GroupStudy.com - A virtual community of network engineers
RE: problem with initiating PPTP connection behind a Pix Firewall via PAT posted 01/21/2003


Hi all,

PIX version 6.3 has a PPTP fixup.
You can check the 6.3 beta; it should work.

Tomer

-----Original Message-----
From: George Hansen [mailto:ghansen@stealthnetwork.com] 
Sent: Friday, December 27, 2002 12:40 AM
To: systemboard@excite.com; security@groupstudy.com
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT

In PAT with IPSec, when the return ESP traffic comes to the PIX it
doesn't know what to do with it (no specific xlate), so it discards.

With the PIX as an EZVPN client, when the return ESP traffic comes to
the PIX it knows what to do with it (process itself).

All PCs on the PIX internal network have the PIX as their Gateway. The
PIX determines whether to send traffic through the IPSec tunnel or out
to the ISP (assuming you are split-tunnel).

George 


-----Original Message-----
From: Jim [mailto:systemboard@excite.com]
Sent: Thursday, December 26, 2002 2:28 PM
To: George Hansen
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT

Why does making the PIX with PAT an EZVPN client help with IPSEC pass
through?

JT

--- On Thu 12/26, George Hansen wrote:
From: George Hansen [mailto:ghansen@stealthnetwork.com]
To: cisco@groupstudy.com, security@groupstudy.com
Date: Thu, 26 Dec 2002 11:33:04 -0800
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall via PAT

I had a similar problem trying to run IPSec through the PIX with PAT.
The answer from TAC was, support only one client (as Justin stated),
get another static IP, or setup the PIX as an EZVPN client to the
VPN headend. The downside of the third answer is that the PIX can be
an EZVPN client to only one device at a time.

Maybe you could setup your PIX to be the PPTP client using vpdn, and
pass packets through from your laptop.

George

-----Original Message-----
From: Justin Menga [mailto:Justin.Menga@nz.logical.com]
Sent: Monday, December 23, 2002 10:28 PM
To: eric nguyen; rajett@cisco.com; 'Chuck Church'; cisco@groupstudy.com; security@groupstudy.com
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall via PAT

Hi Eric

You can make it work, but under the following restrictions:

1. You can only support a single PPTP connection from a single inside host
2. You need a static IP address

All you need to do is configure a static for your inside host that needs
the PPTP connections and map this to the outside IP address. I don't think
the PIX allows you to define static one-to-one NATs for interfaces (i.e. the
static NAT dynamically picks up your outside dynamic IP addressing), hence
the requirement for a static IP address. You also need to use an ACL on the
outside that permits incoming GRE packets from the PPTP server. If you have
any ACLs defined on the internal interface, you need to permit TCP traffic
to port 1723 on the PPTP server.

Sample config:

static (inside,outside) 200.1.1.1 192.168.1.10
access-list OUTSIDE permit gre host 210.1.1.1 host 200.1.1.1
! This is only required if you have an ACL applied on the inside interface
! By default, this connection will be permitted from outside to inside
access-list INSIDE permit tcp host 192.168.1.10 host 210.1.1.1 eq 1723
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside

As indicated in other posts, PAT works with PPTP on Cisco IOS. This is
because Cisco IOS snoops the TCP control channel for an identifier used to
identify a particular PPTP connection, which is included within the GRE
headers of each GRE packet. I agree the PIX should support PAT for PPTP,
and I have no doubt it probably will at some stage as it is supported in
IOS.

HTH
Justin

-----Original Message-----
From: eric nguyen [mailto:checkpointgeek@yahoo.com]
Sent: Saturday, December 21, 2002 4:27 PM
To: rajett@cisco.com; 'Chuck Church'; cisco@groupstudy.com; security@groupstudy.com
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall via PAT

Thanks for the info. This absolutely sucks. I am sure there are many folks
out there with broadband connection like myself, cable modem or DSL, that
has only one external IP address. Those folks might be using Cisco Pix501,
Pix506 or Pix506E for their home firewall. I am sure they need to connect
to their corporate network via PPTP just like myself. Now I have no choice
but to switch back to my Linux firewall. Pix firewall, what a piece of
shit. For an expensive product like that, you would think that Cisco makes
an effort to make PPTP work via PAT. Enough of me venting off my
frustration. Thanks everyone for your help.

Eric

"Raymond Jett (rajett)" wrote:

Hmmm.... To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT... Although, interestingly
enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; cisco@groupstudy.com; security@groupstudy.com
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

Chuck,

I did try the following:

static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside

it still doesn't work. The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same
company. This is really frustrating. I feel like I am being "ripped-off"
by Cisco Pix firewall (even though I am running a clone, there is no way
in hell that Cisco will support it). It is really amazing that an expensive
product like this one doesn't support PPTP with PAT (to my knowledge). Even
Linux firewall supports PPTP over PAT. I feel like I am hitting a brick
wall here. Please help.

Eric

Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

You need to statically map TCP 1723 on the outside to your inside PC, same
port. At one time I thought it needed GRE, but I don't see it listed on
that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Neil Moore"
To: "eric nguyen" ; ;
Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall via PAT

> It's all broken... I will give you 500 bux for that pix ..no problem!
> ----------------------------------------
> Neil Moore CCIE#10044

----- Original Message -----
From: "eric nguyen"
To: ;
Sent: Friday, December 20, 2002 4:47 PM
Subject: problem with initiating PPTP connection behind a Pix Firewall via PAT

I just replace my home linux "iptables" firewall with a "franken" pix
firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
PDM 2.1(1).

My internal network is 172.16.1.0/24 with the "inside" interface of the
firewall is 172.16.1.254. The "outside" interface of the firewall is
4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
access the Internet via Port Address Translation (PAT) to the "outside"
interface and it seems to work OK. On the "inside" network, I have a
Websense filter server (IP 172.16.1.2) to do url filtering for both the
"inside" and "outside" interface. I use Websense server to filter out
traffic that I don't want my children to see. Everything is working great
with a minor exception:

I need to make a PPTP connection from a laptop on the "inside" network (IP
172.16.1.100) to a PPTP server at my work place. The problem is that the
connection keeps timing out. The connection time out at the "verify
username and password". To make sure that this is not a problem with my
laptop, I hook my laptop directly to the cable modem (I have roadrunner).
Since my laptop has a valid external IP address, PPTP works. If I place the
laptop on the "inside" network behind the "franken" pix, PPTP doesn't
work. I even make the firewall "wide-open" for both inbound and outbound
and it still doesn't work. Now if I replace the "franken" pix firewall
with a linux firewall, PPTP works just fine through IP masquerading which
is equivalent to PAT.

My question is this: has anyone been able to successfully initiate a PPTP
from behind a Pix firewall via Port Address Translation (PAT)? Does it
even work at all with PAT? I am starting to have serious doubt with Cisco
Pix firewall. It costs me $500 to build this "franken" pix firewall. With
the CPU, memory and flash, this "franken" pix is equivalent to a Cisco
Pix525 (minus the Gigabit Interface) and it can not even do a simple thing
like allowing PPTP through PAT. My linux firewall is running on a Pentium
90Mhz with 64MB of RAM and PPTP works just fine, and it costs me $20 for
that old system.

I think PPTP will work with static NAT but I don't have an extra public IP
to spare.

If anyone has PPTP works through PAT, please reply. Thanks.

Eric.

Here is my Pix configuration

HERNDON-PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
nameif ethernet3 dmz2 security98
enable password ***************** encrypted
passwd ********************* encrypted
hostname HOME-PIX
domain-name home.com
clock timezone est -5
clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list compiled
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit gre any any
access-list 200 permit ip any any
access-list 200 permit icmp any any
access-list 200 permit gre any any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging facility 23
logging queue 1024
logging host inside 172.16.1.2
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
ip address outside 4.64.1.100 255.255.252.0
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 172.17.1.254 255.255.255.0
ip address dmz2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name inside-attack attack action alarm
ip audit name inside-info info action alarm
ip audit interface outside inside-info
ip audit interface outside inside-attack
ip audit interface inside inside-info
ip audit interface inside inside-attack
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address dmz2 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
access-group 101 in interface inside
access-group 200 in interface dmz
route outside 0.0.0.0 0.0.0.0 4.64.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 172.16.1.2 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 4.2.2.2 source outside
ntp server 172.16.1.2 source inside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 172.16.1.2
snmp-server location Home
snmp-server contact Eric Nguyen
snmp-server community home
snmp-server enable traps
tftp-server inside 172.16.1.2 /
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
terminal width 80
Cryptochecksum:9ccb719c169af814515292a4bf0a9023
: end
[OK]
HERNDON-PIX#

---------------------------------
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now

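Justin's point above (a PAT device can only carry PPTP if it snoops the TCP/1723 control channel for the Call ID that every GRE packet carries, because GRE itself has no ports) in working form, as an added example that is not code from this thread or from any Cisco product: a small model of such a fixup run over constructed PPTP packets. Field layouts follow RFC 2637; the class and function names, the 0x1000 outside Call ID range and the second inside host 172.16.1.101 are this example's own choices, and the packets are built inline rather than captured.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST = 7
GRE_PPP = 0x880B                # enhanced GRE protocol type for PPP (RFC 2637)

def parse_pptp_control(data):
    """Decode a PPTP control header and the Call ID that follows it at offset 12."""
    _, msg_type, magic, ctrl_type, _, call_id = struct.unpack("!HHIHHH", data[:14])
    if msg_type != 1 or magic != PPTP_MAGIC:
        raise ValueError("not a PPTP control message")
    return ctrl_type, call_id

def parse_gre_call_id(data):
    """Return the Call ID (low word of the Key) from an enhanced-GRE header."""
    flags, proto, _, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PPP or (flags & 0x0007) != 1 or not flags & 0x2000:
        raise ValueError("not a PPTP GRE packet (need K bit, version 1, 0x880B)")
    return call_id

class PptpAlg:
    """Model of the PPTP fixup a PAT device needs: GRE carries no ports, so the
    TCP/1723 control channel is snooped, each call's ID is made unique on the
    shared outside address, and inbound GRE is demultiplexed by that ID."""
    def __init__(self):
        self.next_id = 0x1000   # example's own choice of outside Call ID range
        self.calls = {}         # outside Call ID -> (inside host, host's original Call ID)

    def outbound_control(self, inside_host, data):
        """Rewrite the Call ID of an Outgoing-Call-Request; pass other messages through."""
        ctrl, call_id = parse_pptp_control(data)
        if ctrl != OUT_CALL_REQUEST:
            return data
        outside_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[outside_id] = (inside_host, call_id)
        return data[:12] + struct.pack("!H", outside_id) + data[14:]

    def inbound_gre(self, data):
        """Return (inside host, GRE packet with the host's original Call ID restored)."""
        call_id = parse_gre_call_id(data)
        if call_id not in self.calls:
            return None, data   # no xlate for this flow: a PIX without the fixup discards it
        host, orig = self.calls[call_id]
        return host, data[:6] + struct.pack("!H", orig) + data[8:]

# Constructed sample packets for the demo; not captured traffic.
def build_request(call_id):
    return struct.pack("!HHIHHHH", 168, 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0, call_id, 1) + bytes(152)
def build_gre(call_id):
    return struct.pack("!HHHH", 0x3001, GRE_PPP, 4, call_id) + b"\x21\x45\x00\x00"
```

Two inside hosts that both pick client Call ID 1 end up with distinct outside IDs, which is what a single static for one host, as in the sample config above, cannot provide.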