W2000 PPTP inside PIX path through the PIX

bothunborg
Level 1

Inside a simply configured PIX I have a W2000 VPN client with PPTP. The client can't talk with another PIX outside configured with VPDN.

Everything works as expected if I put in a simple NAT firewall (NETGEAR 801) instead of the PIX.

See PIX config and syslog. What's wrong?

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd FAXRuw8pF2Tl7oBe encrypted
hostname nsm
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outside permit icmp any any
access-list acl_outside permit gre any any
access-list acl_outside permit esp any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging host inside 194.132.183.10
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 217.215.220.221 255.255.255.0
ip address inside 194.132.183.2 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 217.215.220.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
nsm#

Syslog said:

%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs

Accepted Solution

gfullage
Cisco Employee

First off, I'd suggest not cutting/pasting your entire PIX config in here, or at the very least x.x.x.x out your outside IP address.

The PIX does not currently support PPTP through PAT (nat/global). PPTP uses IP protocol 47 (GRE), and the PIX can't PAT these because there's no TCP/UDP port number to use.

PIX 6.3 code will support it though, but it won't be available till the start of next year. At the moment the only way around your predicament is to define a one-to-one NAT translation for this internal host. Something like:

> static (inside,outside) 217.215.220.222 194.132.183.10 netmask 255.255.255.255 0 0

will do the trick for you, provided 217.215.220.222 is routed and available to you. I'd also suggest changing

> access-list acl_outside permit gre any any

to

> access-list acl_outside permit gre host 194.71.189.109 host 217.215.220.222

It's a bit more secure.
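As an added example (not from the original thread or from Cisco), the triage check below parses PIX 6.2 syslog lines in the formats quoted above, flags protocol 47 (GRE) translation failures (%PIX-3-305006) only for inside/outside host pairs that also opened a TCP/1723 PPTP control channel (%PIX-6-302013), and prints the one-to-one static plus narrowed GRE ACL that the accepted answer recommends. The sample log is constructed from the post's messages; the public address 217.215.220.222 is the one the answer proposes.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX 6.2 syslog lines quoted in the question.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
"""

# 305006: the PIX could not build an xlate for a non-TCP/UDP protocol under PAT.
XLATE_FAIL = re.compile(
    r"%PIX-3-305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)
# 302013 to destination port 1723: the PPTP control channel was built fine.
PPTP_CTRL = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection \d+ for (?P<dst_if>\w+):(?P<dst>[\d.]+)/1723 "
    r".* to (?P<src_if>\w+):(?P<src>[\d.]+)/\d+"
)


def find_pptp_pat_failures(log_text):
    """Return {(inside_host, pptp_server): count} of GRE xlate failures for pairs
    that also completed the PPTP control connection, i.e. PPTP stuck behind PAT."""
    pptp_pairs = set()
    gre_failures = Counter()
    for line in log_text.splitlines():
        m = PPTP_CTRL.search(line)
        if m:
            pptp_pairs.add((m["src"], m["dst"]))
            continue
        m = XLATE_FAIL.search(line)
        if m and m["proto"] == "47":  # 47 = GRE, carried by PPTP
            gre_failures[(m["src"], m["dst"])] += 1
    return {pair: n for pair, n in gre_failures.items() if pair in pptp_pairs}


def suggest_static(pair, public_ip):
    """Remedy from the accepted answer: a one-to-one static (no port needed for
    GRE) and a GRE ACL narrowed to the one PPTP server and that public address."""
    inside_host, pptp_server = pair
    return [
        f"static (inside,outside) {public_ip} {inside_host} netmask 255.255.255.255 0 0",
        f"access-list acl_outside permit gre host {pptp_server} host {public_ip}",
    ]


if __name__ == "__main__":
    for pair, n in find_pptp_pat_failures(SAMPLE_LOG).items():
        print(f"{n} GRE xlate failures {pair[0]} -> {pair[1]}: PPTP through PAT")
        for cmd in suggest_static(pair, "217.215.220.222"):
            print("  ", cmd)
```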


