09-10-2003 06:08 AM - edited 02-21-2020 12:45 PM
Hello,
Let me preface this by saying that I don't have any Cisco configuration experience, I kind of got thrown into this because nobody else is available. Anyway, is there any FAQ or step-by-step guide on how to pinhole the firewall in a PIX 515E to allow TCP and UDP packets to come in on ports 1723 and 43? I have a Windows 2000 server behind a PIX and they want to use it for remote VPN access. Any help would be appreciated.
--Tommy Vielkanowitz
tvielkanowitz (at) shared-resources (dot) net
09-10-2003 07:19 AM
Why don't they use the pix for the vpn, as it offers nat traversal, and a bunch of other advantageous features? Do they have any access lists configured?
09-10-2003 10:57 AM
All you need is to allow TCP 1723 and protocol 47 (gre) on the outside interface. Below is an example ACL that works:
access-list ACL_OUT permit tcp any gt 1023 host
access-list ACL_OUT permit gre any host
access-group ACL_OUT in interface outside
09-11-2003 07:36 AM
I'm trying to gain access to a remote site running Windows 2000 VPN. The server never responds and I get the following syslog msgs from my pix506. Will this same ACL example fix my problem?
________________
Sep 10 2003 13:49:18: %PIX-6-305001: Portmapped translation built for gaddr My_PIX/40939 laddr 192.168.1.16/4808
Sep 10 2003 13:49:18: %PIX-6-302001: Built outbound TCP connection 2391249 for faddr Remote_MS_VPN_IP/1723 gaddr MY_PIX/40939 laddr 192.168.1.16/4808
****Sep 10 2003 13:49:19: %PIX-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.16 dst outside:Remote_MS_VPN_IP
Sep 10 2003 13:49:57: %PIX-6-302002: Teardown TCP connection 2391249 faddr Remote_MS_VPN_IP/1723 gaddr MY_Pix/40939 laddr 192.168.1.16/4808 duration 0:00:38 bytes 732 (TCP FINs)
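The syslog excerpt above shows the pattern worth alerting on: the PPTP control connection (TCP/1723, message 302001) builds through PAT, then one second later the PIX reports that it cannot create a translation for GRE (protocol 47, message 305006) from the same inside host to the same peer. The following is an added example, not code from the thread or from Cisco, that parses PIX syslog lines and pairs those two messages into one finding. The log lines are constructed to mirror the quoted ones with documentation addresses in place of the redacted ones, and the 60-second correlation window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample syslog lines modelled on the ones quoted in the thread.
# Addresses are documentation ranges (placeholders), not real hosts.
SAMPLE_LOG = """\
Sep 10 2003 13:49:18: %PIX-6-305001: Portmapped translation built for gaddr 203.0.113.5/40939 laddr 192.168.1.16/4808
Sep 10 2003 13:49:18: %PIX-6-302001: Built outbound TCP connection 2391249 for faddr 198.51.100.7/1723 gaddr 203.0.113.5/40939 laddr 192.168.1.16/4808
Sep 10 2003 13:49:19: %PIX-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.16 dst outside:198.51.100.7
Sep 10 2003 13:49:57: %PIX-6-302002: Teardown TCP connection 2391249 faddr 198.51.100.7/1723 gaddr 203.0.113.5/40939 laddr 192.168.1.16/4808 duration 0:00:38 bytes 732 (TCP FINs)
"""

# Generic PIX syslog header: timestamp, severity, six-digit message id, text.
# Leading asterisks (as in the quoted excerpt) are tolerated.
HEADER_RE = re.compile(
    r"^\**(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# 302001: outbound TCP connection built; we need the inside host and the peer/port.
BUILT_RE = re.compile(
    r"Built outbound TCP connection (?P<conn>\d+) for faddr (?P<faddr>\S+)/(?P<fport>\d+) "
    r"gaddr \S+/\d+ laddr (?P<laddr>\S+)/\d+"
)
# 305006: translation creation failed for a non-TCP/UDP protocol.
XLATE_FAIL_RE = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>\S+) dst \w+:(?P<dst>\S+)"
)

PPTP_PORT = 1723  # PPTP control channel
GRE = 47          # IP protocol number carrying the PPTP data channel


@dataclass
class Event:
    ts: datetime
    msgid: str
    text: str


def parse(log: str) -> List[Event]:
    """Turn raw syslog text into Event records, skipping non-PIX lines."""
    events = []
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append(Event(ts, m["msgid"], m["text"]))
    return events


def find_pptp_pat_failures(events: List[Event], window_s: int = 60) -> List[dict]:
    """Pair each GRE translation failure (305006, protocol 47) with the PPTP
    control connection (302001 to TCP/1723) the same inside host built to the
    same peer within window_s seconds before it."""
    pptp_ctrl: Dict[Tuple[str, str], Event] = {}  # (laddr, faddr) -> 302001 event
    findings = []
    for ev in events:
        if ev.msgid == "302001":
            m = BUILT_RE.search(ev.text)
            if m and int(m["fport"]) == PPTP_PORT:
                pptp_ctrl[(m["laddr"], m["faddr"])] = ev
        elif ev.msgid == "305006":
            m = XLATE_FAIL_RE.search(ev.text)
            if not m or int(m["proto"]) != GRE:
                continue
            ctrl = pptp_ctrl.get((m["src"], m["dst"]))
            if ctrl and 0 <= (ev.ts - ctrl.ts).total_seconds() <= window_s:
                findings.append({
                    "client": m["src"],
                    "server": m["dst"],
                    "control_built": ctrl.ts.isoformat(),
                    "gre_failed": ev.ts.isoformat(),
                    "diagnosis": "PPTP control channel built through PAT but GRE "
                                 "(protocol 47) could not be translated; PPTP-aware "
                                 "PAT (6.3 code, per the thread) is required",
                })
    return findings


if __name__ == "__main__":
    for f in find_pptp_pat_failures(parse(SAMPLE_LOG)):
        print(f)
```

Run it over a real syslog export from the PIX; one finding per inside client tells you which hosts are attempting PPTP through PAT and failing at the GRE step, which is exactly the symptom the poster describes.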
09-11-2003 08:20 AM
Hi,
It looks like you are trying to connect to a PPTP server from a PPTP client inside the PIX with the PIX doing PAT. My guess is that you probably do not have 6.3 code on this PIX. This is going to be required to get this to work as this was a new feature we recently added. Take a look at the following:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#71286
No additional ACL should be required.
Scott
09-29-2003 12:37 PM
We have made the code update to the pix and I am still getting the same error in the syslog that I was receiving before. Any other ideas on this?
Thanks, Todd
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
vacuum-pix506e up 10 days 22 hours
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000a.f492.a662, irq 10
1: ethernet1: address is 000a.f492.a663, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 806382319 (0x30106aef)
Running Activation Key: xxx
Configuration last modified by enable_15 at 15:21:32.116 UTC Mon Sep 29 2003