passing W2K PPTP through PIX 6.0 to external address

rtober · ‎10-04-2001

I'm trying to establish a W2K pro PPTP tunnel through a PIX out to an external Multi-homed W2K server (across public internet). When I initiate the client (secure side of PIX) it contacts the external server and begins to authenticate but eventually times out. I've verified the client PPTP setup using an external dial-out account (bypassing my entire network) and it connects just fine.

My first guess is the PAT on the firewall is interfering with the W2K PPTP handshake - I know the Cisco Client allows for IPsec though NAT but I couldn't find anything like that in the W2K setup ...

Thanks,

Ryan

rtober · ‎10-04-2001

doh! I should have kept looking. A previous post ansered this question for me I think. PAT is the issue.

Let me know if you have any ideas on a work around ...

Thanks,

Ryan

pag · ‎10-08-2001

What was the solution for your problem. I'm having the same issue

rtober · ‎10-18-2001

Well right now I'm going to forget the internal client configuration because I don't want to short-circuit our DMZ and bring a direct connection straight through. I'm going to try a Lan-to-lan connection using our 3030. I've initiated lan-to-lan with 2 PIXs using IPsec but never with PPTP to a W2K server. Should be tons-O-fun.

jpoulos · ‎10-08-2001

You need to set up a conduit or access list through the firewall with a static ip address to the internal computer. The internal computer can send packets out, but the packets are blocked at the firewall from getting back in. I was told to open up ports for PPTP,(I can't remember what they were) but that didn't work. I ended up allowing TCP from host to host(from the IP address of the PC outside your network to the external(public) ip of the computer inside your network. I hope this helps, if you need more help I can post some configs.

jp

mconroy · ‎10-09-2001

I have tried allowing pptp access, with no luck, and would realy like to see your configs. What i have done: Created static 1-to-1 Nat translation, opened tcp eq 1723 & protocol 47 (gre) outbound and inbound.

static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255

access-list allow_outbound permit gre 10.0.0.0 255.0.0.0 any

access-list allow_outbound permit tcp 10.0.0.0 255.255.0.0 any eq 1723

access-list allow_inbound permit ip any host 12.x.x.x

access-list allow_inbound permit gre any host 12.x.x.x

access-list allow_inbound permit tcp any host 12.x.x.x eq 1723

In addition, i allowed ALL outbound & ALL inbound to and from any with NO luck (just for testing).

Thanks,

Mike

jpoulos · ‎10-18-2001

There are two ways you can do it:

The first way allows for a point to point access from a specific host to a specific host. The second way allows for VPN PPTP connections to anywhere and back, but it is a little less secure. It looks like the only difference between our configs is you don't have the permit UDP statement. Let me know if you have any questions.( the 216 in my config is the external host that we are connecting to)

JP

static (inside,outside) 237.xx.xx.1 10.xx.xx.1 netmask 255.255.255.255 0 0

access-list REMOTE permit ip host 216.xx.xx.xx host 237.xx.xx.1

static (inside,outside) 237.xx.xx.2 10.xx.xx.2 netmask 255.255.255.255 0 0

access-list REMOTE permit ip any host 237.xx.xx.2

access-list REMOTE permit udp any host 237.xx.xx.2

rtober · ‎10-18-2001

jp,

I thought the PIX had implicit permit all for outbound connections initiated from the inside (secure leg) and automatically allowed the reply to pass back through as long as the reply packet was good. Implicit deny all is only applied to connections initiated from the outside in right?

I don't have to open up return ports for outbound http traffic, etc ...

Just wondering ...

Thanks,

Ryan

murriware · ‎10-19-2001

Try a debug packet on outside (specify W2K server as source in order to filter the traffic) in order to see what arrives on PIX port and why it's discarded.

Maurizio