VPN issues with Windows-based VPN

Nov 29th, 2007

Hi

I am trying to connect to my office from home through a Windows-based VPN (Win 2003 and Win XP) and have issues with it. I have a PIX 506E firewall in the office and there is no firewall at home.

Can someone advise what other configuration is needed on the PIX firewall to achieve this? I have opened ports 1723 and 500 on the PIX firewall for external access and configured the office PIX as below:

access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn-clients 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 102
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-clients
vpdn group 1 client authentication local
vpdn enable outside

I will be authenticating with my domain username and password.

my network - 172.16.x.x

office network - 10.10.10.x

vpn client network assigned on pix - 192.168.1.x

Your early response is appreciated.

Thank you

venkat

kagodfrey Fri, 11/30/2007 - 01:16

Hi Venkat

You state you wish to use some sort of AAA authentication in order to authenticate against your domain credentials, but you have configured the VPN to use local client authentication without supplying it with a username and password, such as:

vpdn username cisco password cisco

The following link should get you started with enabling AAA for PPTP VPN:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

HTH

Kev

sarat1317 Fri, 11/30/2007 - 07:03

Hi Kev

Thanks for your response. I guess I am making a mistake here. Actually I am just using my domain name and password to get authenticated, which is through the Win 2003 SBS server. So I don't think I need

vpdn group 1 client authentication local
vpdn username cisco password cisco

(But again, I tried this as well and it didn't work.)

But do I have to use any command for windows based authentication?

I have created a VPN connection and on Properties, I have the tabs as below:

General - public IP of office Internet

Options - all are checked on dialing options (display progress, prompt for name & pwd, include Windows logon domain)

Security - typical; required secured password under "validate my identity"; automatically use my Windows logon name, pwd - unchecked; require data encryption - unchecked

Networking - PPTP VPN (type of VPN)

Advanced - Win firewall is off; Internet connection sharing - unchecked

Please advise

kagodfrey Fri, 11/30/2007 - 09:12

Hi

Having re-read your original post, I have a few further thoughts as to why it will not work. You do not need to open 1723 and 500 on the pix, your vpdn configuration allows pptp to bypass conduit/acl checks when it is enabled (the sysopt connection permit-pptp command). However, I think you do need to ensure you have permitted 1723 outbound (likely) and GRE (protocol 47) inbound (unlikely), and that you are using a 1-to-1 static NAT translation between your inside private address on your 172.16.0.0 network and (one of) your public address on your outside block.

If you only have PAT and are not able to configure a static NAT entry then I don't think it will work. The alternative would be to configure a NAT-T aware IPSEC VPN tunnel to the Pix using the Cisco VPN Client, which will happily work with PAT - details of how to configure this can be found here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

and nat-t here:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1057446

Regards

Kev
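A config check for the points Kev raises here and in his first reply (local client authentication with no `vpdn username` entry, plus the `sysopt connection permit-pptp` and `vpdn enable` lines, and PAP left enabled), as an added Python example that is not part of the thread or of any Cisco tool; it parses the poster's own snippet, embedded below as a constructed sample:

```python
"""Audit a PIX 6.x PPTP (vpdn) config for the gaps discussed in the thread.
Added example, not Cisco's or the thread's code. Reports local client
authentication with no 'vpdn username' entries, PAP enabled (cleartext),
and missing 'sysopt connection permit-pptp' / 'vpdn enable <if>' lines."""
import re

# Constructed sample: the poster's configuration as shown in the thread.
SAMPLE_CONFIG = """\
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn-clients 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 102
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-clients
vpdn group 1 client authentication local
vpdn enable outside
"""

def audit_pptp_config(config: str) -> list[str]:
    """Return findings as strings; an empty list means nothing flagged."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, groups, usernames = [], {}, 0
    for line in lines:
        m = re.match(r"vpdn group (\S+) (.+)", line)
        if m:
            g = groups.setdefault(m.group(1), {"local": False, "auth": set()})
            rest = m.group(2)
            if rest.startswith("ppp authentication "):
                g["auth"].add(rest.split()[-1])  # pap / chap / mschap
            elif rest == "client authentication local":
                g["local"] = True
        elif re.match(r"vpdn username \S+ password \S+", line):
            usernames += 1
    for gid, g in groups.items():
        if g["local"] and usernames == 0:
            findings.append(f"group {gid}: local client authentication but no 'vpdn username'")
        if "pap" in g["auth"]:
            findings.append(f"group {gid}: PAP enabled (password sent in cleartext)")
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing 'sysopt connection permit-pptp'")
    if not any(l.startswith("vpdn enable ") for l in lines):
        findings.append("no 'vpdn enable <interface>' line")
    return findings

if __name__ == "__main__":
    for f in audit_pptp_config(SAMPLE_CONFIG):
        print(f)
```

Paste a `show running-config` excerpt in place of the sample to check a live box; the static NAT requirement on the client side cannot be seen from the PIX config and still has to be verified separately.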

sarat1317 Fri, 11/30/2007 - 09:49

Hi Kev

I did not expect that this is so critical, or maybe it is just critical for me. I have attached the config here. It worked pretty well when the Linksys router was in place and I have had just these issues after replacing it with the PIX. Unfortunately I don't have much time and I may have to revert back if this doesn't work in the next few hours.

I am not sure if I am making some basic mistakes here about the user authentication etc. When I enable logging, I am getting this message: PPTP: Call id 32975, no session

Can you please check the config and advise? I am looking at other solutions now. Right now I am not using any Cisco VPN client. I guess these are not free, right?

Thanks for all your time

sarat1317 Fri, 11/30/2007 - 11:47

Hi Kev

I have removed the static translations for PPTP and authentication is done locally by PIX and that worked.

Thanks for your time and help
