Permitting PPTP through PIX 515

Answered Question
Jan 9th, 2008

I've followed all of the directions stated in the Cisco tutorial about this, however it does not work. Some of the recommended commands return an error, such as:

fixup protocol pptp 1723, "bad protocol pptp". Maybe pptp is not supported. Here is a show config with addresses replaced as follows:

Pix outside interface = outside intf
static public address mapped to inside server = mapped
inside server actual address = server
internet address permitted access = internet

I realize there are probably some wrong statements in here; I have been trying different things. As of now, I get no response when trying to VPN to the inside server. I was also trying to RDP to the server. I've verified web connectivity through the interfaces from inside to out. I was also able to VPN and RDP to the server from within a LAN to verify that was working correctly.

Result of PIX command: "show config"

: Saved
: Written by at 10:30:46.894 UTC Wed Jan 9 2008
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd
hostname
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list t1_access_in permit tcp host "mapped" host "mapped"
access-list t1_access_in permit tcp host "mapped" eq 1723 host "mapped" eq 1723
access-list t1_access_in permit gre "wan base network address" 255.255.255.2xx host "mapped"
access-list t1_access_in permit tcp host "mapped" eq 3389 host "mapped" eq 3389
access-list t1 permit tcp host "internet" host "mapped" eq 3389
access-list t1 permit tcp host "internet" eq 1723 host "mapped" eq 1723
access-list t1 permit gre host "internet" host "mapped"
pager lines 24
logging trap informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo-reply t1
icmp permit any echo t1
icmp permit any echo-reply inside
icmp permit any echo inside
mtu t1 1500
mtu inside 1500
mtu intf2 1500
ip address t1 "outside intf" 255.255.255.x
ip address inside x.x.x.x 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.x inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location "outside intf" 255.255.255.255 t1
pdm location "wan gateway" 255.255.255.255 t1
pdm location "server" 255.255.255.255 inside
pdm location "mapped" 255.255.255.255 t1
pdm history enable
arp timeout 14400
global (t1) 1 interface
global (t1) 2 "this is a wan usable ip but I think its wrong"
nat (inside) 1 x.x.x.0 255.255.255.0 0 0
static (inside,t1) "mapped" "server" netmask 255.255.255.255 0 0
access-group t1_access_in in interface t1
route t1 0.0.0.0 0.0.0.0 "wan gateway" 1
route t1 "outside intf" 255.255.255.255 "wan gateway" 1
route inside x.x.x.254 255.255.255.255 "outside intf" 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http "inside base network address" 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet "base network address" 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 pptp echo 60
vpdn enable inside
username
terminal width 80
Cryptochecksum

Correct Answer by JORGE RODRIGUEZ about 8 years 11 months ago

The fixup protocol pptp feature was introduced in version 6.3. Go over this link, which explains it for PIXes running 6.2 and earlier code. Perhaps it is time to upgrade your code.

Try this; if there are problems, post the results to help out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#intro

Rgds

Jorge

attrib7575 Wed, 01/09/2008 - 11:28

Yeah, I've looked at that page. As far as I know, I've entered those commands except for "access-group t1 in interface t1". It still doesn't work. Maybe the syntax or usage is wrong. I'm thinking this applies the rule to the outside interface (t1). I know that since my version is too old I must enable both pptp and gre, which I think I have; you can see it in the show config above.

attrib7575 Wed, 01/09/2008 - 11:44

Okay, apparently the RDP I was trying to do from outside in is working now!! :) Wonder what's stopping the VPN?

attrib7575 Wed, 01/09/2008 - 11:59

I'm just concerned because I had to permit RDP from a specific address only; it wouldn't let me permit it using "any" in the access list. It says "invalid ip address any".

attrib7575 Thu, 01/10/2008 - 13:21

I figured it out. It was an access-list and access-group setting.
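To make the access-list/access-group dependency behind that fix concrete, here is an added Python audit (not from the thread, Cisco, or the poster) that parses the access-list, static and access-group lines of a PIX 6.x config and reports why PPTP would not reach the mapped server. The sample config and its RFC 5737 addresses are constructed to mirror the one posted above; the helper names and the rule set are assumptions of this example.

```python
# PPTP pass-through on PIX 6.x needs TCP/1723 and GRE permitted to the static-mapped address
# in the ACL bound to the outside interface (6.2 has no 'fixup protocol pptp' to open GRE).
MAPPED, CLIENT = "203.0.113.10", "198.51.100.5"   # constructed RFC 5737 addresses
SAMPLE = f"""access-list t1_access_in permit tcp host {MAPPED} host {MAPPED}
access-list t1_access_in permit tcp host {MAPPED} eq 1723 host {MAPPED} eq 1723
access-list t1_access_in permit gre 198.51.100.0 255.255.255.0 host {MAPPED}
access-list t1 permit tcp host {CLIENT} host {MAPPED} eq 1723
access-list t1 permit gre host {CLIENT} host {MAPPED}
static (inside,t1) {MAPPED} 10.0.0.20 netmask 255.255.255.255 0 0
access-group t1_access_in in interface t1"""

def _addr(t, i):  # parse 'any' | 'host X' | 'X MASK' at t[i] -> ((addr, mask), next i)
    if t[i] == "any": return ("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host": return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2
def _port(t, i):  # optional 'eq N' at t[i] -> (port or None, next i)
    return (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else (None, i)
def _covers(spec, ip):  # True if the (addr, mask) network contains ip
    a, m, p = (list(map(int, s.split("."))) for s in (*spec, ip))
    return all(x & y == z & y for x, y, z in zip(a, m, p))

def parse_config(text):
    acls, bound, statics = {}, {}, []
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4); _, i = _port(t, i)        # source port is ignored
            dst, i = _addr(t, i); dport, _ = _port(t, i)
            acls.setdefault(t[1], []).append((t[3], src, dst, dport))
        elif t[0] == "access-group":
            bound[t[4]] = t[1]        # interface -> ACL applied to it
        elif t[0] == "static":
            statics.append(t[2])      # mapped (outside) address of the inside server
    return acls, bound, statics

def audit_pptp(text, outside_if):  # -> list of problems; empty means PPTP can reach the server
    acls, bound, statics = parse_config(text)
    acl = bound.get(outside_if)
    if acl is None:
        return [f"no access-group applied to interface {outside_if}"]
    problems = [f"access-list {n} is defined but never applied" for n in acls if n not in bound.values()]
    for mapped in statics:
        aces = acls.get(acl, [])
        tcp = [a for a in aces if a[0] == "tcp" and _covers(a[2], mapped) and a[3] in (None, "1723")]
        if not tcp:
            problems.append(f"{acl}: no tcp/1723 permit to {mapped}")
        elif all(a[1] == (mapped, "255.255.255.255") for a in tcp):
            problems.append(f"{acl}: tcp/1723 rules to {mapped} are sourced from the mapped host itself")
        if not any(a[0] == "gre" and _covers(a[2], mapped) for a in aces):
            problems.append(f"{acl}: no gre permit to {mapped}")
    return problems
```

Running `audit_pptp(SAMPLE, "t1")` flags both issues from the posted config: the ACL with the usable rules (t1) is never applied, and the applied ACL's 1723 rule is sourced from the mapped host itself; rebinding access-group to t1 clears the PPTP findings.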
