PIX PPTP Server: Clients fails to login on windows domain

Jun 2nd, 2003
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --


Hi,

I've followed all the steps described in the document "How to Configure the Cisco Secure PIX Firewall to Use PPTP" and I have the PIX accepting PPTP connections and doing authentication via RADIUS. The problem is that client PCs can't log into the Windows NT domain. My local test network is 192.168.30.0/24 and the PIX puts PPTP users on network 172.16.30.0/16. I get the following debug output when the client tries to log in to the Windows domain:


Jun 02 2003 16:08:35: %PIX-6-603102: PPP virtual interface 1 - user: ING\test aaa authentication started
Jun 02 2003 16:08:41: %PIX-6-603103: PPP virtual interface 1 - user: ING\test aaa authentication succeed
Jun 02 2003 16:08:45: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 2, remote_peer_ip is 200.43.250.112, ppp_virtual_interface_id is 1, client_dynamic_ip is 172.16.30.10, username is ING\test, MPPE_key_strength is 40 bits
Jun 02 2003 16:08:45: %PIX-2-109011: Authen Session Start: user 'ING\test', sid 1
Jun 02 2003 16:08:49: %PIX-6-302015: Built inbound UDP connection 1 for outside:172.16.30.10/137 (172.16.30.10/137) to inside:192.168.30.1/137 (192.168.30.1/137) (ING\test)
Jun 02 2003 16:08:49: %PIX-6-609001: Built local-host inside:192.168.30.1
Jun 02 2003 16:08:53: %PIX-3-106011: Deny inbound (No xlate) udp src outside:172.16.30.10/138 dst outside:172.16.255.255/138


Following is the PIX configuration for reference:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password -- moderator edit-- encrypted
passwd -- moderator edit-- encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.30.0 255.255.255.0 172.16.30.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.30.5
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside -- moderator edit-- nnn.nn.nnn.225 255.255.255.192
ip address inside 192.168.30.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-users 172.16.30.10-172.16.30.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 -- moderator edit-- nnn.nn.nnn.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.30.3 cisco timeout 10
http server enable
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-users
vpdn group 1 client configuration wins 192.168.30.1
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside
dhcpd auto_config outside
terminal width 80


I'd appreciate your help. Thanks in advance,


hadbou Tue, 06/10/2003 - 06:55

This is a connection-related message. This message occurs when a packet is sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the PIX Firewall receives a packet, it tries to establish a translation slot based on the security policy you set with the global and ACL commands, and your routing policy set with the route command.

Failing both policies, PIX Firewall allows the packet to flow from the higher priority network to a lower priority network, if it is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, PIX Firewall routes the packet back to the same interface.

To provide access from an interface with a higher security to a lower security, use the nat and global commands. For example, use the nat command to let inside users access outside servers, to let inside users access perimeter servers, and to let perimeter users access outside servers.

To provide access from an interface with a lower security to higher security, use the static and ACL commands. For example, use the static and ACL commands to let outside users access inside servers, outside users access perimeter servers, or perimeter servers access inside servers.

Action: Fix your configuration to reflect your security policy for handling these attack events.
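As an added example (not part of hadbou's reply or the original thread), the following Python script triages the %PIX-3-106011 line from the question the way a defender would: it parses the deny, checks whether source and destination sit on the same interface, and infers from the destination broadcast address what subnet mask the PPTP client is actually using, so the alert can be classified as a VPN client's NetBIOS broadcast rather than a probe. The pool network 172.16.30.0/24 is taken from access-list 101 and the pptp-users pool in the posted configuration; the sample log lines are copied from the question.

```python
import ipaddress
import re

# Constructed sample input: the two relevant PIX 6.2 syslog lines quoted in the question.
SAMPLE_LOG = """\
Jun 02 2003 16:08:49: %PIX-6-302015: Built inbound UDP connection 1 for outside:172.16.30.10/137 (172.16.30.10/137) to inside:192.168.30.1/137 (192.168.30.1/137) (ING\\test)
Jun 02 2003 16:08:53: %PIX-3-106011: Deny inbound (No xlate) udp src outside:172.16.30.10/138 dst outside:172.16.255.255/138
"""

# The /24 that access-list 101 permits for the pptp-users pool (172.16.30.10-172.16.30.20).
POOL_NET = ipaddress.ip_network("172.16.30.0/24")
NETBIOS_PORTS = {137, 138, 139}

DENY_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_106011(line):
    """Return the fields of a %PIX-3-106011 'Deny inbound (No xlate)' line, else None."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def inferred_client_prefix(src, dst):
    """Prefix length of the smallest network containing src whose broadcast address is dst.
    Returns None when dst is not a broadcast address of any network containing src."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prefix in range(31, -1, -1):          # /32 has no broadcast, so start at /31
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if net.broadcast_address == dst:
            return prefix
    return None

def triage(line, pool_net=POOL_NET):
    """Classify one syslog line; None for lines that are not a 106011 deny."""
    ev = parse_106011(line)
    if ev is None:
        return None
    same_if = ev["sif"] == ev["dif"]
    src_in_pool = ipaddress.ip_address(ev["src"]) in pool_net
    prefix = inferred_client_prefix(ev["src"], ev["dst"])
    if same_if and src_in_pool and prefix is not None and int(ev["dport"]) in NETBIOS_PORTS:
        # A pool client broadcasting NetBIOS to a subnet wider than the pool's own /24:
        # the broadcast is routed back out the same interface, hence the deny.
        verdict = "netbios_broadcast_from_vpn_client"
    elif same_if:
        verdict = "same_interface_deny"        # traffic the policy never intended; investigate
    else:
        verdict = "no_xlate_deny"
    return {"verdict": verdict, "client_prefix": prefix, "pool_prefix": pool_net.prefixlen, **ev}

def triage_log(text, pool_net=POOL_NET):
    """Run triage over a block of syslog text and keep only the 106011 verdicts."""
    return [r for r in (triage(l, pool_net) for l in text.splitlines()) if r]
```

For the question's log this yields a client prefix of 16 against a pool prefix of 24, which is exactly the 172.16.30.0/16 the poster mentions: the client's broadcast domain is wider than the network the PIX expects pool addresses to live in.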

