Cisco Support Community

WinXP / 2k VPN (PPTP) through PIX to Win2k server

Hi,

I've got a customer with an ADSL connection and a PIX 506E. The way that ADSL in this country is (New Zealand), the DSL modem does port forwarding (pinholing) of ports you would like incoming. All ports are forwarded onto the external interface of the PIX, where they are ACL'd and then static NAT'd onto the appropriate internal server.

The problem is that pptp doesn't work. The packets are being forwarded by the modem to the PIX, but the PIX isn't doing anything with them.

Here's the relevant (well, the bits I *think* are relevant) from the config. 192.168.1.253 is the PIX's external interface.

access-list outside_access_in permit tcp any host 192.168.1.253 eq www

access-list outside_access_in permit tcp any host 192.168.1.253 eq ftp

access-list outside_access_in permit tcp any host 192.168.1.253 eq ftp-data

access-list outside_access_in permit tcp any host 192.168.1.253 eq smtp

access-list outside_access_in permit tcp any host 192.168.1.253 eq pop3

access-list outside_access_in permit tcp any host 192.168.1.253 eq 3389

access-list outside_access_in permit gre any host 192.168.1.253

access-list outside_access_in permit tcp any host 192.168.1.253 eq pptp

static (inside,outside) tcp interface www 192.168.0.253 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.0.1 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp-data 192.168.0.1 ftp-data netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pptp 192.168.0.253 pptp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 192.168.0.253 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.0.253 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0

Now, according to this:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

I need a static mapping for all TCP to the internal server? But how do I do it using a port number? Or is this a situation where it will never work?

Cheers,

Mike.

4 REPLIES

Re: WinXP / 2k VPN (PPTP) through PIX to Win2k server

You need to understand how PPTP works first.

It transmits PPP through an IP tunnel (GRE). Inside the tunnel, encapsulated in PPP, is your IP connection to the Internet(?). When using a PIX you have to extend the tunnel onto your network and terminate it on the inside host. Obviously, you need one tunnel per host. A PIX is not very useful in this kind of configuration as it does not process the IP payload in the PPP stream. In this kind of setup the PIX will only NAT the IP envelope containing the PPP frames. You will need a PPTP connection for every host on your local LAN and it must be NATted, while GRE does not know about ports. Therefore, as you have set it up currently, this probably will never work.

Re: WinXP / 2k VPN (PPTP) through PIX to Win2k server

It will never work in this configuration. The PIX doesn't forward GRE when port-forwarding NAT is used; only TCP and UDP are supported (GRE is IP protocol 47), which you can verify by trying to issue the command

static (inside,outside) gre interface .... it just doesn't exist.

You need to have a dedicated IP address to NAT to, like this (15.15.15.15 stands in for the spare public address; the local side is the PPTP server from the original post, 192.168.0.253, and on PIX 6.x the outside access-list is written against the global address, so it names 15.15.15.15 rather than the inside address):

static (inside,outside) 15.15.15.15 192.168.0.253 netmask 255.255.255.255

access-list outside_access_in permit gre any host 15.15.15.15

access-list outside_access_in permit tcp any host 15.15.15.15 eq pptp

or you can configure the PIX as a PPTP server and terminate PPTP sessions to it's outside IP address (if this is an option)

Magnus
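The point Magnus makes, that a port-based static only exists for tcp and udp while GRE has no port to key on, is easy to miss when reading a long static/access-list block. The script below is an added example written for this thread (it is not Cisco code and not from either poster): a small linter that parses the two command shapes used above and flags any port-less protocol (gre, esp, ah) that an outside ACL permits to an address which only has tcp/udp statics, or no static at all. The two embedded configs are constructed from the thread: the original poster's interface-PAT config, and the dedicated-address fix. It assumes PIX 6.x semantics, where `interface` in a static means the outside interface IP and the outside ACL names the global (translated) address; 15.15.15.15 is the same placeholder public address used in the reply.

```python
"""Lint a PIX 6.x-style config for port-less IP protocols (GRE, ESP, AH) that are
permitted inbound but have no 1:1 static to carry them.

Added example for this thread, not Cisco code. The parser covers only the two
command shapes the thread uses:
  access-list <name> permit <proto> any host <addr> [eq <port>]
  static (inside,outside) [tcp|udp] <global|interface> [gport] <local> [lport] netmask ...
Assumption (PIX 6.x): an outside ACL matches the global (translated) address,
and "interface" in a static means the outside interface IP.
"""
import re

# IP protocols with no transport port: static PAT cannot multiplex them.
PORTLESS = {"gre", "esp", "ah"}

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>\S+)\s+any\s+host\s+(?P<host>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_PAT_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(?P<l4>tcp|udp)\s+(?P<gaddr>\S+)\s+(?P<gport>\S+)"
    r"\s+(?P<laddr>\S+)\s+(?P<lport>\S+)\s+netmask"
)
STATIC_1TO1_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(?P<gaddr>\S+)\s+(?P<laddr>\S+)\s+netmask"
)

# Constructed from the original post: everything hangs off the outside interface IP.
OP_CONFIG = """
access-list outside_access_in permit tcp any host 192.168.1.253 eq www
access-list outside_access_in permit tcp any host 192.168.1.253 eq 3389
access-list outside_access_in permit gre any host 192.168.1.253
access-list outside_access_in permit tcp any host 192.168.1.253 eq pptp
static (inside,outside) tcp interface www 192.168.0.253 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.0.253 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
"""

# Constructed from the reply: a 1:1 static on a dedicated public address (placeholder).
FIXED_CONFIG = """
static (inside,outside) 15.15.15.15 192.168.0.253 netmask 255.255.255.255
access-list outside_access_in permit gre any host 15.15.15.15
access-list outside_access_in permit tcp any host 15.15.15.15 eq pptp
"""


def parse(config, outside_if_addr):
    """Return (acl_entries, port_statics_by_global, one_to_one_statics_by_global)."""
    acl, pat, one_to_one = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl.append((m["proto"].lower(), m["host"], m["port"]))
            continue
        if m := STATIC_PAT_RE.match(line):
            gaddr = outside_if_addr if m["gaddr"] == "interface" else m["gaddr"]
            pat.setdefault(gaddr, []).append((m["l4"], m["gport"], m["laddr"], m["lport"]))
            continue
        if m := STATIC_1TO1_RE.match(line):
            one_to_one[m["gaddr"]] = m["laddr"]
    return acl, pat, one_to_one


def check(config, outside_if_addr):
    """Return one finding per port-less protocol the PIX has no translation for."""
    acl, pat, one_to_one = parse(config, outside_if_addr)
    findings = []
    for proto, host, _port in acl:
        if proto not in PORTLESS:
            continue
        if host in one_to_one:
            continue  # a 1:1 static carries every IP protocol, GRE included
        if host in pat:
            ports = sorted({f"{l4}/{gport}" for l4, gport, _, _ in pat[host]})
            findings.append(
                f"{proto} permitted to {host}, but {host} only has port statics "
                f"({', '.join(ports)}); {proto} has no port, so nothing translates it"
            )
        else:
            findings.append(f"{proto} permitted to {host}, but no static maps {host} inward")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check(cfg, '192.168.1.253') or 'ok'}")
```

Run against the original config it reports that gre is permitted to 192.168.1.253 but that address only has tcp statics; against the dedicated-address config it reports nothing, because the 1:1 static translates every IP protocol destined for 15.15.15.15.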


Re: WinXP / 2k VPN (PPTP) through PIX to Win2k server

I went for the PPTP option, it's worked just fine.


Re: WinXP / 2k VPN (PPTP) through PIX to Win2k server

I was looking at this and have a question as I have a similar problem. When you went for the PPTP option (using your global (outside) IP address as the tunnel terminating point), did you still have to statically map this?

I ask this because my clients will first dial up to the Internet and will be allocated a public IP address. Does this address have to be mapped to the global outside? Do you need more than one global?
