PPTP and PIX

Hello

I have a Microsoft PC on the local network and want to connect to another network via a PPTP VPN connection. I know that I must allow TCP port 1723 and IP protocol 47 (GRE) out from inside the network. Of course, this PC requires NAT.

But how do I allow IP protocol 47 in the PIX configuration?

Thank you.

access-list cciesec permit tcp any any eq 1723 log
access-list cciesec permit gre any any log
access-group cciesec in interface inside
fixup protocol pptp 1723

Easy, right?
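The answer above adds three things: an ACL entry for the PPTP control channel (TCP/1723), one for the GRE data channel (IP protocol 47, which has no port numbers) and the PPTP fixup, which lets the PIX track the GRE call IDs so that GRE can be translated behind PAT (`global (outside) 1 interface`). The checker below is an added example, not code from the thread; it parses PIX 6.x `show run` lines and reports which of those prerequisites are present. The sample config is constructed from the answer's lines plus the NAT context from the question. Keep in mind that PPTP itself (MS-CHAPv2 and MPPE) is cryptographically weak and has been deprecated by Microsoft; passing it through a firewall is a connectivity question, not an endorsement of the protocol.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the answer's four lines plus a PAT setup, in PIX 6.x syntax.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list cciesec permit tcp any any eq 1723 log
access-list cciesec permit gre any any log
access-group cciesec in interface inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
fixup protocol pptp 1723
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
FIXUP_RE = re.compile(r"^fixup protocol pptp (\d+)$")
PAT_RE = re.compile(r"^global \((\S+)\) \d+ interface$")


@dataclass
class PptpCheck:
    inside_acl: Optional[str] = None  # ACL bound inbound on the inside interface, if any
    tcp_1723: bool = False            # control channel permitted
    gre: bool = False                 # data channel (IP protocol 47) permitted
    fixup_pptp: bool = False          # 'fixup protocol pptp 1723' present
    pat_on_outside: bool = False      # interface PAT on the outside
    problems: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems


def check_pptp_passthrough(config: str, inside: str = "inside", outside: str = "outside") -> PptpCheck:
    """Report which prerequisites for an outbound PPTP client the PIX config satisfies.

    ACL order is not evaluated: a permit anywhere in the bound ACL counts.
    """
    r = PptpCheck()
    acls: Dict[str, List[Tuple[str, str, str]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower(), m.group(4)))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) == inside:
            r.inside_acl = m.group(1)
            continue
        m = FIXUP_RE.match(line)
        if m and m.group(1) == "1723":
            r.fixup_pptp = True
            continue
        m = PAT_RE.match(line)
        if m and m.group(1) == outside:
            r.pat_on_outside = True

    if r.inside_acl is None:
        # No ACL on the higher-security interface: the PIX permits outbound traffic implicitly.
        r.tcp_1723 = r.gre = True
    else:
        for action, proto, rest in acls.get(r.inside_acl, []):
            if action != "permit":
                continue
            if proto == "ip":
                r.tcp_1723 = r.gre = True
            elif proto == "tcp" and re.search(r"\beq (1723|pptp)\b", rest):
                r.tcp_1723 = True
            elif proto in ("gre", "47"):
                r.gre = True

    if not r.tcp_1723:
        r.problems.append(f"ACL {r.inside_acl} does not permit tcp/1723 (PPTP control channel)")
    if not r.gre:
        r.problems.append(f"ACL {r.inside_acl} does not permit IP protocol 47 (GRE data channel)")
    if r.pat_on_outside and not r.fixup_pptp:
        r.problems.append("PAT on outside without 'fixup protocol pptp 1723': GRE has no ports, "
                          "so PAT cannot translate it without the fixup's call-ID tracking")
    return r


if __name__ == "__main__":
    result = check_pptp_passthrough(SAMPLE_CONFIG)
    print("OK" if result.ok() else "\n".join(result.problems))
```

Run it against the real `show run` output of the firewall rather than the constructed sample; the check is only as good as the lines it is given.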

Tags: Cisco Security

Similar Questions

  • Connectivity problems from site to Site - ASA and PIX

    I'm trying to set up a tunnel between an ASA and a PIX but I am having some difficulty.

    On the ASA side:

    Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, QM FSM error (P2 struct &0xc9309260, mess id 0x7e79b74e)!

    Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Removing peer from correlator table failed, no match!

    Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Session is being torn down. Reason: Phase 2

    On the PIX side:

    ISAKMP (0): total payload length: 37
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of -813626169:cf810cc7IPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0xbb1797c2(3138885570) for SA
            from 63.143.77.114 to 190.213.57.203 for prot 3

    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:63.143.77.114/500 Total VPN Peers:2
    VPN Peer: ISAKMP: Peer ip:63.143.77.114/500 Ref cnt incremented to:1 Total VPN Peers:2
    crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 3
            spi 0, message ID = 2038434904
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 1798094647, spi size = 16
    ISAKMP (0): deleting SA: src 190.213.57.203 dst 63.143.77.114
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0x11fa6fc, conn_id = 0
    ISADB: reaper checking SA 0x121ac3c, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:63.143.77.114/500 Ref cnt decremented to:0 Total VPN Peers:2
    VPN Peer: ISAKMP: Deleted peer: ip:63.143.77.114/500 Total VPN peers:1IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 63.143.77.114

    The ASA configuration

    ASA Version 8.2(5)
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.102.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 63.143.77.114 255.255.255.252
    !
    ftp mode passive
    clock timezone EST -5
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     domain-name lexlocal
    object-group service DM_INLINE_SERVICE_3
     service-object tcp eq https
     service-object tcp eq telnet
     service-object icmp
     service-object tcp-udp eq www
     service-object udp
    object-group service DM_INLINE_SERVICE_5
     service-object udp
     service-object tcp
     service-object tcp-udp eq www
     service-object tcp eq www
     service-object udp eq www
     service-object icmp
    object-group service DM_INLINE_SERVICE_8
     service-object tcp eq https
     service-object tcp-udp eq www
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_4
     service-object tcp-udp eq www
     service-object tcp eq https
     service-object tcp eq smtp
     service-object udp eq snmp
     service-object ip
     service-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object udp
     protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object udp
     protocol-object tcp
    access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 Barbado-internal 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 JA_Office_Internal 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
    access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive
    access-list inside_access_in extended permit ip any any inactive
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.102.0 255.255.255.0 any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.102.0 255.255.255.0 192.168.102.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface outside inactive
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface outside
    access-list outside_access_in extended permit ip Barbado-internal 255.255.255.0 192.168.102.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface outside inactive
    access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0
    access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.102.0 255.255.255.0 Barbado-internal 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.102.0 255.255.255.0 JA_Office_Internal 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 192.168.102.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool remote_users 192.168.200.1-192.168.200.10 mask 255.255.255.0
    ip local pool VPN_IPs 192.168.200.25-192.168.200.50 mask 255.255.255.248
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 63.143.77.113 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication match outside_authentication outside LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 200.50.87.198
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 66.54.113.191
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 190.213.57.203
    crypto map outside_map 3 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.102.30-192.168.102.50 inside
    dhcpd dns 66.54.116.4 66.54.116.5 interface inside
    dhcpd enable inside
    !
    dhcpd dns 66.54.116.4 66.54.116.5 interface outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
     enable outside
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     vpn-tunnel-protocol svc
     default-domain value lexlocal
     webvpn
      svc keepalive none
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
     vpn-tunnel-protocol l2tp-ipsec
     default-domain value lexlocal
     webvpn
      svc keepalive none
    group-policy VPN_Tunnel_Client internal
    group-policy VPN_Tunnel_Client attributes
     dns-server value 192.168.102.1
     vpn-tunnel-protocol IPSec l2tp-ipsec svc
     default-domain value lexlocal
    username VPN_Connect password 6f7B+J8S2ADfQF4a/CJfvQ nt-encrypted
    username VPN_Connect attributes
     service-type nas-prompt
    username xxxxex password iFxSRrE9uIWAFjJE encrypted
    tunnel-group DefaultRAGroup general-attributes
     address-pool remote_users
     address-pool VPN_IPs
     default-group-policy DefaultRAGroup_1
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group 200.50.87.198 type ipsec-l2l
    tunnel-group 200.50.87.198 ipsec-attributes
     pre-shared-key *
    tunnel-group VPN_Tunnel_Client type remote-access
    tunnel-group VPN_Tunnel_Client general-attributes
     address-pool remote_users
     default-group-policy VPN_Tunnel_Client
    tunnel-group VPN_Tunnel_Client ipsec-attributes
     pre-shared-key *
    tunnel-group 66.54.113.191 type ipsec-l2l
    tunnel-group 66.54.113.191 ipsec-attributes
     pre-shared-key *
    tunnel-group 190.213.57.203 type ipsec-l2l
    tunnel-group 190.213.57.203 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1

    PIX configuration

    name 192.168.1.3 lexmailserver
    name 192.168.1.120 Lextt-SF
    name 192.168.1.6 Lextt-ms
    name 192.168.100.0 Barbados
    name 192.168.102.0 Data_Center_Internal
    access-list outside_access_in permit tcp any interface outside eq smtp
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in permit tcp any interface outside eq https
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Barbado
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Data_Ce
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Barbados 25
    access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 Data_Center
    pager lines 24
    logging on
    logging buffered debugging
    logging trap informational
    logging host outside 190.213.57.203
    mtu outside 1500
    mtu inside 1500
    ip address outside 190.213.57.203 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 192.168.2.0-192.168.2.20
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm location lexmailserver 255.255.255.255 outside
    pdm location Lextt-ms 255.255.255.255 outside
    pdm location 192.168.2.0 255.255.255.224 outside
    pdm location 200.50.87.198 255.255.255.255 outside
    pdm location Barbados 255.255.255.0 inside
    pdm location Lextt-SF 255.255.255.255 inside
    pdm location Barbados 255.255.255.0 outside
    pdm location Lextt-ms 255.255.255.255 inside
    pdm location Data_Center_Internal 255.255.255.0 outside
    pdm logging alerts 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp Lextt-SF smtp netmask 255.255.255.255
    static (inside,outside) tcp interface www Lextt-ms www netmask 255.255.255.255 0
    static (inside,outside) tcp interface https Lextt-ms https netmask 255.255.255.2
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 190.213.73.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http Barbados 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 200.50.87.198
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 63.143.77.114
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 200.50.87.198 netmask 255.255.255.255
    isakmp key * address 63.143.77.114 netmask 255.255.255.255
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5

    If you haven't already done so, you must clear the Phase 1 SAs on both sides after you make a change to the map. Once the Phase 1 SA has been cleared, it will renegotiate and reset Phase 2. If you have already done this, the only other thing I can think of is to manually re-enter the pre-shared keys on the tunnel groups and then clear both the Phase 1 and Phase 2 SAs.
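In the debugs above Phase 1 completes ("SA has been authenticated"), the PIX initiates Quick Mode, and then receives NOTIFY type 14 for protocol 3, which in ISAKMP (RFC 2408) is NO-PROPOSAL-CHOSEN for ESP; the ASA side logs the matching "QM FSM error". That pattern means the two sides disagree on the Phase 2 proposal: proxy identities (the crypto ACLs must be mirror images), ESP transforms, or PFS. The script below is an added example, not part of the thread or of either vendor's tooling. It takes the `name`, crypto ACL, transform-set and crypto-map lines of each side, picks the crypto-map entry that points at the other peer and reports what is not mirrored. The two excerpts are constructed from the configs posted above; the posted ASA excerpt does not define `P.O.S_Office_internal`, so the value 192.168.1.0 used here is an assumption. Run against those excerpts it flags one asymmetry that is visible on the page: `set pfs` is on the ASA's map entry 3 but not on the PIX's map entry 40. The reply in the thread does not identify the cause, so treat the output as a lead to verify, not a diagnosis.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed from the ASA config posted above (map entry 3 towards the PIX).
# 'name 192.168.1.0 P.O.S_Office_internal' is an assumption; the posted excerpt omits it.
ASA_SIDE = """\
name 192.168.1.0 P.O.S_Office_internal
access-list outside_3_cryptomap extended permit ip 192.168.102.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 190.213.57.203
crypto map outside_map 3 set transform-set ESP-DES-MD5
"""

# Constructed from the PIX config posted above (map entry 40 towards the ASA).
PIX_SIDE = """\
name 192.168.102.0 Data_Center_Internal
access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 Data_Center_Internal 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 63.143.77.114
crypto map outside_map 40 set transform-set ESP-DES-MD5
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set pfs|set transform-set)(?: (.*))?$")

Proxy = Tuple[str, ...]  # (src net, src mask, dst net, dst mask)


class Side:
    """The Phase 2-relevant parts of one peer's running config (PIX 6.x / ASA 8.x syntax)."""

    def __init__(self, config: str) -> None:
        self.names: Dict[str, str] = {}                  # symbolic name -> address
        self.transform_sets: Dict[str, FrozenSet[str]] = {}
        self.acls: Dict[str, List[Proxy]] = {}            # crypto ACL name -> rows (unresolved)
        self.maps: Dict[Tuple[str, str], Dict[str, str]] = {}
        for raw in config.splitlines():
            line = raw.strip()
            m = NAME_RE.match(line)
            if m:
                self.names[m.group(2)] = m.group(1)
                continue
            m = TS_RE.match(line)
            if m:
                self.transform_sets[m.group(1)] = frozenset(m.group(2).split())
                continue
            m = ACL_RE.match(line)
            if m:
                self.acls.setdefault(m.group(1), []).append(m.groups()[1:])
                continue
            m = MAP_RE.match(line)
            if m:
                entry = self.maps.setdefault((m.group(1), m.group(2)), {})
                entry[m.group(3)] = m.group(4) or ""

    def entry_for_peer(self, peer_ip: str) -> Optional[Dict[str, str]]:
        for entry in self.maps.values():
            if entry.get("set peer") == peer_ip:
                return entry
        return None

    def proxies(self, entry: Dict[str, str]) -> Set[Proxy]:
        """Crypto ACL rows with 'name' aliases resolved to addresses."""
        rows = self.acls.get(entry.get("match address", ""), [])
        return {tuple(self.names.get(t, t) for t in row) for row in rows}

    def transforms(self, entry: Dict[str, str]) -> Set[FrozenSet[str]]:
        names = entry.get("set transform-set", "").split()
        return {self.transform_sets[n] for n in names if n in self.transform_sets}


def compare_phase2(local_cfg: str, remote_cfg: str, local_ip: str, remote_ip: str) -> List[str]:
    """Return the Phase 2 mismatches between the two sides (empty list if none found)."""
    local, remote = Side(local_cfg), Side(remote_cfg)
    l_entry = local.entry_for_peer(remote_ip)
    r_entry = remote.entry_for_peer(local_ip)
    if l_entry is None or r_entry is None:
        return ["no crypto map entry pointing at the peer on at least one side"]
    problems: List[str] = []
    # Proxy identities: the remote's (src, dst) must equal the local's (dst, src).
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in remote.proxies(r_entry)}
    if local.proxies(l_entry) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    if not (local.transforms(l_entry) & remote.transforms(r_entry)):
        problems.append("no common ESP transform set")
    l_pfs, r_pfs = "set pfs" in l_entry, "set pfs" in r_entry
    if l_pfs != r_pfs:
        problems.append("PFS is configured on the %s side only" % ("local" if l_pfs else "remote"))
    return problems


if __name__ == "__main__":
    for p in compare_phase2(ASA_SIDE, PIX_SIDE, "63.143.77.114", "190.213.57.203") or ["no mismatch found"]:
        print(p)
```

The check is deliberately narrow: it does not evaluate ISAKMP (Phase 1) policies, pre-shared keys or NAT exemption, all of which can also stop a tunnel, but those fail earlier or later than the Quick Mode error seen here.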

  • WRT320N - support for PPTP and L2TP DHCP?

    Hello, I bought this router and am facing a problem: how to establish an internet connection. My ISP supports only DHCP for PPTP and L2TP; it gave me the URLs (vpn.corbina.net and tp.corbina.net). I found a topic on a local forum explaining how to establish an internet connection with the same ISP, but for the WRT610N. The basic configuration page is the same for these two routers, but my router is not working with either the L2TP or the PPTP settings. It is unable to connect to either server, and that's all. With 'ping', I found the IP addresses of these servers.

    Currently I use a WL520gc from Asus, and it supports DHCP for VPN and has no problem with it.

    Maybe you have some ideas how to solve this problem.

    OK. I found the error: I had not entered the server IP correctly. Now everything works.

    Thanks for the help. Sorry for the inconvenience. Good day.

  • Recover all of our vids and pix?

    My kid deleted all our family videos and pix. Can I find them here and restore them? How?

    Backups may be your best option. There are people hell-bent on "safeguards" for this. I think you know what it is for now.

    Look in the Recycle Bin - are they still there? Restore them.

    Not in the Recycle Bin? You may be able to use something like "Recuva" to recover things.

  • VPN between Cisco Unified Client 3.6.3 and PIX 501 6.2(1) with MS CA server

    Hello

    I have a Microsoft CA server with the latest CEP support and a PIX 501 that gets its digital certificate. I also have the Cisco client certificate, but the VPN doesn't work.

    In the IPSec Log Viewer, I constantly get "CM_IKE_ESTABLISH_FAIL".

    It worked well before the Win2k server was completely updated with the latest patches.

    The PIX configuration is identical to that of the article http://www.cisco.com/warp/public/471/configipsecsmart.html

    I reinstalled the stand-alone CA and the CEP support server but have not had any luck.

    What could be wrong?

    It looks like an IKE implementation problem. Make the ISAKMP policy use DH group 2.

    Visit this link:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_v53/IPSec/exvpncl.htm

  • PIX 506E, PPTP and Windows 98

    Hello

    The customer cannot run IPSEC (long story), so we will try to use the Microsoft PPTP 'client' to terminate their VPN on a PIX 506E. To simplify things, we went with local authentication (RADIUS proved problematic on the Win2k Server).

    It works very well from an XP machine, but not from Windows 98 - I get the message "Error 691", which means that the PIX is actively rejecting the login/password (i.e. the packets arrive on the PIX OK; I can see them in a debug).

    Someone here suggested that Windows 98 machines that are joined to the domain will prepend the domain name, i.e. DOMAIN/username, rather than just the user name. I tried to create a local entry for this combination, but without success.

    Has anyone had similar problems or know of a workaround?

    I have the engineer coming tomorrow to review RADIUS authentication (regardless of this problem, I want to get it off the PIX); will that help, maybe?

    Cheers,

    Mike.

    Whoever told you that it adds the name is quite correct. You can see the exact user name and password that your Windows 98 PC sends if you turn on logging on the connection. The log file is ppp.log. Take a look at this log after trying to connect and you will see the exact user name being sent, which is the one you will need to put in your PIX. You might want to retype your password for the user on the PIX as well.

    Kurtis Durrett

  • PPTP VPN and PPPoE client on PIX 501

    Hello

    Can I create a PPTP VPN client connection on a PIX 501 together with a PPPoE client connection to my ISP? The PPPoE IP is dynamic and the VPN will be a static IP address. They gave me a username and password for VPN and PPPoE. They also gave me an IP address for the VPN server.

    What should happen is that the PPPoE should connect first for the VPN to work.

    I can only get the PPPoE up, but I don't know how to do this with a PPTP VPN as well.

    Here is my config:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxx encrypted
    passwd xxxxxxx encrypted
    hostname neveroff
    domain-name neveroff.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list incoming permit icmp any any echo-reply
    access-list incoming permit icmp any any source-quench
    access-list incoming permit icmp any any unreachable
    access-list incoming permit icmp any any time-exceeded
    pager lines 24
    icmp permit any echo outside
    icmp permit any unreachable outside
    icmp permit any time-exceeded outside
    icmp permit any source-quench outside
    icmp permit any echo-reply outside
    icmp permit any information-reply outside
    icmp permit any mask-reply outside
    icmp permit any timestamp-reply outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
    access-group incoming in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname xxxxxxxxx
    vpdn group pppoex ppp authentication chap
    vpdn username xxxxxxxx password xxxxxxxx
    dhcpd address 192.168.1.10-192.168.1.41 inside
    dhcpd dns 192.168.1.1 168.210.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username neveroff password TEnlGTQMwqamBzMn encrypted privilege 2
    terminal width 80
    Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf
    : end

    Thank you

    Etienne

    Happy to help, and please kindly mark the message as answered if you have no more questions. Thank you.

  • Outside access for PPTP users on PIX

    Dear all, I have a PIX 506 running software 6.3(5) and have configured it to accept PPTP VPN connections from outside. This works very well; PPTP users get a local IP address from the configured pool and can access inside hosts as expected. What I want now is for PPTP users to be able to access the internet from here just like inside hosts, via dynamic NAT to the outside interface. On an ASA 5505 this is achieved by same-security-traffic permit intra-interface and a corresponding nat (outside) configuration (with IPsec VPN clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result. Is it possible somehow? Thanks a lot for any suggestion, Grischa

    grischast wrote:

    Dear all  I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside.  This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.  What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by    same-security-traffic permit intra-interface and corresponding    nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.  Is it possible somehow?  Thanks a lot for any suggestion,  Grischa

    Grischa

    Unfortunately no, it is not possible on the PIX 506 running v6.x. The reason is that the feature you need is called "bundling", which is activated by using the command "same-security-traffic permit intra-interface". But it is not available on PIX v6.x code.

    It is available on PIX v7.x code and later, but unfortunately the PIX 506 cannot be upgraded to v7.x code. The minimum PIX model that can run v7.x code is the PIX 515E.

    Jon

  • Site-to-site VPN between PIX 6.3(3) and PIX 7.0(1)

    Hi all

    I am configuring a site-to-site VPN between my office and a new site. This is my first time doing a real site-to-site VPN; in the past we have always just used MS PPTP VPN.

    My office firewall is a PIX 506E running 6.3(3), and unfortunately this cannot be upgraded to 7.0.

    My new site has a pair of PIX 525s in a failover configuration, running version 7.0(1).

    The only documentation I could find on this subject is http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml, which corresponds to an even earlier version of the firewall software (although the commands seemed to be valid on the 6.3 software).

    I ran through the VPN Wizard in ASDM on the new site's firewall, and the output produced in the firewall rules is not really what I expected. Commands like 'isakmp key' have been deprecated and replaced by 'tunnel-group'.

    What I'm really after is a pointer in the right direction to some documentation that covers this type of scenario; I can't be the only one trying to link different versions of PIX.

    Hi M8,

    In short, most of the config stays the same (transform sets, ISAKMP policy, crypto maps and crypto ACL).

    The only thing that changes is the:

    isakmp key * address x.x.x.x

    and it is replaced by the tunnel-group commands:

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

    You put the peer IP as the tunnel-group name and, as you can see, you write the key in the ipsec-attributes sub-mode.

    I see it as straightforward, and I think you will find it easy once you get used to the tunnel-group thing.

    Hope that helps.

    Salem.

  • PPTP VPN pix 501 question

    I'm relatively new to the security stuff. I'm a voice guy. I set up a PIX 501 for IPSEC VPN and it works very well. Then I tried setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping the inside interface on the PIX. I can do this using IPSEC. Any ideas? Here is my config:

    :

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname *
    domain-name *
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit icmp any any echo-reply
    access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.6.0 255.255.255.0
    pager lines 24
    logging on
    logging console emergencies
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.*.* 255.255.255.0
    ip address inside 10.0.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pool1 192.168.5.100-192.168.5.200
    ip local pool pool2 192.168.6.100-192.168.6.200
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map cisco 4 set transform-set strong
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map partner-map 20 ipsec-isakmp dynamic cisco
    crypto map partner-map interface outside
    crypto map PPTP 10 ipsec-isakmp dynamic dynmap
    isakmp enable outside
    isakmp key * address 0.0.0.0 netmask 0.0.0.0
    isakmp nat-traversal 20
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash md5
    isakmp policy 8 group 2
    isakmp policy 8 lifetime 86400
    vpngroup test address-pool pool1
    vpngroup test default-domain lab118
    vpngroup test split-tunnel 80
    vpngroup test idle-time 1800
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 192.168.5.0 255.255.255.0 inside
    ssh 192.168.6.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local pool2
    vpdn group PPTP-VPDN-GROUP client configuration dns 8.8.8.8
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username bmeade password *
    vpdn enable outside

    You will have to connect to an internal system on the inside, not to the PIX itself, when using PPTP.

    For SSH access to the PIX you will also need additional configuration; see the section for pre-7.x PIX code, "SSH access to the security appliance":

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

    Concerning

  • ID and PIX 515

    I was told that the PIX 515E firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I have also been told by CA engineers that there is NO product out there that is able to block attacks; they only notify the administrator. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.

    The PIX has some features to prevent DoS attacks, but it can't block everything. For example, if someone launches a smurf attack or something else that uses all of your available bandwidth, then the PIX obviously cannot do anything about it, because the damage is already done by the time the traffic reaches the PIX.

    For something like a TCP SYN attack on a host inside the PIX, you can configure the static command to allow only a total number of connections through, and/or a number of half-open connections to the internal host, effectively protecting the internal server. The PIX will refuse further connection attempts over this limit.

    The PIX also has a limited built-in IDS. It can detect 59 common packet signatures and can be configured to block them when they are seen. The signatures it looks for are only single-packet signatures, nothing as wide as a real IDS device can get.

    In short, no one can say "yes, the PIX prevents all DoS attacks"; no box can do that, because it depends on what the DoS attack is. If someone is flooding your available circuit bandwidth, you really have to get your ISP involved to block that traffic BEFORE it gets to you. For host-based DoS attacks, the PIX should be able to block most of them with standard configuration controls.
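    The following is an added example, not code from this thread or from Cisco: a small Python audit that reads a PIX 6.x configuration in the form posted in the PPTP question above and checks the PPTP prerequisites that post relies on (the pptp fixup, sysopt permit-pptp, a vpdn dial-in group, its address pool defined and exempted from NAT by the nat 0 ACL), flags settings that weaken the tunnel (MPPE not marked required, CHAP or PAP accepted alongside MS-CHAP, a default SNMP community string), and checks every static translation for the max_conns and emb_limit values the DoS answer describes. The sample config is constructed from the posted one and trimmed; the static for 203.0.113.10 to 10.0.0.10 is hypothetical and was added to exercise the embryonic-limit check.

```python
"""Audit a PIX 6.x configuration for PPTP dial-in prerequisites and for
connection limits on static translations (TCP SYN-flood protection).

Added example; not code from the forum thread or from Cisco.
"""
import ipaddress

# Constructed sample: trimmed from the PPTP post's config, plus a hypothetical
# static translation with no max_conns/emb_limit (both 0 = unlimited).
SAMPLE_CONFIG = """
fixup protocol pptp 1723
access-list 101 permit icmp any any echo-reply
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.6.0 255.255.255.0
ip local pool pool1 192.168.5.100-192.168.5.200
ip local pool pool2 192.168.6.100-192.168.6.200
nat (inside) 0 access-list nonat
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
snmp-server community public
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pool2
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
"""

STRONG_PPP_AUTH = {"mschap", "mschap-v2"}  # MPPE keys are derived from these only


def parse(config: str) -> list[list[str]]:
    """Tokenise each non-empty line; ':' and '!' lines are comments/headers."""
    return [ln.split() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))]


def starting(toks: list[list[str]], *prefix: str) -> list[list[str]]:
    """Config lines whose leading tokens equal prefix."""
    return [t for t in toks if t[:len(prefix)] == list(prefix)]


def local_pools(toks):
    """'ip local pool NAME A-B' -> {NAME: (A, B)}; tolerates spaces around '-'."""
    pools = {}
    for t in starting(toks, "ip", "local", "pool"):
        lo, hi = "".join(t[4:]).split("-")
        pools[t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return pools


def nat0_destinations(toks):
    """Destination networks of every ACL bound with 'nat (inside) 0 access-list'."""
    nets = []
    for n in starting(toks, "nat", "(inside)", "0", "access-list"):
        for a in starting(toks, "access-list", n[4], "permit", "ip"):
            nets.append(ipaddress.IPv4Network((a[6], a[7]), strict=False))
    return nets


def audit(config: str) -> list[str]:
    """Return one finding per problem; an empty list means every check passed."""
    toks = parse(config)
    out = []

    def has(*prefix):
        return bool(starting(toks, *prefix))

    # PPTP plumbing: control-channel fixup, ACL bypass, dial-in group, pool, NAT exemption.
    if not has("fixup", "protocol", "pptp"):
        out.append("PPTP: no 'fixup protocol pptp 1723'; GRE for the tunnel is not opened dynamically")
    if not has("sysopt", "connection", "permit-pptp"):
        out.append("PPTP: no 'sysopt connection permit-pptp'")
    if not has("vpdn", "enable", "outside"):
        out.append("PPTP: no 'vpdn enable outside'")
    groups = {t[2] for t in starting(toks, "vpdn", "group") if t[3:6] == ["accept", "dialin", "pptp"]}
    if not groups:
        out.append("PPTP: no 'vpdn group ... accept dialin pptp'")
    pools, exempt = local_pools(toks), nat0_destinations(toks)
    for g in sorted(groups):
        for t in starting(toks, "vpdn", "group", g, "client", "configuration", "address", "local"):
            if t[-1] not in pools:
                out.append(f"PPTP: {g}: pool '{t[-1]}' is not defined")
            elif not all(any(a in n for n in exempt) for a in pools[t[-1]]):
                out.append(f"PPTP: {g}: pool '{t[-1]}' is not exempted from NAT by a nat 0 ACL")
        auth = {t[-1] for t in starting(toks, "vpdn", "group", g, "ppp", "authentication")}
        mppe = starting(toks, "vpdn", "group", g, "ppp", "encryption", "mppe")
        if mppe and "required" not in mppe[0]:
            out.append(f"WEAK: {g}: 'ppp encryption mppe' without 'required'; a client may negotiate no encryption")
        for weak in sorted(auth - STRONG_PPP_AUTH):
            out.append(f"WEAK: {g}: accepts {weak}; MPPE keys derive only from MS-CHAP, so such a client gets no MPPE")

    # Management plane: default SNMP community strings.
    for t in starting(toks, "snmp-server", "community"):
        if t[2].lower() in ("public", "private"):
            out.append(f"WEAK: snmp-server community '{t[2]}' is a default string")

    # DoS: static (in,out) GLOBAL LOCAL netmask MASK [max_conns [emb_limit]]; 0 = unlimited.
    for t in starting(toks, "static"):
        if "netmask" not in t:
            continue
        i = t.index("netmask")
        nums = [int(x) for x in t[i + 2:i + 4] if x.isdigit()]
        max_conns = nums[0] if nums else 0
        emb_limit = nums[1] if len(nums) > 1 else 0
        if max_conns == 0:
            out.append(f"DOS: static for {t[3]}: max_conns 0 (unlimited)")
        if emb_limit == 0:
            out.append(f"DOS: static for {t[3]}: emb_limit 0 (unlimited half-open connections)")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

    Run against the sample, the PPTP checks all pass (which matches the poster's report that the tunnel comes up), while the audit flags the optional MPPE, the CHAP method that yields no MPPE keys, the public SNMP community, and the static with both limits at 0. Setting the static to, for example, `netmask 255.255.255.255 1000 200` silences the DoS findings, which is the per-host protection the answer above describes.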

  • Cisco ACS and Pix Firewall

    I have configured aaa authentication on the PIX firewall to use the ACS RADIUS server for user verification. If the ACS server becomes unavailable, then I cannot connect to the PIX firewall.

    In the router, I have the configuration option

    aaa authentication login default group tacacs+ local

    which tells the router to first look for a RADIUS server and, if it is not available, to log in through the local database.

    Is there an option on the Cisco PIX firewall to log in using local information if ACS is not available?

    Thanks in advance

    Hello

    The PIX fallback method for getting into the unit in the event of an AAA server failure works on 6.3.4 code and above. On code earlier than 6.3.4, if the RADIUS server fails it is impossible to get in without a password recovery. However, if aaa authentication is not configured for the console, the username "pix" and password "cisco" work by default.

    Kind regards

    Mahmoud Singh

  • L2l IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501. We want to connect it to our main office, which has our VPN 3000, via a site-to-site VPN.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However, the L2L session does not appear on the concentrator when I check the active sessions.

    The network diagram, the PIX config and the screenshots of the VPN configuration for the IPsec L2L tunnel are attached.

    Any help or advice are appreciated.

    I just noticed that on the PIX firewall the Phase 1 parameters are not configured. You must configure the same Phase 1 and Phase 2 settings on both ends of the tunnel.

    For example, on the CVPN 3000 you have configured Phase 1 settings such as 3DES, pre-shared key, etc. You need the same configuration on the PIX firewall too.

    Here is a sample config:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • Pass the trunk between catalyst and PIX

    Hello

    Yesterday I had a very good response on the forum about how to create VLANs on the PIX. I created the subinterfaces and assigned VLANs to them. I configured the IP addresses as well. I did the same on the Catalyst switch: created the SVIs and assigned their IP addresses. The Catalyst shows the switch port is trunking correctly, but I can't ping from the PIX to the switch and vice versa. Please help.

    RVR

    Is it possible for you to post the configuration of the PIX? At least the interface configuration?

    And the trunk configuration on the switch interface?

    Concerning

    Farrukh

  • Question about 802.1q and PIX

    I was looking at this document on PIX and 802.1q VLAN trunking:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/bafwcfg.htm#1140519

    In this example there is a server in VLAN1. The physical interface of the PIX is put in VLAN2 and a virtual interface is created for VLAN3. How would the server in VLAN1 get to devices in the other VLANs in this case? Am I missing something?

    -TIA

    Hello

    I think I understand your confusion. It seems to me that there is an error in Figure 2-9. The hosts above the distribution layer switch should be in VLAN 2 and VLAN 3 rather than VLAN 1 and VLAN 2. As you know, the default VLAN on a Cisco switch is VLAN 1, and we suggest that you do not use that VLAN for anything in a production network. If you change the hosts in the figure to VLAN 2 and VLAN 3, does the example make more sense? In other words, look at the figure and think of it as two separate interfaces. Let me know if it is still not clear.

    Scott

    PS - I'll open a bug to fix this example.
