Configure PIX 501 pptp

Discussion in 'Network Security' started by blair78, Dec 8, 2010.

  1. blair78

    blair78 New Member

    Hi

    I hope someone can help me with this. I am trying to configure a PIX 501 to allow remote users to access stuff in the office. My experience with the PIX is limited, so while I have been reading on setting up PPTP on the PIX I am finding it pretty difficult.

    Thanks in advance for any help. After a few attempts my current config is

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXX encrypted
    passwd XXXXXX encrypted
    hostname Blair-Pix
    domain-name blitservices.co.uk
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list incoming-outside permit icmp any any echo
    access-list incoming-outside permit icmp any any echo-reply
    access-list incoming-outside permit tcp any interface outside eq smtp
    access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 145 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 101 permit ip 192.168.100.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside XXXXXXXX 255.255.255.252
    ip address inside 192.168.100.168 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.100.1-192.168.100.10
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp XXXXXXX smtp 192.168.100.190 smtp netmask 255.255.255.255 0 0
    access-group incoming-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 XXXXXXXXX 1
    timeout xlate 0:05:00
    timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set transet1 esp-3des esp-sha-hmac
    crypto map vpnmap 50 ipsec-isakmp
    crypto map vpnmap 50 match address 145
    crypto map vpnmap 50 set peer 91.214.228.50
    crypto map vpnmap 50 set transform-set transet1
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address 91.214.228.50 netmask 255.255.255.252
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username XXXXXX password *********
    vpdn enable outside
    terminal width 80
    Cryptochecksum:fbc2431d9bd4b5e63bf68f44ee975ebf
    : end
     
  2. craigie

    craigie Terabyte Poster

    Are you wanting to achieve PPTP pass through to an RRAS Server or do you want the termination end point to be the PIX?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. blair78

    blair78 New Member

    I am trying to pass through to an RRAS server. However, I could do with understanding the reasons and benefits for having the PIX as the end point.
     
  4. Sparky

    Sparky Zettabyte Poster Moderator

    No need for RRAS. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. craigie

    craigie Terabyte Poster

    You need to allow the traffic through to your RRAS server by creating a NAT exemption, so add line:

    static (inside,outside) tcp publicipaddress 1723 serveripaddress 1723 netmask 255.255.255.255 0 0

    You then need to allow the firewall access list to allow incoming PPTP from the internet, so add line:

    access-list incoming-outside permit tcp any host publicipaddress eq 1723
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Unfortunately you may need to terminate the PPTP on the PIX rather than the server. PPTP requires TCP 1723 and GRE, so simply permitting and translating TCP 1723 won't work. However, GRE is a separate protocol with no port numbers, and in order to translate it through the PIX you will need a static translation of an external IP address. If you have only one IP address available, that means all inbound traffic that goes through the PIX must go to the internal server.

    For example, here is how to permit inbound pptp through a pix 6.3, with an external ip of 1.1.1.1 and an internal pptp server at 2.2.2.2:

    access-list inbound permit gre any host 1.1.1.1
    access-list inbound permit tcp any host 1.1.1.1 eq 1723

    static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  7. craigie

    craigie Terabyte Poster

    Sorry to say this is not correct. I have terminated probably about 20 or so PIXs onto RRAS servers. Also, I have not had to add in an exception for GRE either.

    I normally do a static 1-to-1 NAT translation, then define the ports using the firewall ACL, but I have seen it done both ways.

    The only other setting, which is already in the PIX config, is fixup protocol pptp 1723.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
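    As an added example, not from the thread or from Cisco: a small Python checker for the two elements craigie's posts describe (a tcp/1723 static to the RRAS server and a matching permit in the ACL that is actually bound to the outside interface), which also recognises Spice_Weasel's 1:1 static plus permit gre variant and flags the two weak settings visible in the posted config. The embedded sample config is constructed from the thread's lines; 203.0.113.10 and 192.168.100.200 are placeholders, and the rule that fixup protocol pptp covers GRE for a port static is taken from the thread's own experience.

```python
import re

# Constructed sample: the thread's PIX 6.3 config trimmed to the relevant
# lines, plus the two lines craigie suggested. 203.0.113.10 and
# 192.168.100.200 stand in for the public and RRAS addresses.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
access-list incoming-outside permit icmp any any echo
access-list incoming-outside permit tcp any host 203.0.113.10 eq 1723
static (inside,outside) tcp 203.0.113.10 1723 192.168.100.200 1723 netmask 255.255.255.255 0 0
access-group incoming-outside in interface outside
snmp-server community public
vpdn group 1 ppp authentication pap
"""

PPTP = {"1723", "pptp"}  # PIX prints well-known ports by name
PORT_STATIC = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
FULL_STATIC = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) permit (tcp|gre) any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"^access-group (\S+) in interface outside")

def check_pptp_passthrough(config):
    """Return {"passthrough": {public: inside}, "problems": [...]} for a PIX 6.3
    config; a server is listed only when both TCP/1723 and GRE can reach it."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    has_fixup = any(ln.startswith("fixup protocol pptp") for ln in lines)
    bound = {m.group(1) for ln in lines if (m := GROUP.match(ln))}  # ACLs on outside
    statics, tcp_ok, gre_ok = {}, set(), set()
    for ln in lines:
        if (m := PORT_STATIC.match(ln)) and {m.group(2), m.group(4)} <= PPTP:
            statics[m.group(1)] = (m.group(3), False)  # port PAT: TCP only
        elif m := FULL_STATIC.match(ln):
            statics[m.group(1)] = (m.group(2), True)   # 1:1: carries GRE too
        elif (m := ACL.match(ln)) and m.group(1) in bound:
            if m.group(2) == "tcp" and m.group(4) in PPTP:
                tcp_ok.add(m.group(3))
            elif m.group(2) == "gre":
                gre_ok.add(m.group(3))
    out = {"passthrough": {}, "problems": []}
    for pub, (inside, full) in statics.items():
        if pub not in tcp_ok:
            out["problems"].append(f"no ACL bound outside permits tcp/1723 to {pub}")
        elif has_fixup or (full and pub in gre_ok):
            out["passthrough"][pub] = inside
        else:
            out["problems"].append(f"GRE to {pub}: need fixup protocol pptp, or a 1:1 static plus permit gre")
    for ln in lines:  # weak settings present in the posted config
        if ln == "snmp-server community public":
            out["problems"].append("SNMP community 'public' is a well-known default")
        if ln.endswith("ppp authentication pap"):
            out["problems"].append("PAP sends PPP passwords in cleartext")
    return out
```

Run it against a fresh `show run` paste; a public address that appears under "problems" rather than "passthrough" is the one the thread's fix is missing a piece for.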
  8. ThomasMc

    ThomasMc Gigabyte Poster

    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  9. blair78

    blair78 New Member

    Thanks craigie. I have tested this and all works great now. Thanks again.
     
  10. craigie

    craigie Terabyte Poster

    You're welcome mate :)
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
