Can I create a PPTP VPN and a client connection on a PIX 501 with a PPPoE client connection to my ISP? The PPPoE IP is dynamic and the VPN will have a static IP. They gave me a username and password for the VPN and PPPoE. They also gave me an IP for the VPN server.
What needs to happen is that the PPPoE must connect for the VPN to work.
I can only get the PPPoE up, but don't know how to do this together with a PPTP VPN.
Here is my config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname neveroff
domain-name neveroff.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list incoming permit icmp any any echo-reply
access-list incoming permit icmp any any source-quench
access-list incoming permit icmp any any unreachable
access-list incoming permit icmp any any time-exceeded
pager lines 24
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any source-quench outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any timestamp-reply outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
access-group incoming in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxxxxxx
vpdn group pppoex ppp authentication chap
vpdn username xxxxxxxx password xxxxxxxx
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 192.168.1.1 220.127.116.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username neveroff password TEnlGTQMwqamBzMn encrypted privilege 2
terminal width 80
Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf
: end
The PIX firewall cannot act as a PPTP client; only a PC/laptop can act as a PPTP client.
I don't quite understand what you mean by the VPN having a static IP. Are you trying to connect to your ISP via PPTP, or would you like to connect to your PIX remotely via PPTP? The PIX firewall can be configured as a PPTP server, but not as a PPTP client.
OK, that makes sense. But I don't know how the ISP will assign a static IP address for your PPTP server. How would the routing work? How would they route the static IP address, and how would you connect that to the ISP?
In any case, if you are going to pass PPTP traffic through the PIX, you would need to configure the following:
1) Static port address redirection for TCP/1723.
2) "fixup protocol pptp 1723" to allow the PIX to automatically create the GRE tunnel after the PPTP control connection.
3) An ACL on the outside interface to allow TCP/1723 through.
Please check out the command reference for "fixup protocol pptp 1723":
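A quick way to check a saved configuration against the three passthrough items listed in the reply above. This is an added example, not part of the original thread; the excerpts are constructed from the posted configuration, and the inside server address 192.168.1.50, the `interface outside` ACL form, the `pptp` port literal and the function name are assumptions.

```python
import re

# Constructed excerpt of the PIX 6.3 configuration posted in the question.
POSTED_CONFIG = """\
fixup protocol smtp 25
access-list incoming permit icmp any any echo-reply
static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
access-group incoming in interface outside
"""

# The same excerpt with one possible form of the three items added.
# 192.168.1.50 is a hypothetical inside PPTP server, not a value from the thread.
PASSTHROUGH_CONFIG = POSTED_CONFIG + """\
fixup protocol pptp 1723
static (inside,outside) tcp interface 1723 192.168.1.50 1723 netmask 255.255.255.255 0 0
access-list incoming permit tcp any interface outside eq 1723
"""

# Assumption: the port may be written as the number or as the literal "pptp".
PORT = r"(?:1723|pptp)"


def missing_pptp_prerequisites(config):
    """Return the passthrough items from the reply that the config lacks."""
    bound = set()    # ACLs applied inbound on the outside interface
    permits = set()  # ACLs with an explicit "permit tcp ... eq 1723" entry
    has_static = has_fixup = False
    for ln in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-group (\S+) in interface outside$", ln):
            bound.add(m.group(1))
        elif m := re.match(rf"access-list (\S+) permit tcp .* eq {PORT}$", ln):
            permits.add(m.group(1))
        elif re.match(rf"static \(inside,outside\) tcp \S+ {PORT} \S+ {PORT}\b", ln):
            has_static = True
        elif ln == "fixup protocol pptp 1723":
            has_fixup = True
    checks = [
        ("static redirect for TCP/1723", has_static),
        ("fixup protocol pptp 1723", has_fixup),
        # A permit only counts if its ACL is actually bound to the outside interface.
        ("outside ACL permit for TCP/1723", bool(bound & permits)),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    print("posted config is missing:", missing_pptp_prerequisites(POSTED_CONFIG))
    print("after changes, missing:", missing_pptp_prerequisites(PASSTHROUGH_CONFIG))
```

The check only recognises an explicit `eq 1723` permit; a broader permit entry that happens to cover the port is not detected.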