01-02-2003 08:59 AM - edited 02-21-2020 12:15 PM
Does anyone know what I would need to do to allow a client on the inside of the PIX firewall to connect to another company's VPN server? When attempting to connect to a VPN server on the outside of the PIX, it returns error 721, the computer failed to respond. The access list has the default explicit lists, which should allow the connection to be established because it was initiated on the inside, correct? Any help would be appreciated! Thanks
Glenn
01-02-2003 11:00 AM
Hi,
I guess you are trying to establish a PPTP Connection to the remote VPN Server. In order to PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723.
Configure a static public IP address for this client and then try connecting to the remote side. Also, if possible, test the client with a dial-up connection, just to make sure that PPTP is configured properly on the VPN server and the client.
Regards,
Arul
01-02-2003 11:16 AM
Arul,
Yes it is a PPTP connection to a remote VPN server that I am trying to establish. I've used Dial Up and can establish a connection fine, and I've set a laptop up on the public network and can connect fine to the VPN, which made me realize it was a problem w/ the PIX setup.
So if I want to establish a VPN connection in the future, I will need to establish a one-to-one mapping for the private address to a public address? Is it possible to configure the PIX so any of the clients on the inside could establish a connection? The way the PIX is set up right now is that it is using a pool of IP addresses on the outside network, and using NAT for the private addresses. I'm new to the PIX; I was just surprised that the PIX didn't establish a connection automatically.
Thanks,
Glenn
01-03-2003 02:45 PM
We have the same problem (error 721). My question is: what is the command for establishing a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723?
thanks
01-03-2003 05:54 PM
Hi,
You need a fully routable IP address for the user behind the PIX and can do a static translation:
static (inside,outside) a.b.c.d w.x.y.z
where,
a.b.c.d is the routable IP address
w.x.y.z is the internal IP address of the user that is trying to make the connection.
Regards,
Arul
01-03-2003 06:50 PM
So it is strictly one-to-one; there isn't a way you could allow any client on the inside to connect to a VPN server outside?
01-04-2003 07:15 AM
Arul,
Thank you. But I already have the translation:
static(inside,outside) public ip host_name netmask 255.255.255.255 0 0
Anything wrong?
bob