Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
5
Helpful
4
Replies

Trying to connect to a remote VPN server

Go to solution
tsmurray
Level 1
Level 1

‎07-14-2003 12:41 PM - edited ‎02-21-2020 12:39 PM

This task has me bleeding out my eyes. I can't seem to get it to work. I understand the principle of TCP-OUT GRE-IN but can't seem to reconsile it so the firewall understands.

Long and short of the situation:

Company has static IP assigned by local DSL company

All computers on the inside network enjoy interconnectivity and outside internet access

Remote VPN host has static IP

VPN DUN configuration established correctly and accounts on remote are active.

Does not connect when proper ID and PASSWORD are entered.

Has anybody tried this before. Please assume that I have the skill level of a 5 year old and the patience of the same.

Thank you for your help.

Timothy S. Murray

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎07-14-2003 11:31 PM

A 5 year old huh? sounds like a lot of people I deal with. Just kidding everyone, don't flame me.

Anyway, we need a bit more information here to go on, is this a PPTP connection to a PIX you're talking about, or to a router? Or is it IPSec (you mentioned GRE which is why I think you're talking about GRE). Is the user authentication being done locally on the VPN termination device, or is there a Radius/TACACS server involved?

Can you send in the config of the terminating device, making sure to xxxxx out any valid IP addresses and passwords?

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎07-14-2003 11:31 PM

A 5 year old huh? sounds like a lot of people I deal with. Just kidding everyone, don't flame me.

Anyway, we need a bit more information here to go on, is this a PPTP connection to a PIX you're talking about, or to a router? Or is it IPSec (you mentioned GRE which is why I think you're talking about GRE). Is the user authentication being done locally on the VPN termination device, or is there a Radius/TACACS server involved?

Can you send in the config of the terminating device, making sure to xxxxx out any valid IP addresses and passwords?

0 Helpful

Go to solution
tsmurray
Level 1
Level 1
In response to gfullage

‎07-15-2003 05:51 AM

It is a PPTP connection. When our laptop clients leave the firewall, they're able to connect. I must admit that I'm am fairly new to the CISCO family so some of my answers are based on my best assumption of the situation.

Current config of the PIX is as follows:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxx encrypted

hostname pix

domain-name umd.edu

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside xxx.xx.xxx.xx 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.20 255.255.255.255 inside

pdm location 192.168.1.24 255.255.255.248 outside

pdm location 192.168.1.0 255.255.255.240 outside

pdm location 192.168.1.0 255.255.255.240 inside

pdm location 10.10.10.0 255.255.255.0 outside

pdm location 10.10.10.0 255.255.255.255 inside

pdm location 207.44.140.112 255.255.255.255 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

sysopt connection permit-l2tp

no sysopt route dnat

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash md5

isakmp policy 40 group 1

isakmp policy 40 lifetime 86400

telnet timeout 5

ssh timeout 5

vpdn enable inside

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:40f543ea19bf3cd418a27ccad8076f29

: end

[OK]

There may be some detritus floating around in there as I have desperately tried to solve my situation and may not cleared some previous entries.

Your assistance is most appreciated.

0 Helpful

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to tsmurray

‎07-15-2003 02:00 PM

OK, so the PPTP clients are inside the PIX, connecting to a PPTP server outside, is that correct? Please assume when you post stuff here that we have no idea what your situation is, so try and provide as much information as possible.

If I'm correct, then the issue is that you're doing PAT on this PIX which generally doesn't work well with PPTP sessions. The issue being is that part of the session is GRe packets, which doesn't hve a UDP/TCP port number that the PIX can use to PAT with.

Having said tha, in v6.3 code the PIX now supports PPTP through PAT, so your best bet is to upgrade and add the command:

> fixup protocol pptp 1723

and you should be good to go. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#1067379 for details.

Go to solution
tsmurray
Level 1
Level 1
In response to gfullage

‎07-21-2003 10:49 AM

Sorry it took me so long to get back to you. I had a problem flashing the firmware. (Damn TFTP).

Upgrade and fixup worked.

Thanks again.

Timothy Murray

(Although now I need to upgrade the PDM version, which has a timeout problem. But that's an issue for another day.)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents