PIX 515E and Microsoft VPN pinholes

khishlanth · ‎09-10-2003

Hello,

Let me preface this by saying that I don't have any Cisco configuration experience, I kind of got thrown into this because nobody else is available. Anyway, is there any FAQ or step-by-step guide on how to pinhole the firewall in a PIX 515E to allow TCP and UDP packets to come in on ports 1723 and 43? I have a Windows 2000 server behind a PIX and they want to use it for remote VPN access. Any help would be appreciated.

--Tommy Vielkanowitz

tvielkanowitz (at) shared-resources (dot) net

mostiguy · ‎09-10-2003

Why don't they use the pix for the vpn, as it offers nat traversal, and a bunch of other advantageous features? Do they have any access lists configured?

vitaliy.pindyura · ‎09-10-2003

All you need is to allow TCP 1723 and protocol 47 (gre) on the outside interface. Below is an example ACL that works:

access-list ACL_OUT permit tcp any gt 1023 host eq 1723

access-list ACL_OUT permit gre any host

access-group ACL_OUT in interface outside

Report Inappropriate Content · ‎09-11-2003

I'm trying to gain access to a remote site running Windows 2000 VPN. The server never responds and I get the following syslog msgs from my pix506. Will this same ACL example fix my problem?

________________

Sep 10 2003 13:49:18: %PIX-6-305001: Portmapped translation built for gaddr My_PIX/40939 laddr 192.168.1.16/4808

Sep 10 2003 13:49:18: %PIX-6-302001: Built outbound TCP connection 2391249 for faddr Remote_MS_VPN_IP/1723 gaddr

MY_PIX/40939 laddr 192.168.1.16/4808

****Sep 10 2003 13:49:19: %PIX-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.16 dst

outside:Remote_MS_VPN_IP

Sep 10 2003 13:49:57: %PIX-6-302002: Teardown TCP connection 2391249 faddr Remote_MS_VPN_IP/1723 gaddr MY_Pix/40939

laddr 192.168.1.16/4808 duration 0:00:38 bytes 732 (TCP FINs)

scoclayton · ‎09-11-2003

Hi,

It looks like you are trying to connect to a PPTP server from a PPTP client inside the PIX with the PIX doing PAT. My guess is that you probably do not have 6.3 code on this PIX. This is going to be required to get this to work as this was a new feature we recently added. Take a look at the following:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#71286

No additional ACL should be required.

Scott

Report Inappropriate Content · ‎09-29-2003

We have made the code update to the pix and I am still getting the same error in the syslog that I was recieveing before. Any other ideas on this?

Thanks, Todd

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

vacuum-pix506e up 10 days 22 hours

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000a.f492.a662, irq 10

1: ethernet1: address is 000a.f492.a663, irq 11

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 806382319 (0x30106aef)

Running Activation Key: xxx

Configuration last modified by enable_15 at 15:21:32.116 UTC Mon Sep 29 2003