Re: PIX and GRE [7:93446] posted 09/30/2004
- Subject: Re: PIX and GRE [7:93446]
- From: "Priscilla Oppenheimer" <nobody@xxxxxxxxxxxxxx>
- Date: Thu, 30 Sep 2004 23:21:49 GMT
Never mind. I got it to work! See notes below.
Priscilla Oppenheimer wrote:
> cisco4ng wrote:
> > Upgrade to pix 6.3(1) or 6.3(4)
> Is that the only possibility? The equipment was donated by
> Cisco with no support so we're stuck with 6.2 until we beg and
> plead with Cisco some more.
It wasn't necessary to upgrade.
> I tried everything mentioned by that URL in the other reply.
> Did I get the inside outside stuff inside out? :-) What command
> do I need?
I did have it right. It was an upstream firewall blocking GRE. We fixed that
and voila: success. That URL in the other reply has recommendations that
actually work! Hooray.
> > fixup protocol pptp 1723
> > that will fix your problem
> > Priscilla Oppenheimer wrote:
> > Hi GroupStudy,
> > Any tricks I need to know to get GRE through a PIX?
> > Client on inside network is on Windows 98 using Microsoft VPN
> > software. This works on his home network, but he needs it to work
> > at work too. From sniffing, I can see that the VPN software uses
> > PPTP and then GRE.
> > The PPTP gets through our PIX just fine, but the GRE does not.
> > Sniffing on the outside of the PIX indicates that the PIX is
> > swallowing GRE packets.
> > We thought we had the PIX configured to be open (for now) and not
> > swallowing anything. I tried adding GRE explicitly to the access
> > list to no avail.
> > Here's a truncated config listing:
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security10
> > !
> > access-list DMZ permit ip any any
> > access-list INSIDE permit ip any any
> > access-list INSIDE permit gre any any
> > access-list OPEN permit ip any any
> > access-list OPEN permit gre any any
> > !
> > ip address outside XXX.211.4.9 255.255.255.0
> > ip address inside 192.168.0.1 255.255.255.0
> > ip address dmz XXX.211.102.225 255.255.255.224
> > !
> > global (outside) 1 XXX.211.102.254 netmask 255.255.255.224
> > global (dmz) 1 XXX.211.102.254 netmask 255.255.255.224
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > !
> > access-group OPEN in interface outside
> > access-group INSIDE in interface inside
> > access-group DMZ in interface dmz
> > Thank you very much.
> > Priscilla Oppenheimer
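The troubleshooting in this thread (PPTP control traffic on TCP/1723 passes, the GRE data channel vanishes somewhere between the client and the Internet) can be turned into a repeatable check. The script below is an added example, not code from the thread or from Cisco: it takes packet summaries captured at an ordered list of points along the path and reports, per PPTP server, the first point where GRE no longer appears. It generalises the two-point case (PIX inside/outside) to any number of capture points, and keys on the server address only so the PAT done by the PIX's nat/global lines does not break the match. Capture point names and the RFC 5737 addresses are constructed sample data.

```python
# Added example: locate where GRE toward a PPTP server stops appearing along
# a chain of capture points (e.g. PIX inside, PIX outside, upstream firewall).
from collections import defaultdict

IPPROTO_TCP = 6
IPPROTO_GRE = 47      # PPTP data channel (IP protocol 47, no ports)
PPTP_PORT = 1723      # PPTP control channel

def observed(packets):
    """packets: iterable of (point, proto, src, dst, dport), outbound direction.
    Returns {point: set of ("pptp", server) / ("gre", server)}. Only the
    destination is used, so source PAT on the PIX does not matter."""
    seen = defaultdict(set)
    for point, proto, _src, dst, dport in packets:
        if proto == IPPROTO_TCP and dport == PPTP_PORT:
            seen[point].add(("pptp", dst))
        elif proto == IPPROTO_GRE:
            seen[point].add(("gre", dst))
    return seen

def gre_drop_points(packets, path):
    """path: capture points ordered from the client outward.
    Returns {server: first point on path with no GRE toward that server,
    or None if GRE was seen at every point}. Only servers that have a PPTP
    control connection somewhere on the path are reported."""
    seen = observed(packets)
    servers = {srv for p in path for kind, srv in seen[p] if kind == "pptp"}
    return {srv: next((p for p in path if ("gre", srv) not in seen[p]), None)
            for srv in sorted(servers)}

# Constructed sample: client 192.168.0.10 behind the PIX, VPN server
# 203.0.113.5, PIX outside PAT address 198.51.100.254. The control channel is
# seen everywhere; GRE crosses the PIX but vanishes after the upstream firewall.
PATH = ["pix-inside", "pix-outside", "upstream-outside"]
SAMPLE = [
    ("pix-inside",       6,  "192.168.0.10",   "203.0.113.5", 1723),
    ("pix-inside",       47, "192.168.0.10",   "203.0.113.5", None),
    ("pix-outside",      6,  "198.51.100.254", "203.0.113.5", 1723),
    ("pix-outside",      47, "198.51.100.254", "203.0.113.5", None),
    ("upstream-outside", 6,  "198.51.100.254", "203.0.113.5", 1723),
]

if __name__ == "__main__":
    for server, point in gre_drop_points(SAMPLE, PATH).items():
        status = "GRE seen at every point" if point is None else f"GRE missing from {point} onward"
        print(server, status)
```

A report of "missing" at the very first point means the client never sent GRE at all, which points at the client rather than any firewall.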
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html