Cisco Pix and ISA Server 2004

mrrlg
Level 1

I am trying to create a front end back end firewall solution using Pix Version 6.3(5) as my front end and Microsoft ISA server 2004 as my backend. I am trying to pass Microsoft client VPN connections through the Pix firewall and terminate them on the ISA server. I have added these commands to the Pix.

access-list outside_acl permit tcp any host 64.206.48.XX (external address of Pix)

static (inside,outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0

22.218.0.xx is the "external interface" of the ISA server. With this configuration, inside users can access the internet, but any attempt to create and terminate an external VPN connection receives the error "remote computer did not respond." What do I need to do to pass pptp and l2tp traffic to the ISA server?

5 Replies

jackko
Level 7

you mentioned that 64.206.48.xx is the pix outside int ip and 22.218.0.xx is the isa external int ip. to allow pptp vpn to pass through the pix and terminate on the isa, the isa needs a public ip for itself, not shared with the pix.

the reason being with pptp vpn, you need to allow:

tcp 1723 and gre i.e. ip 50, and port forwarding doesn't support ip 50.

if 22.218.0.xx is a public ip, then you can do:

static (inside,outside) 22.218.0.xx 22.218.0.xx netmask 255.255.255.255 0 0

access-list outside_acl permit gre any host 22.218.0.xx

access-list outside_acl permit tcp any host 22.218.0.xx eq 1723

The external ip address of the pix firewall is 64.206.48.xx. The external ip address of the ISA Server is 22.218.0.xx. This is not shared with the pix but is in a subnet with an internal interface on the pix. My configuration is as follows:

access-list outside_acl permit tcp any host 64.206.48.XX (external address of Pix)

static (inside,outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0

access-list outside_acl permit gre any host 22.218.0.xx

access-list outside_acl permit tcp any host 22.218.0.xx eq 1723

After doing this, I received the same error message, "remote server is not responding." When I check the logs on the ISA server there is no sign of the server receiving a VPN request.

I am not clear on your response. Are you suggesting that I publish the ISA server through the pix firewall? Wouldn't this defeat the purpose of a front end back end firewall solution? Also, when I checked my config on the Pix firewall, eq 1723 was replaced by eq pptp. Do I need to add an additional command to allow l2tp?

the pptp vpn will not work unless the isa server has a public ip for its own use, not sharing it with pix outside interface. with the existing config, "static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0" will not achieve this.

"static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0" will nat any traffic with destination 64.206.48.xx to 22.218.0.xx. however, at the same time, the same ip 64.206.48.xx is the pix outside interface ip, so the pix will be confused.

normally if you've got only 1 public ip and you need inbound access, you would do port forwarding.

e.g. for inbound www access

static (inside,outside) tcp <outside_ip> 80 <inside_ip> 80 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host <outside_ip> eq 80

access-group 100 in interface outside

however, port forwarding doesn't work with vpn. the reason being port forwarding works with tcp and udp, and pptp vpn requires gre i.e. ip 50.

i guess the workaround is either "publish" the isa thru the pix or let the pix handle the vpn.
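The port-forwarding limitation described above, as an added example that is not code from the thread or from Cisco: a small Python lint for PIX 6.3 configurations that parses `static`, `access-list` and `access-group` lines and reports the mistakes discussed in this thread. It also checks one point the thread does not raise: on PIX 6.3 an ACL applied to the outside interface is evaluated before NAT, so its host entries must name the global (translated) address from the `static`, not the inside address. GRE is IP protocol 47 (50 is ESP). The L2TP/IPsec rule set is included because the thread also asks about l2tp; the addresses, ACL name and sample configurations in the block are constructed placeholders, not the thread's.

```python
"""PIX 6.3 lint for passing a VPN through to an inside server (added example).

Parses only `ip address outside`, `static`, `access-list` and `access-group`
and reports the mistakes discussed in the thread, plus one it never names:
an ACL on the PIX outside interface is matched before NAT, so its host
entries must be the global (translated) address from the static, not the
inside address.  GRE is IP protocol 47; ESP is 50.
The sample configs at the bottom are constructed with documentation addresses.
"""
import re
from collections import namedtuple

Static = namedtuple("Static", "proto global_ip local_ip")   # proto None = one-to-one
Ace = namedtuple("Ace", "name proto dst port")
Config = namedtuple("Config", "outside_ip statics aces applied")

PORT_NAMES = {"pptp": 1723, "www": 80, "http": 80, "isakmp": 500, "l2tp": 1701}
PROTO_NUMBERS = {"47": "gre", "50": "esp", "6": "tcp", "17": "udp"}
REQUIRED = {
    "pptp": {("tcp", 1723), ("gre", None)},
    # L2TP/IPsec (also asked in the thread): IKE, NAT-T and ESP.  UDP 1701
    # rides inside the IPsec tunnel, so the PIX never sees it.
    "l2tp-ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
}


def _addr(tok, i):
    """ACL address at tok[i] -> (address, tokens consumed)."""
    if tok[i] == "any":
        return "any", 1
    if tok[i] == "host":
        return tok[i + 1], 2
    return tok[i], 2                     # network + mask: keep the network


def parse_config(text):
    outside_ip, statics, aces, applied = None, [], [], {}
    for raw in text.splitlines():
        # the thread writes "(inside, outside)"; PIX wants "(inside,outside)"
        tok = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"(\1,\2)", raw.strip()).split()
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[:3] == ["ip", "address", "outside"]:
            outside_ip = tok[3]
        elif tok[0] == "static":
            if tok[2] in ("tcp", "udp"):   # static PAT: proto G gport L lport
                statics.append(Static(tok[2], tok[3], tok[5]))
            else:                           # one-to-one: G L
                statics.append(Static(None, tok[2], tok[3]))
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")
            proto = PROTO_NUMBERS.get(tok[i + 1], tok[i + 1])
            _src, n = _addr(tok, i + 2)
            dst, m = _addr(tok, i + 2 + n)
            j, port = i + 2 + n + m, None
            if j + 1 < len(tok) and tok[j] == "eq":
                p = tok[j + 1]
                port = PORT_NAMES.get(p, int(p) if p.isdigit() else p)
            aces.append(Ace(tok[1], proto, dst, port))
        elif tok[0] == "access-group":      # access-group NAME in interface IF
            applied[tok[4]] = tok[1]
    return Config(outside_ip, statics, aces, applied)


def check_vpn_passthrough(text, server_ip, vpn="pptp"):
    """Return [(code, message), ...]; an empty list means the config looks right."""
    cfg, out = parse_config(text), []
    statics = [s for s in cfg.statics if s.local_ip == server_ip]
    if not statics:
        return [("NO_STATIC", f"no static translation for {server_ip}")]
    for s in statics:
        if s.proto:
            out.append(("PORT_FORWARD", f"static for {s.local_ip} forwards only {s.proto} "
                        "ports; GRE and ESP have no ports, so the PIX drops them"))
            continue
        if cfg.outside_ip and s.global_ip == cfg.outside_ip:
            out.append(("GLOBAL_IS_OUTSIDE_IF", f"static maps {s.local_ip} to the PIX outside "
                        f"interface address {s.global_ip}; use a spare public address"))
        acl = cfg.applied.get("outside")
        if acl is None:
            out.append(("NO_ACCESS_GROUP", "no access-group applied to the outside interface"))
            continue
        aces = [a for a in cfg.aces if a.name == acl]
        if s.local_ip != s.global_ip and any(a.dst == s.local_ip for a in aces):
            out.append(("ACL_USES_LOCAL_IP", f"{acl} permits to the inside address {s.local_ip}; "
                        f"the outside ACL must name the global address {s.global_ip}"))
        have = {(a.proto, a.port) for a in aces if a.dst in ("any", s.global_ip)}
        if ("ip", None) in have:              # permit ip any host G covers everything
            have |= REQUIRED[vpn]
        for proto, port in sorted(REQUIRED[vpn] - have, key=str):
            eq = f" eq {port}" if port else ""
            out.append(("ACL_MISSING", f"{acl} lacks 'permit {proto} any host {s.global_ip}{eq}'"))
    return out


# Constructed: the thread's first attempt, with documentation addresses standing in.
BROKEN = """
ip address outside 203.0.113.1 255.255.255.0
static (inside, outside) 203.0.113.1 192.0.2.10 netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 192.0.2.10
access-list outside_acl permit tcp any host 192.0.2.10 eq pptp
access-group outside_acl in interface outside
"""
# Constructed: a spare address from the same public block, ACL on the global address.
FIXED = """
ip address outside 203.0.113.1 255.255.255.0
static (inside,outside) 203.0.113.5 192.0.2.10 netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 203.0.113.5
access-list outside_acl permit tcp any host 203.0.113.5 eq 1723
access-group outside_acl in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_vpn_passthrough(cfg, "192.0.2.10") or "ok")
```

Run it against `show running-config` output saved to a file and the server's inside address; an identity static (`static (inside,outside) X X`, as suggested earlier in the thread) passes the same checks, since the global and inside addresses are then the same.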

Thanks for your reply. I actually have an entire class c range at my disposal for my public ip addressing scheme. So the static (inside,outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0 is a one to one address match. The public ip address of the pix is not shared with the ip address in the statement above.

providing the 22.218.0.xx is a public ip, and with the following commands:

static (inside,outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0

access-list outside_acl permit gre any host 22.218.0.xx

access-list outside_acl permit tcp any host 22.218.0.xx eq 1723

access-group outside_acl in interface outside

it should work. try to verify whether the pptp server is setup correctly.
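The last suggestion, verifying that the PPTP server itself is reachable and answering, as an added example that is not code from the thread, from Cisco or from Microsoft: a Python probe that opens TCP 1723 through the firewall and completes the PPTP Start-Control-Connection exchange from RFC 2637. The client error "remote computer did not respond" covers both a blocked TCP 1723 and a working control channel with GRE dropped; the probe separates the two, because a Result Code of 1 in the reply means the ISA/RRAS service answered through the PIX, so a hang after that points at GRE (IP protocol 47). The host name, vendor string and the sample reply in the block are constructed.

```python
"""PPTP control-channel probe (added example, RFC 2637 message formats).

build_sccrq() and parse_sccrp() are pure and can be checked offline;
probe() does the live exchange against a host:port.  Result Code 1 in the
Start-Control-Connection-Reply means the PPTP service answered; a later
hang during PPP negotiation then points at GRE (IP protocol 47) being
dropped rather than at TCP 1723.
"""
import socket
import struct

MAGIC = 0x1A2B3C4D
SCCRQ, SCCRP = 1, 2
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # length, type, cookie, ctrl, res, ver, res, fram, bear, chans, fw, host, vendor
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # same, but result code and error code replace the second reserved field
MSG_LEN = struct.calcsize(SCCRP_FMT)  # 156 for both
RESULT_NAMES = {1: "OK", 2: "general error", 3: "command channel already exists",
                4: "requester not authorised", 5: "unsupported protocol version"}


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Start-Control-Connection-Request: control message, protocol 1.0,
    async+sync framing, analog+digital bearer, one channel."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, 1, MAGIC, SCCRQ, 0, 0x0100, 0,
                       0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short reply: {len(data)} bytes")
    (_length, _msg_type, magic, ctrl, _res, version, result, error,
     _framing, _bearer, max_channels, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic cookie: not a PPTP control message")
    if ctrl != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl}")
    return {"result": result, "result_name": RESULT_NAMES.get(result, "unknown"),
            "error": error, "version": version, "max_channels": max_channels,
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}


def probe(host, port=1723, timeout=5.0):
    """Live check: TCP connect, send SCCRQ, read one SCCRP.  Returns a dict
    whose 'stage' says how far it got: 'tcp' (no connection) or 'sccrp'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            data = b""
            while len(data) < MSG_LEN:
                chunk = s.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as e:
        return {"stage": "tcp", "ok": False, "detail": str(e)}
    try:
        reply = parse_sccrp(data)
    except ValueError as e:
        return {"stage": "sccrp", "ok": False, "detail": str(e)}
    return {"stage": "sccrp", "ok": reply["result"] == 1, "detail": reply}


# Constructed SCCRP of the kind an RRAS/ISA PPTP service returns, for offline checks.
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, MSG_LEN, 1, MAGIC, SCCRP, 0, 0x0100, 1, 0,
                           0x3, 0x3, 255, 0,
                           b"isa-server".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    print(probe(target))
```

Run it from outside the PIX against the global address from the `static`. A result at stage `tcp` means the TCP 1723 path (static or ACL) is wrong; stage `sccrp` with `ok` true means the ISA server's PPTP service is up and reachable, and a client that still fails after that is losing GRE.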