01-09-2008 10:08 AM - edited 03-11-2019 04:45 AM
I've followed all of the directions stated in the Cisco tutorial about this; however, it does not work. Some of the recommended commands return an error, such as:
fixup protocol pptp 1723 -> "bad protocol pptp". Maybe pptp is not supported. Here is a show config with addresses replaced as follows:
Pix outside interface = outside intf
static public address mapped to inside server= mapped
inside server actual address= server
internet address permitted access = internet
I realize there are probably some wrong statements in here; I have been trying different things. As of now, I get no response when trying to VPN to the inside server. I was also trying to RDP to the server. I've verified web connectivity through the interfaces from inside to out. I was also able to VPN and RDP to the server from within the LAN to verify that was working correctly.
Result of PIX command: "show config"
: Saved
: Written by at 10:30:46.894 UTC Wed Jan 9 2008
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd
hostname
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list t1_access_in permit tcp host "mapped" host "mapped"
access-list t1_access_in permit tcp host "mapped" eq 1723 host "mapped" eq 1723
access-list t1_access_in permit gre "wan base network address" 255.255.255.2xx host "mapped"
access-list t1_access_in permit tcp host "mapped" eq 3389 host "mapped" eq 3389
access-list t1 permit tcp host "internet" host "mapped" eq 3389
access-list t1 permit tcp host "internet" eq 1723 host "mapped" eq 1723
access-list t1 permit gre host "internet" host "mapped"
pager lines 24
logging trap informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo-reply t1
icmp permit any echo t1
icmp permit any echo-reply inside
icmp permit any echo inside
mtu t1 1500
mtu inside 1500
mtu intf2 1500
ip address t1 "outside intf" 255.255.255.x
ip address inside x.x.x.x 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.x inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location "outside intf" 255.255.255.255 t1
pdm location "wan gateway" 255.255.255.255 t1
pdm location "server" 255.255.255.255 inside
pdm location "mapped" 255.255.255.255 t1
pdm history enable
arp timeout 14400
global (t1) 1 interface
global (t1) 2 "this is a WAN-usable IP but I think it's wrong"
nat (inside) 1 x.x.x.0 255.255.255.0 0 0
static (inside,t1) "mapped" "server" netmask 255.255.255.255 0 0
access-group t1_access_in in interface t1
route t1 0.0.0.0 0.0.0.0 "wan gateway" 1
route t1 "outside intf" 255.255.255.255 "wan gateway" 1
route inside x.x.x.254 255.255.255.255 "outside intf" 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http "inside base network address" 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet "base network address" 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 pptp echo 60
vpdn enable inside
username
terminal width 80
Cryptochecksum
01-09-2008 10:29 AM
The fixup protocol pptp feature was introduced in version 6.3. Go over this link, which explains it for PIXes running 6.2 and earlier code. Perhaps it's time to upgrade your code.
Try this; if there are problems, post the results so we can help out.
Rgds
Jorge
01-09-2008 11:16 AM
I see. Thank you very much, I will try that and repost.
01-09-2008 11:28 AM
Yeah, I've looked at that page. As far as I know, I've entered those commands except for "access-group t1 in interface t1 " It still doesn't work. Maybe the syntax or usage is wrong. I'm thinking this applies the rule to the outside interface (t1). I know since my version is too old I must enable both pptp and gre, which I think I have, you can see it in the show config above.
01-09-2008 11:44 AM
Okay, apparently the RDP I was trying to do from outside in is working now!! :) I wonder what's stopping the VPN?
01-09-2008 11:59 AM
I'm just concerned because I had to permit RDP from a specific address only; it wouldn't let me permit it using "any" in the access list. It says "invalid ip address any".
01-10-2008 01:21 PM
I figured it out. It was an access-list and access-group setting.
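The thread ends with the poster finding an access-list and access-group problem, which is exactly the kind of thing that can be checked mechanically rather than by staring at a config. The Python below is an added example, not part of this thread and not a Cisco tool: it parses a PIX 6.x "show config" dump, finds the access-list that access-group binds to the outside interface, and reports what is missing for PPTP passthrough to a static-NAT host on a box that has no pptp fixup (6.2 and earlier): TCP/1723 and GRE must be permitted to the mapped address in the bound ACL, the client's source port must be left unconstrained (PPTP clients connect from an ephemeral port, so a rule like host CLIENT eq 1723 host MAPPED eq 1723 never matches), and any ACL that is defined but never applied is flagged. The two configs are constructed: SAMPLE_CONFIG reproduces the shape of the posted rules with the redacted values replaced by RFC 5737 documentation addresses (an assumption, not the poster's real ones), and FIXED_CONFIG is my corrected version of the same rules, not something the poster shared.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's posted config. Placeholders are replaced
# with RFC 5737 documentation addresses (assumption): 203.0.113.10 = "mapped",
# 10.0.0.5 = "server", 192.0.2.25 = "internet", 198.51.100.0/24 = WAN base network.
SAMPLE_CONFIG = """\
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
access-list t1_access_in permit tcp host 203.0.113.10 host 203.0.113.10
access-list t1_access_in permit tcp host 203.0.113.10 eq 1723 host 203.0.113.10 eq 1723
access-list t1_access_in permit gre 198.51.100.0 255.255.255.0 host 203.0.113.10
access-list t1_access_in permit tcp host 203.0.113.10 eq 3389 host 203.0.113.10 eq 3389
access-list t1 permit tcp host 192.0.2.25 host 203.0.113.10 eq 3389
access-list t1 permit tcp host 192.0.2.25 eq 1723 host 203.0.113.10 eq 1723
access-list t1 permit gre host 192.0.2.25 host 203.0.113.10
static (inside,t1) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 0 0
access-group t1_access_in in interface t1
"""

# Corrected version (my own, not from the thread): TCP/1723 and GRE to the mapped
# address with no source-port restriction, and the ACL actually bound to the outside interface.
FIXED_CONFIG = """\
PIX Version 6.2(1)
nameif ethernet0 t1 security0
nameif ethernet1 inside security100
access-list t1 permit tcp host 192.0.2.25 host 203.0.113.10 eq 3389
access-list t1 permit tcp host 192.0.2.25 host 203.0.113.10 eq 1723
access-list t1 permit gre host 192.0.2.25 host 203.0.113.10
static (inside,t1) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 0 0
access-group t1 in interface t1
"""


@dataclass
class Ace:
    acl: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]


def _addr(t, i):
    """Consume one PIX address spec (any | host X | NET MASK) starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def _port(t, i):
    """Consume an optional 'eq PORT' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i


def parse_aces(config):
    """Return the permit ACEs of every access-list in a PIX 6.x 'show config' dump."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append(Ace(t[1], t[3], src, sport, dst, dport))
    return aces


def check_pptp_passthrough(config, outside_if="t1"):
    """Return (code, message) findings for PPTP passthrough to static-NAT hosts on outside_if."""
    findings = []
    m = re.search(r"PIX Version (\d+)\.(\d+)", config)
    if m and (int(m.group(1)), int(m.group(2))) < (6, 3) and "fixup protocol pptp" in config:
        findings.append(("FIXUP_UNSUPPORTED", "fixup protocol pptp needs PIX 6.3 or later"))
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    acl = next((name for name, ifc in bound.items() if ifc == outside_if), None)
    if acl is None:
        findings.append(("NO_ACCESS_GROUP", f"no access-group applied to {outside_if}"))
        return findings
    mapped = [mp for _, out, mp, _ in
              re.findall(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask", config, re.M)
              if out == outside_if]
    aces = parse_aces(config)
    outside_aces = [a for a in aces if a.acl == acl]
    for host in mapped:
        for a in outside_aces:
            if a.dst != host:
                continue
            if a.sport == "1723":
                findings.append(("SRC_PORT_1723", f"{acl}: PPTP clients use an ephemeral source port; drop the source 'eq 1723'"))
            if a.src == host:
                findings.append(("SRC_IS_MAPPED", f"{acl}: source is the mapped host itself; use the client address"))
        if not any(a.proto == "tcp" and a.dst == host and a.dport == "1723" and a.sport is None and a.src != host
                   for a in outside_aces):
            findings.append(("MISSING_TCP_1723", f"{acl}: no usable 'permit tcp <client> host {host} eq 1723'"))
        if not any(a.proto == "gre" and a.dst == host and a.src != host for a in outside_aces):
            findings.append(("MISSING_GRE", f"{acl}: no usable 'permit gre <client> host {host}'"))
    for name in sorted({a.acl for a in aces} - set(bound)):
        findings.append(("ACL_UNBOUND", f"access-list {name} is defined but never applied with access-group"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in check_pptp_passthrough(cfg) or [("OK", "PPTP passthrough rules look complete")]:
            print(f"{code}: {msg}")
```

Run against the sample shaped like the posted config, the checker reports the self-referencing source addresses in t1_access_in, the source-port "eq 1723" restriction, the absence of a usable TCP/1723 permit in the ACL that is actually bound, and the t1 ACL that carries the right GRE rule but is never applied; against FIXED_CONFIG it reports nothing. It only looks at the outside ACL and the static: sysopt connection permit-ipsec does not help here, since it bypasses the ACL for IPsec traffic only, not for PPTP's TCP control channel or GRE.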