10-04-2005 04:54 PM
I am trying to create a front end back end firewall solution using Pix Version 6.3(5) as my front end and Microsoft ISA server 2004 as my backend. I am trying to pass Microsoft client VPN connections thru the Pix firewall and terminate them on the ISA server. I have added these commands to the Pix.
access-list outside_acl permit tcp any host 64.206.48.XX (external address of Pix)
static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0
22.218.0.xx is the "external interface" of the ISA server. With this configuration, inside users can access the internet, but any attempt to create and terminate an external VPN connection receives the error "remote computer did not respond." What do I need to do to pass pptp and l2tp traffic to the ISA server?
10-04-2005 07:08 PM
you mentioned that 64.206.48.xx is the pix outside int ip and 22.218.0.xx is the isa external int ip. to allow pptp vpn to pass through the pix and terminate on the isa, the isa needs a public ip for itself, not shared with the pix.
the reason being with pptp vpn, you need to allow:
tcp 1723 and gre i.e. ip 50, and port forwarding doesn't support ip 50.
if 22.218.0.xx is a public ip, then you can do:
static (inside,outside) 22.218.0.xx 22.218.0.xx netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 22.218.0.xx
access-list outside_acl permit tcp any host 22.218.0.xx eq 1723
10-05-2005 08:54 AM
The external ip address of the pix firewall is 64.206.48.xx. The external ip address of the ISA Server is 22.218.0.xx. This is not shared with the pix but is in a subnet with an internal interface on the pix. My configuration is as follows:
access-list outside_acl permit tcp any host 64.206.48.XX (external address of Pix)
static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 22.218.0.xx
access-list outside_acl permit tcp any host 22.218.0.xx eq 1723
After doing this, I received the same error message, "remote server is not responding". When I check the logs on the ISA server there is no sign of the server receiving a VPN request.
I am not clear on your response, are you suggesting that I publish the ISA server thru the pix firewall? Wouldn't this defeat the purpose of a front end back end firewall solution? Also, when I checked my config on the Pix firewall, eq 1723 was replaced by eq pptp. Do I need to add an additional command to allow l2tp?
10-05-2005 06:53 PM
the pptp vpn will not work unless the isa server has a public ip for its own use, not shared with the pix outside interface. with the existing config, "static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0" will not achieve this.
"static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0" will nat any traffic with destination 64.206.48.xx to 22.218.0.xx. however, at the same time, the same ip 64.206.48.xx is the pix outside interface ip, so the pix will be confused.
normally if you've got only 1 public ip and you need inbound access, you would do port forwarding.
e.g. for inbound www access
static (inside,outside) tcp
access-list 100 permit tcp any host
access-group 100 in interface outside
however, port forwarding doesn't work with vpn. the reason being port forwarding works with tcp and udp, and pptp vpn requires gre i.e. ip 50.
i guess the workaround is either "publish" the isa thru the pix or let the pix handle the vpn.
10-05-2005 07:54 PM
Thanks for your reply. I actually have an entire class C range at my disposal for my public ip addressing scheme, so the static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0 is a one-to-one address match. The public ip address of the pix is not shared with the ip address in the statement above.
10-13-2005 06:21 PM
provided that 22.218.0.xx is a public ip, and with the following commands:
static (inside, outside) 64.206.48.xx 22.218.0.xx netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 22.218.0.xx
access-list outside_acl permit tcp any host 22.218.0.xx eq 1723
access-group outside_acl in interface outside
it should work. try to verify whether the pptp server is set up correctly.
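The thread's requirements for terminating PPTP behind a PIX 6.3 reduce to a handful of checks that can be run against a configuration dump before touching the box: a one-to-one static for the ISA external address (a tcp/udp port forward cannot carry GRE), a mapped address that is not the PIX outside interface address, and an outside access-list bound with access-group that permits gre and tcp/1723 (which the PIX displays as eq pptp) to the mapped address. The script below is an added example written for this page, not Cisco's or any poster's code. The three configuration fragments are constructed, with the thread's "xx" octets replaced by made-up host numbers. Two facts it relies on: GRE is IP protocol 47 (protocol 50 is ESP; the PIX keyword gre is what matters), and on PIX 6.x an access-list applied inbound on the outside interface is evaluated against the global (post-static) address, so permits written against the pre-translation 22.218.0.xx address never match when the static maps a different 64.206.48.xx global to it.

```python
import re
from typing import Dict, List, Optional

# PIX 6.3 shows "eq 1723" as "eq pptp" in show run, so accept both spellings.
PPTP_PORTS = {"1723", "pptp"}

# Constructed fragment modelled on the original post: static mapped to the outside interface IP.
CONFIG_AS_POSTED = """
ip address outside 64.206.48.10 255.255.255.0
ip address inside 22.218.0.1 255.255.255.0
access-list outside_acl permit tcp any host 64.206.48.10
static (inside, outside) 64.206.48.10 22.218.0.10 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
"""

# Constructed fragment modelled on the last reply: distinct global address, but ACLs on the local one.
CONFIG_LAST_REPLY = """
ip address outside 64.206.48.10 255.255.255.0
static (inside, outside) 64.206.48.20 22.218.0.10 netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 22.218.0.10
access-list outside_acl permit tcp any host 22.218.0.10 eq 1723
access-group outside_acl in interface outside
"""

# Constructed fragment modelled on the first reply: identity static on a routable address.
CONFIG_IDENTITY = """
ip address outside 64.206.48.10 255.255.255.0
static (inside,outside) 22.218.0.10 22.218.0.10 netmask 255.255.255.255 0 0
access-list outside_acl permit gre any host 22.218.0.10
access-list outside_acl permit tcp any host 22.218.0.10 eq pptp
access-group outside_acl in interface outside
"""


def parse_pix(config: str) -> Dict:
    """Extract interface addresses, statics, access-list entries and access-group bindings."""
    cfg: Dict = {"interfaces": {}, "statics": [], "acls": {}, "groups": {}}
    for raw in config.splitlines():
        # Normalise "(inside, outside)" to "(inside,outside)" so it is one token.
        line = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"(\1,\2)", raw.strip())
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 4:
            cfg["interfaces"][tok[2]] = tok[3]
        elif tok[0] == "static" and len(tok) >= 4:
            entry = {"proto": None, "mask": None}
            if tok[2] in ("tcp", "udp"):  # port-forward form: static (i,o) tcp gip gport lip lport
                entry.update(proto=tok[2], global_ip=tok[3], local=tok[5] if len(tok) > 5 else None)
            else:  # one-to-one form: static (i,o) gip lip
                entry.update(global_ip=tok[2], local=tok[3])
            if "netmask" in tok:
                entry["mask"] = tok[tok.index("netmask") + 1]
            cfg["statics"].append(entry)
        elif tok[0] == "access-list" and len(tok) >= 5 and tok[2] == "permit":
            name, proto, rest = tok[1], tok[3], tok[4:]
            i = 1 if rest[0] == "any" else 2          # skip source ("any", "host X" or "net mask")
            if rest[i] == "any":
                dst, j = "any", i + 1
            elif rest[i] == "host":
                dst, j = rest[i + 1], i + 2
            else:
                dst, j = rest[i], i + 2
            port = rest[j + 1] if j < len(rest) and rest[j] == "eq" else None
            cfg["acls"].setdefault(name, []).append({"proto": proto, "dst": dst, "port": port})
        elif tok[0] == "access-group" and len(tok) >= 5 and tok[3] == "interface":
            cfg["groups"][tok[1]] = (tok[2], tok[4])
    return cfg


def check_pptp_passthrough(config: str, isa_local_ip: str, outside_if: str = "outside") -> List[str]:
    """Return a list of findings; an empty list means the PPTP prerequisites are all present."""
    cfg = parse_pix(config)
    findings: List[str] = []
    statics = [s for s in cfg["statics"] if s["local"] == isa_local_ip]
    if not statics:
        return [f"no static translation for ISA external address {isa_local_ip}"]
    s = statics[0]
    if s["proto"]:
        return [f"static for {isa_local_ip} is a {s['proto']} port forward; GRE cannot be port-forwarded"]
    mapped: str = s["global_ip"]
    if s["mask"] != "255.255.255.255":
        findings.append(f"static for {isa_local_ip} is not a host (255.255.255.255) translation")
    if cfg["interfaces"].get(outside_if) == mapped:
        findings.append(f"static global {mapped} is the {outside_if} interface address; use a separate public IP")
    bound = [n for n, (direction, iface) in cfg["groups"].items() if direction == "in" and iface == outside_if]
    if not bound:
        findings.append(f"no access-group binds an access-list inbound on {outside_if}")
    entries = [e for n in bound for e in cfg["acls"].get(n, [])]
    if not any(e["proto"] == "gre" and e["dst"] in ("any", mapped) for e in entries):
        findings.append(f"no permit gre to {mapped}")
    # A tcp permit with no "eq" covers every port, including 1723.
    if not any(e["proto"] == "tcp" and e["dst"] in ("any", mapped)
               and (e["port"] is None or e["port"] in PPTP_PORTS) for e in entries):
        findings.append(f"no permit tcp eq 1723 to {mapped}")
    if mapped != isa_local_ip:
        misplaced = sum(1 for e in entries if e["dst"] == isa_local_ip)
        if misplaced:
            findings.append(f"{misplaced} ACL entries match pre-translation {isa_local_ip}; "
                            f"outside ACLs are evaluated against the global address {mapped}")
    return findings


if __name__ == "__main__":
    for label, cfg_text in [("as posted", CONFIG_AS_POSTED), ("last reply", CONFIG_LAST_REPLY),
                            ("identity static", CONFIG_IDENTITY)]:
        print(label, check_pptp_passthrough(cfg_text, "22.218.0.10") or ["ok"])
```

Running it reports the interface-address conflict and the missing gre permit for the originally posted fragment, flags the last reply's fragment because its permits name the local address rather than the 64.206.48.xx global that the static introduces, and returns no findings for the identity-static layout from the first reply. The checker says nothing about L2TP, which the thread leaves open; L2TP/IPsec would need its own udp/500, udp/4500 and esp permits and does not traverse a one-to-one static as cleanly as PPTP.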