GroupStudy.com - A virtual community of network engineers
Re: PIX and GRE [7:93446] posted 09/30/2004


Never mind. I got it to work! See notes below.

Priscilla Oppenheimer wrote:
> 
> cisco4ng wrote:
> > 
> > Upgrade to pix 6.3(1) or 6.3(4)
> 
> Is that the only possibility? The equipment was donated by
> Cisco with no support so we're stuck with 6.2 until we beg and
> plead with Cisco some more.

It wasn't necessary to upgrade.

> 
> I tried everything mentioned by that URL in the other reply.
> Did I get the inside outside stuff inside out? :-) What command
> do I need?

I did have it right. It was an upstream firewall blocking GRE. We fixed that
and voila: success. That URL in the other reply has recommendations that
actually work! Hooray.

Thanks everyone.

Priscilla


> 
> Thanks
> 
> Priscilla
> 
> 
> >  
> > fixup protocol pptp 1723
> >  
> > that will fix your problem
> > 
> > Priscilla Oppenheimer  wrote:
> > Hi GroupStudy,
> > 
> > Any tricks I need to know to get GRE through a PIX?
> > 
> > Client on inside network is on Windows 98 using Microsoft VPN
> > software. This works on his home network, but he needs it to work
> > at work too. From sniffing, I can see that the VPN software uses
> > PPTP and then GRE.
> > 
> > The PPTP gets through our PIX just fine, but the GRE does not.
> > Sniffing on the outside of the PIX indicates that the PIX is
> > swallowing the GRE packets. We thought we had the PIX configured
> > to be open (for now) and not swallowing anything. I tried adding
> > GRE explicitly to the access list to no avail.
> > 
> > Here's a truncated config listing:
> > 
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security10
> > !
> > access-list DMZ permit ip any any
> > access-list INSIDE permit ip any any
> > access-list INSIDE permit gre any any
> > access-list OPEN permit ip any any
> > access-list OPEN permit gre any any
> > !
> > ip address outside XXX.211.4.9 255.255.255.0
> > ip address inside 192.168.0.1 255.255.255.0
> > ip address dmz XXX.211.102.225 255.255.255.224
> > !
> > global (outside) 1 XXX.211.102.254 netmask 255.255.255.224
> > global (dmz) 1 XXX.211.102.254 netmask 255.255.255.224
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > !
> > access-group OPEN in interface outside
> > access-group INSIDE in interface inside
> > access-group DMZ in interface dmz
> > 
> > Thank-you very much.
> > 
> > Priscilla Oppenheimer
> > 
> > 
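As an added example (not part of the thread), a small Python audit of a PIX 6.x config excerpt for the PPTP pass-through prerequisites discussed above: PPTP needs the TCP/1723 control connection plus GRE (IP protocol 47) for the tunnel, so the script checks whether the ACL bound inbound on the outside interface permits GRE, or whether `fixup protocol pptp` is present. `SAMPLE_CONFIG` is a constructed excerpt of the posted config; `pptp_passthrough_check` and the other names are this example's own.

```python
"""Audit a PIX 6.x config excerpt for PPTP pass-through prerequisites.

PPTP uses a TCP/1723 control connection plus GRE (IP protocol 47) for the
tunnelled data, so GRE must be allowed explicitly unless the PIX inspects
PPTP ("fixup protocol pptp 1723", available from 6.3).
"""
import re

# Constructed excerpt based on the config posted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list INSIDE permit ip any any
access-list INSIDE permit gre any any
access-list OPEN permit ip any any
access-list OPEN permit gre any any
access-group OPEN in interface outside
access-group INSIDE in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def parse_config(text):
    """Collect ACL entries, interface bindings and whether pptp fixup is on."""
    acls, bindings, fixup_pptp = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif line.startswith("fixup protocol pptp"):
            fixup_pptp = True
    return acls, bindings, fixup_pptp

def first_match(entries, proto):
    """First-match ACL semantics; 'ip' matches every IP protocol, GRE included."""
    for action, p, _rest in entries:
        if p in (proto, "ip"):
            return action
    return None  # implicit deny at the end of the list

def pptp_passthrough_check(text, interface="outside"):
    acls, bindings, fixup = parse_config(text)
    if fixup:
        return "ok: fixup protocol pptp inspects TCP/1723 and opens GRE dynamically"
    acl = bindings.get(interface)
    if first_match(acls.get(acl, []), "gre") == "permit":
        return f"ok: GRE permitted statically by ACL {acl} on {interface}"
    return f"blocked: GRE not permitted on {interface}; add 'permit gre' or fixup protocol pptp"
```

On the posted config the check passes (the OPEN list's `permit ip any any` already covers GRE, so the explicit `permit gre` is redundant), which is consistent with the drop having been upstream of the PIX rather than on it.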


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=93455&t=93446