11-29-2007 04:17 PM - edited 03-11-2019 04:37 AM
Hi
I am trying to connect to my office from home through a Windows-based VPN (Win 2003 and Win XP) and have issues with it. I have a PIX 506E firewall in the office and there is no firewall at home.
Can someone advise what other configuration is needed on the PIX firewall to achieve this? I have opened ports 1723, 500 on the PIX firewall for external access and configured the office PIX as below:
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn-clients 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 102
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-clients
vpdn group 1 client authentication local
vpdn enable outside
I will be authenticating with my domain username and password.
my network - 172.16.x.x
office network - 10.10.10.x
vpn client network assigned on pix - 192.168.1.x
Your early response is appreciated.
Thank you
venkat
11-30-2007 01:16 AM
Hi Venkat
You state you wish to use some sort of AAA authentication in order to authenticate against your domain credentials, but you have configured the VPN to use local client authentication without supplying it with a username and password, such as:
vpdn username cisco password cisco
The following link should get you started with enabling AAA for PPTP VPN:
HTH
Kev
11-30-2007 07:03 AM
Hi Kev
Thanks for your response. I guess I am making a mistake here. Actually I am just using my domain name and password to get authenticated, which is through the Win 2003 SBS server. So I don't think I need
vpdn group 1 client authentication local
vpdn username cisco password cisco
(But again, I tried this as well and it didn't work.)
But do I have to use any command for Windows-based authentication?
I have created a VPN connection and on properties, I have the tabs as below:
General - public IP of office Internet
Options - all are checked on dialing options
(display progress, prompt for name & pwd, include windows logon domain)
Security - typical
required secured password under validate my identity
automatically use my windows logon name, pwd - unchecked
require data encryption - unchecked
networking - PPTP VPN (type of VPN)
Advanced - win firewall is off
internet connection sharing - unchecked
Please advise
11-30-2007 09:12 AM
Hi
Having re-read your original post, I have a few further thoughts as to why it will not work. You do not need to open 1723 and 500 on the pix, your vpdn configuration allows pptp to bypass conduit/acl checks when it is enabled (the sysopt connection permit-pptp command). However, I think you do need to ensure you have permitted 1723 outbound (likely) and GRE (protocol 47) inbound (unlikely), and that you are using a 1-to-1 static NAT translation between your inside private address on your 172.16.0.0 network and (one of) your public address on your outside block.
If you only have PAT and are not able to configure a static NAT entry then I don't think it will work. The alternative would be to configure a NAT-T aware IPsec VPN tunnel to the PIX using the Cisco VPN Client, which will happily work with PAT - details of how to configure this can be found here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
and nat-t here:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1057446
Regards
Kev
11-30-2007 09:49 AM
Hi Kev
I did not expect that this is so critical, or maybe it is just critical for me. I have attached the config here. It worked pretty well when the Linksys router was in place, and I have had just these issues after replacing it with the PIX. Unfortunately I don't have much time and I may have to revert back if this doesn't work in the next few hours.
I am not sure if I am making some basic mistakes here about the user authentication etc. When I enable logging, I am getting this message: PPTP: Call id 32975, no session
Can you please check the config and advise? I am looking at other solutions now. Right now I am not using any Cisco VPN client. I guess these are not free, right?
Thanks for all your time
11-30-2007 11:47 AM
Hi Kev
I have removed the static translations for PPTP and authentication is done locally by PIX and that worked.
Thanks for your time and help
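One way to sanity-check a PIX 6.x PPTP configuration for the two pitfalls this thread turns on (local client authentication with no vpdn username defined, and a static translation that hands the outside interface address to an inside host so the PIX's own PPTP listener never sees the call), as an added Python example that is not part of the thread or of any Cisco tool. The config text is constructed from the poster's snippet; the static line and its inside address are placeholders.

```python
import re

# Constructed sample: the poster's PPTP config plus a static translation of the
# kind the thread ends up removing (10.10.10.5 is a placeholder inside host).
SAMPLE_CONFIG = """\
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn-clients 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 102
static (inside,outside) interface 10.10.10.5 netmask 255.255.255.255
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-clients
vpdn group 1 client authentication local
vpdn enable outside
"""

def lint_pptp_config(config):
    """Return a list of findings for a PIX 6.x config terminating PPTP itself."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings = []

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    # Without this, inbound PPTP/GRE to the PIX is subject to the outside ACL.
    if not has("sysopt connection permit-pptp"):
        findings.append("missing 'sysopt connection permit-pptp'")
    if not has("vpdn enable outside"):
        findings.append("missing 'vpdn enable outside'")
    for l in lines:
        # The address pool the vpdn group hands out must actually be defined.
        m = re.match(r"vpdn group \S+ client configuration address local (\S+)$", l)
        if m and not has("ip local pool %s " % m.group(1)):
            findings.append("vpdn group references undefined pool '%s'" % m.group(1))
        # The nat 0 exemption must point at an existing access-list.
        m = re.match(r"nat \(inside\) 0 access-list (\S+)$", l)
        if m and not has("access-list %s " % m.group(1)):
            findings.append("nat 0 references undefined access-list '%s'" % m.group(1))
        # A static using the outside interface address as the global address
        # redirects that address to an inside host, competing with the PIX's
        # own PPTP listener (heuristic drawn from the resolution in this thread).
        if re.match(r"static \(inside,outside\) (tcp |udp )?interface ", l):
            findings.append("static translation takes the outside address away from the PIX: %r" % l)
    # Local authentication needs at least one vpdn username/password pair.
    if any(re.match(r"vpdn group \S+ client authentication local$", l) for l in lines) and not has("vpdn username "):
        findings.append("local client authentication configured but no 'vpdn username ... password ...' defined")
    return findings
```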