Trying to configure PPTP thru PIX (6.3) running PAT

I have configured my PIX (6.3) running PAT to allow a PPTP session from a remote Win2K client. The client is authenticated by the PIX, receives its IP address from the pptp-pool and can even ping the internal Win XP Pro machine. So far, so good.

The problem starts when I try to browse to my XP machine or search for it by IP address. When I try, I get the following error from my PIX:

%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.1.100/2423 dst outside:209.244.0.4/53
%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.1.100/2423 dst outside:209.244.0.4/53
%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.1.100/2423 dst outside:209.244.0.4/53

Obviously there is no static mapping because I am using PAT, but doesn't 6.3 code support PPTP w/ PAT?

Here's my PIX config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname Lab-PIX
domain-name test.com
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 deny ip any any
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside 10.20.30.3
icmp deny any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.0
ip address inside 10.20.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.100.1-192.168.100.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username XXXXXX password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

Thanks for any help on this!
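As an added example (not code from the post or from Cisco), a small Python triage helper for the %PIX-3-106011 "Deny inbound (No xlate)" messages quoted above: it parses each line and records whether the denied source address belongs to the pptp-pool range from the posted config, which is the first thing to check when a tunnel client's traffic is being dropped on the outside interface. The pool boundaries are taken from the config; the second sample log line is constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the first line is the %PIX-3-106011 message quoted in
# the post; the second is a made-up line with a source taken from pptp-pool.
SAMPLE_LOG = """\
%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.1.100/2423 dst outside:209.244.0.4/53
%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.100.7/1045 dst inside:10.20.30.3/53
not a PIX syslog line at all
"""

# From the posted config: ip local pool pptp-pool 192.168.100.1-192.168.100.50
PPTP_POOL = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("192.168.100.1"), ipaddress.IPv4Address("192.168.100.50")))

MSG_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

class Denied(NamedTuple):
    proto: str
    src_if: str
    src: ipaddress.IPv4Address
    sport: int
    dst_if: str
    dst: ipaddress.IPv4Address
    dport: int
    from_pool: bool  # True when the source address is inside pptp-pool

def parse_106011(line: str) -> Optional[Denied]:
    """Parse one %PIX-3-106011 syslog line; return None for any other line."""
    m = MSG_106011.search(line)
    if not m:
        return None
    src = ipaddress.IPv4Address(m["src"])
    return Denied(m["proto"], m["src_if"], src, int(m["sport"]),
                  m["dst_if"], ipaddress.IPv4Address(m["dst"]), int(m["dport"]),
                  any(src in net for net in PPTP_POOL))

def triage(log_text: str) -> List[Denied]:
    """Parse every 106011 line in a log excerpt, skipping unrelated lines."""
    return [d for d in map(parse_106011, log_text.splitlines()) if d]

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        tag = "pool source" if d.from_pool else "NOT a pool source"
        print(f"{d.proto} {d.src}:{d.sport} -> {d.dst_if}:{d.dst}:{d.dport} ({tag})")
```

A denied packet whose source is not a pool address is not traffic from the tunnel's assigned address, so the "No xlate" drop is the firewall behaving as configured rather than a PPTP fixup problem.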

Re: Trying to configure PPTP thru PIX (6.3) running PAT

Hi,

PIX OS v6.3 supports PPTP pass-through, i.e., when the PPTP client machine is sitting behind the PIX firewall and the PIX is configured to do PAT; in that case the PPTP fixup works to an MS VPN server.

In your case you are connecting to a PIX (w/ 6.3), and it seems like some MS networking issue. Try configuring a WINS/DNS IP address assignment using:

vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]

see if that helps.

Thx

Afaq
