10-30-2002 04:49 AM - edited 02-20-2020 10:20 PM
Inside a simply configured PIX I have a W2000 VPN client using PPTP. The client can't talk to another PIX on the outside configured with VPDN.
Everything works as expected if I put in a simple NAT firewall (NETGEAR 801) instead of the PIX.
See PIX config and syslog. What's wrong??
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd FAXRuw8pF2Tl7oBe encrypted
hostname nsm
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outside permit icmp any any
access-list acl_outside permit gre any any
access-list acl_outside permit esp any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging host inside 194.132.183.10
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 217.215.220.221 255.255.255.0
ip address inside 194.132.183.2 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 217.215.220.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
nsm#
Syslog said:
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
10-30-2002 05:25 PM
First off I'd suggest not cutting/pasting your entire PIX config in here, or at the very least x.x.x.x out your outside IP address.
The PIX does not currently support PPTP thru PAT (nat/global). PPTP uses IP protocol 47 (GRE), and the PIX can't PAT these because there's no TCP/UDP port number to use.
PIX 6.3 code will support it though, but it won't be available till the start of next year. At the moment the only way around your predicament is to define a one-to-one NAT translation for this internal host. Something like:
> static (inside,outside) 217.215.220.222 194.132.183.10 netmask 255.255.255.255 0 0
will do the trick for you, provided 217.215.220.222 is routed and available to you. I'd also suggest changing
> access-list acl_outside permit gre any any
to
> access-list acl_outside permit gre host 194.71.189.109 host 217.215.220.222
it's a bit more secure.
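Added example (not from the original thread or from Cisco): a small Python checker that runs over the syslog lines above, picks out the 305006 translation failures for port-less IP protocols (47/GRE here; the same logic covers 50/ESP and 51/AH, which is a generalisation beyond the thread) and emits the static/ACL pair the answer recommends. The sample log is constructed from the excerpt in the question; the outside address is a placeholder unless you pass a spare, routed one.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the syslog excerpt in the question
# (interface names repaired; one extra ESP failure added to show the general case).
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 50 src inside:194.132.183.11 dst outside:194.71.189.109
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
"""

# IP protocols with no TCP/UDP port field: PAT (nat/global) has nothing to rewrite,
# so each attempt surfaces as a 305006 translation failure. Value = PIX ACL protocol keyword.
PORTLESS = {47: "gre", 50: "esp", 51: "ah"}

XLATE_FAIL = re.compile(
    r"%PIX-3-305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)


def find_pat_failures(log_text):
    """Count 305006 failures on port-less protocols, keyed by (proto, src, dst)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = XLATE_FAIL.search(line)
        if m and int(m.group("proto")) in PORTLESS:
            counts[(int(m.group("proto")), m.group("src"), m.group("dst"))] += 1
    return dict(counts)


def suggest_static(proto, src, dst, outside_ip="<FREE-OUTSIDE-IP>"):
    """The answer's remedy, generalised: a one-to-one static for the inside host plus a
    host-scoped ACL entry instead of 'permit <proto> any any'. outside_ip must be a spare,
    routed address on the outside subnet (placeholder by default)."""
    return [
        f"static (inside,outside) {outside_ip} {src} netmask 255.255.255.255 0 0",
        f"access-list acl_outside permit {PORTLESS[proto]} host {dst} host {outside_ip}",
    ]


if __name__ == "__main__":
    for (proto, src, dst), n in find_pat_failures(SAMPLE_LOG).items():
        print(f"{n}x protocol {proto} ({PORTLESS[proto]}) {src} -> {dst} failed PAT; fix:")
        for cmd in suggest_static(proto, src, dst):
            print("  " + cmd)
```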