Remote access VPN using PPTP

prashanth15
Level 1

Hi,

I have a PIX 515e version 6.3(5). The PIX is the front-end firewall, with the ISA 2004 connected to the inside interface of the PIX. However, I want to use the ISA as the VPN server. Thus, I need the PIX to allow the VPN traffic through to the ISA Server so that it can authenticate and create the tunnel.

Refer to the attached PIX config and setup diagram. Here is my config:

Internet - PIX - ISA Server - LAN (DHCP, AD, Exchange 2003)

PIX external: x.x.x.166
PIX internal: 172.17.0.2
ISA external: 172.17.0.1
ISA internal: 172.16.0.253

Please provide steps to allow the PIX to pass the VPN traffic to the ISA.

The DHCP server in the inside network of the ISA will allocate IPs for remote VPN clients.

PPTP is enabled on ISA 2004 with MS-CHAPv2 as authentication.

Without the PIX firewall, remote access VPN using PPTP worked fine.

Regards,

Prashanth

7 Replies

gfullage
Cisco Employee

If the PIX is simply passing the PPTP packets through to an inside PPTP server, then you don't really need to do much on the PIX at all. It is just the same as allowing HTTP traffic through to an inside web server. So first of all get rid of all the "vpdn" type config on the PIX, that is only used if the PIX is terminating the PPTP VPN, which it is not.

Now, standard PIX connectivity says to allow packets from outside to inside you need a static and an access-list, of which you have neither. You will need to use another global IP address and map that through to the inside PPTP server, as such:

static (inside,outside) 202.93.208.46 172.17.0.1 netmask 255.255.255.255

Then allow PPTP traffic through to that address with:

access-list inbound permit tcp any host 202.93.208.46 eq 1723

access-list inbound permit gre any host 202.93.208.46

Then have your outside users connect to 202.93.208.46 and all should work fine.

Hi,

But there is only one public IP and it is currently using PAT.

Can I have the configuration like this:

static (inside,outside) outside interface 172.17.0.1 netmask 255.255.255.255

access-list inbound permit tcp any host outside interface eq 1723

access-list inbound permit gre any host outside interface

No, because that then overlaps with your PAT config. You can't set up a static PAT translation either because the GRE packets are not TCP/UDP based. To do this I'm afraid you need a second public IP address, or you can forget about your users connecting to the inside server and have them connect directly to the PIX as the PPTP server. This will then provide them with internal access also. To set that up it will be the "vpdn" config you had previously.

Hi,

What about using L2TP/IPsec?

What access rule needs to be created in the PIX?

Have a look at the following document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

The above uses RADIUS for authentication.

And also the following document from Zander Networks:

http://www.zandernetworks.co.uk/technotes/Tech%20Note%2004.pdf

Hope this helps

Jay

Hi,

The PIX is simply passing the PPTP packets through to an inside PPTP server (ISA server).

Followed your instructions but it didn't work.

I have posted the configuration.

Please check and let me know.

You can do this with a single IP doing PAT. First you create your static:

static (inside,outside) tcp PUBLICIP pptp PRIVATEIP pptp

where PRIVATEIP is the address of the ISA server. If you're using the outside interface of the PIX as the PUBLICIP, replace PUBLICIP with the keyword 'interface'.

Make sure you have the 'fixup protocol pptp 1723' in your config - this removes the need to create a GRE static mapping, as it will open the GRE ports dynamically as needed.

Then just make sure you have an ACL entry on the outside interface that allows PPTP to the public IP address.
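The reply above lists three things a PIX 6.3 running PAT needs for PPTP pass-through (the static PAT on TCP/1723, the PPTP fixup, and an inbound ACL bound to the outside interface), and the first reply says the leftover "vpdn" lines must go. The script below is an added example, not part of this thread or of Cisco's tooling: it checks a pasted PIX 6.3 config for those four points. The sample config, the ISA address 172.17.0.1 and the ACL name "inbound" are constructed for the demonstration.

```python
import re

# Constructed PIX 6.3 excerpt for demonstration; not the poster's attached config.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
access-list inbound permit tcp any interface outside eq 1723
access-group inbound in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 172.17.0.1 pptp netmask 255.255.255.255 0 0
vpdn group 1 accept dialin pptp
"""

# Static PAT: "static (inside,outside) tcp <global|interface> pptp <server> pptp ..."
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (?:pptp|1723) (\S+) (?:pptp|1723)\b")
FIXUP_RE = re.compile(r"^fixup protocol pptp 1723$")
# ACL target may be "host <public-ip>" or "interface outside"
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host \S+|interface outside) eq (?:1723|pptp)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def check_pptp_passthrough(config: str, server_ip: str) -> dict:
    """Report which pass-through requirements the config meets for server_ip."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls_with_pptp, applied = set(), set()
    result = {"static_pat": False, "fixup_pptp": False, "vpdn_leftover": []}
    for line in lines:
        m = STATIC_RE.match(line)
        if m and m.group(2) == server_ip:
            result["static_pat"] = True          # TCP/1723 forwarded to the ISA
        if FIXUP_RE.match(line):
            result["fixup_pptp"] = True          # GRE opened dynamically by the fixup
        m = ACL_RE.match(line)
        if m:
            acls_with_pptp.add(m.group(1))       # ACL that permits PPTP inbound
        m = GROUP_RE.match(line)
        if m:
            applied.add(m.group(1))              # ACLs actually bound to outside
        if line.startswith("vpdn "):
            result["vpdn_leftover"].append(line)  # PIX-terminated PPTP config, not wanted here
    result["acl_permits_pptp"] = bool(acls_with_pptp)
    result["acl_applied_outside"] = bool(acls_with_pptp & applied)
    return result


def passthrough_ready(config: str, server_ip: str) -> bool:
    """True only when all three requirements hold and no vpdn config remains."""
    r = check_pptp_passthrough(config, server_ip)
    needed = (r["static_pat"], r["fixup_pptp"], r["acl_permits_pptp"], r["acl_applied_outside"])
    return all(needed) and not r["vpdn_leftover"]


if __name__ == "__main__":
    for key, value in check_pptp_passthrough(SAMPLE_CONFIG, "172.17.0.1").items():
        print(f"{key}: {value}")
    print("ready:", passthrough_ready(SAMPLE_CONFIG, "172.17.0.1"))
```

On the sample config every requirement is met but the stray vpdn line makes the overall check fail; delete it and the check passes.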
