections work but a cannot get the pptp for otlook webaccess or remote microsoft vpn connections.
This is confusing for me since when i show the access-lists i get a hit count which suggests that access is getting through to the PIX but not the server as shown below...

pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list acl_out; 5 elements
access-list acl_out line 1 permit icmp any any (hitcnt=2498)
access-list acl_out line 2 permit tcp any host 217.46.235.185 eq smtp (hitcnt=956)
access-list acl_out line 3 permit tcp any host 217.46.235.185 eq access-list acl_out line 4 permit tcp any host 217.46.235.185 eq 3389 (hitcnt=50)
access-list acl_out line 5 permit tcp any host 217.46.235.185 eq pptp (hitcnt=6)
access-list acl_inside; 3 elements
access-list acl_inside line 1 permit tcp any any (hitcnt=16637)
access-list acl_inside line 2 permit udp any any (hitcnt=47252)
access-list acl_inside line 3 permit ip any any (hitcnt=4643)

....The full config is show below, any help to get pptp services running would be much appreaited.

Regards,

Grasscutter...

: Saved
: Written by enable_15 at 10:28:40.917 UTC Wed Aug 23 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 217.xx.xx.185 eq smtp
access-list acl_out permit tcp any host 217.xx.xx.185 eq www
access-list acl_out permit tcp any host 217.xx.xx.185 eq 3389
access-list acl_out permit tcp any host 217.xx.xx.185 eq pptp
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
access-list acl_inside permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 217.xx.xx.185 255.255.255.248
ip address inside 192.168.254.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 217.xx.xx.186 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 217.xx.xx.185 192.168.254.166 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 217.xx.xx.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:327ff19adb031f8b35c3ce974200d36d
: end
 
Sort by date Sort by votes
If you are getting hits on that component of the ACL then traffic is going through, I would double check the server. If it is 2003, you can have it only respond to specific ports based on source IP/subnet. You might have accidentally turned this on (check under firewall exceptions and I think it is under an advanced button.)

This ACL
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
access-list acl_inside permit ip any any
Doesn't really do anything for you - I would just take it off for now.

As a final test, put a sniffer (ethereal) internally and see what is coming out the PIX and where it is going.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Many Thanks Supergrrover,

This is a great help.

I was given a range of addresses i could use from the ISP 217.xx.xx.185 255.255.255.248 meaning subnet 184 and checking their MX record i could see 185 was their exchange server.

So initially i set my outside ip address as 185 and used global nat set to 185 as well....i.e

ip address outside 217.xx.xx.185 255.255.255.248
global (outside) 1 217.xx.xx.185 netmask 255.255.255.248

access-list acl_out permit tcp any host 217.xx.xx.185 eq smtp
access-list acl_out permit tcp any host 217.xx.xx.185 eq www
access-list acl_out permit tcp any host 217.xx.xx.185 eq 3389
access-list acl_out permit tcp any host 217.xx.xx.185 eq pptp

...this stopped intenet web access but seemed to work for email inbound and outbound. Only when i set the global address to 186 did email and internet access start working....i.e

ip address outside 217.xx.xx.185 255.255.255.248
global (outside) 1 217.xx.xx.186 netmask 255.255.255.248

access-list acl_out permit tcp any host 217.xx.xx.185 eq smtp
access-list acl_out permit tcp any host 217.xx.xx.185 eq www
access-list acl_out permit tcp any host 217.xx.xx.185 eq 3389
access-list acl_out permit tcp any host 217.xx.xx.185 eq pptp

...Could anyone explain why this is?

And also could i use my other external addresses such as 187, 188 and 189 for static translations to other servers?

Any help would be greatly appreaited.

Regards,

Grasscutter.
 
Upvote 0 Downvote
You can use the other IPs in your subnet for other servers.
Either by using directing all traffic from the external IP to the Internal IP or by using policy NAT - only certain ports of external IPs go to certai ports of internal IPs
static (inside,outside) tcp 217.xx.xx.185 [port#] 192.168.254.166 [port#] netmask 255.255.255.255 0 0

When you
ip address outside 217.xx.xx.185 255.255.255.248
global (outside) 1 217.xx.xx.185 netmask 255.255.255.248
static (inside,outside) 217.xx.xx.185 192.168.254.166 netmask 255.255.255.255 0 0

The Static overrides the global/NAT pair. It sends all traffic to the internal IP listed in the static (192.168.254.166.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
848
intel233
intel233
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
211
xwray
xwray
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
777
nnaarrnn
nnaarrnn
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
220
gbayi_omo
gbayi_omo

Part and Inventory Search

Sponsor

Back
Top