I would like to establish a PPTP VPN from behind a Pix firewall ver 6.3 to a Windows 2003 RAS server.
I have enabled 1723 and 47 with a static statement and an access list, and re-applied the access group. I am not sure what I am missing. If you notice my config, my ftp and 8080 work great. The PPTP source is a system running on the inside network. I set up PPTP in my object group. Do I need UDP too? I am pretty sure my static statement is wrong, but cannot find the correct syntax. Here is that attempt:
access-list outside_access_in permit tcp any any eq 1723
access-list outside_access_in permit gre any any
static (inside,outside) tcp interface 1723 xxxxxxxxxx 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 xxxxxxxxxx 47 netmask 255.255.255.255 0 0
Below is the config:
Code:
pix# wr t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security50
enable password ixxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
object-group service general-outbound tcp
description outbound tcp ports alllowed for internal clients
port-object eq whois
port-object eq 8080
port-object eq h323
port-object eq telnet
port-object eq domain
port-object eq 81
port-object eq smtp
port-object eq ssh
port-object eq ftp-data
port-object eq pop3
port-object eq 3389
port-object eq pptp
port-object eq ldap
port-object eq ftp
port-object eq nntp
port-object eq www
port-object eq https
port-object eq echo
object-group service general-outbound-udp udp
description outound udp ports for internal clients
port-object eq pcanywhere-status
port-object eq echo
port-object eq 10000
port-object eq isakmp
port-object eq ntp
port-object eq 4500
port-object eq domain
access-list nonat permit ip any xxxxxxxxxxxx 255.255.255.xxx
access-list outside_cryptomap_dyn_40 permit ip any xxxxxxxxxxxxxxx 255.255.255.xxx
access-list inside_access_out permit tcp xxxxxxxxxx 255.255.255.0 any object-group general-outbound
access-list inside_access_out permit udp xxxxxxxxxx 255.255.255.0 any object-group general-outbound-udp
access-list inside_access_out permit icmp any any echo-reply
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 8080
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq 1723
access-list outside_access_in permit gre any any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside xxxxxxxxxxx
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
ip address outside dhcp setroute
ip address inside xxxxxxxxxx 255.255.255.0
ip address DMZ1 xxxxxxxxxxxx 255.255.255.0
ip address DMZ2 xxxxxxxxxxx 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip local pool testPool xxxxxxxxxxxxxxxxxxxxxxxxxxx mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ1
no failover ip address DMZ2
arp timeout 14400
global (outside) 1 interface
global (DMZ1) 1 172.16.1.254
global (DMZ2) 1 172.16.2.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 xxxxxxxxxx 255.255.255.0 0 0
nat (DMZ2) 1 xxxxxxxxxx 255.255.255.0 0 0
static (DMZ1,outside) tcp interface ftp xxxxxxxxxx ftp netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp interface 8080 xxxxxxxxx 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 xxxxxxxxxx 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 xxxxxxxxxx 47 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server xxxxxxxxxxxx source outside prefer
http server enable
http xxxxxxxxxx 255.255.255.0 inside
snmp-server location Lab
snmp-server contact xxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-MD5
crypto map outside-map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool xxxxxxxxxxx
vpngroup test dns-server xxxxxxxxxxxxxxxxx
vpngroup test wins-server xxxxxxxxxxxxxxxx
vpngroup test default-domain xxxxxxxxxxxxxxxxx
vpngroup test idle-time 1800
vpngroup test password xxxxxxxxxxxxxxx
telnet xxxxxxxxxx 255.255.255.0 inside
telnet timeout 5
management-access inside
console timeout 0
dhcpd address xxxxxxxxx inside
dhcpd dns xxxxxxxxxxxxxxxxxx
dhcpd wins xxxxxxxxxxxxxxx
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxxxxxxxxxxx
dhcpd enable inside
username xxxxxxxxxxxx password xxxxxxxxxxxxx encrypted privilege 15
terminal width 80
banner exec This is a monitored system, unauthorized access is prohibited.
banner exec Go away!
banner login This is a monitored system, unauthorized access is prohibited.
banner login Go away!
banner motd Welcome to xxxxxxxxxxxxxxxx
banner motd Unauthorized access is frowned upon and will be reported to your ISP
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
[OK]
pix#
"Only the dead fish follow the stream"
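Added example, not part of the post above: the PIX 6.3 statements needed for PPTP pass-through to an inside RAS server when the outside interface is PAT'd as in the posted config. GRE is IP protocol 47 (no ports, no UDP), so a "tcp ... 47" static cannot match it; the PPTP fixup opens the GRE session through PAT instead. The RAS server address 192.168.1.10 is a placeholder for the redacted inside host.

```cisco
: Remove the static that tries to port-forward GRE as TCP port 47; GRE has no port number,
: so this line never matches any packet.
no static (inside,outside) tcp interface 47 192.168.1.10 47 netmask 255.255.255.255 0 0

: Enable PPTP inspection. The fixup tracks the TCP 1723 control channel and creates the
: matching GRE connection through the interface PAT, which plain statics cannot do for GRE.
fixup protocol pptp 1723

: Keep only the control-channel port forward to the RAS server (pptp == 1723).
static (inside,outside) tcp interface pptp 192.168.1.10 pptp netmask 255.255.255.255 0 0

: Inbound ACL entries already present in the post; the outside address is DHCP-assigned,
: hence the "any" destination. Restrict the source to known peer addresses where possible.
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-group outside_access_in in interface outside

: Verification while a client connects: the fixup should be listed, a TCP 1723 xlate/conn
: should appear for the RAS host, followed by a GRE conn once the tunnel comes up.
show fixup
show xlate
show conn
```

If `show conn` shows the TCP 1723 connection but never a GRE entry, the GRE leg is the part being dropped; `logging trap informational` in the posted config will show the denied packet on the syslog host.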