PPTP through NAT
I have a client wanting to allow PPTP into their internal network. They perform NAT on a 1751 with IOS 12.2 and have a single public IP address. They use static NAT entries to allow incoming SMTP and Terminal Server services. Static NAT entries do not support protocol 47 (GRE), so we cannot do it this way. What options do they have otherwise? I think they will have to get another public IP address and translate all incoming traffic to this IP address to the internal IP address where PPTP terminates. Will this work, and can several external VPN users connect to the IP address on the internal network via NAT only? Thanks in advance.
The only way to do it is to get a second IP address, then set up a static translation for it and have all your users connect to this static IP address. Yes, multiple users can connect to this IP address, no problem.
The issue here is, as you said, that you cannot map GRE through with just the one IP address, so they need a second one and map all protocols through to it with just a standard static NAT translation.
Tags: Cisco Security
Similar Questions
-
Multiple clients behind a PPTP firewall/NAT to a VPN 3015
Hello
I am trying the following:
A Win2K PC behind a 3Com modem-to-LAN device (doing the NAT) tries to make a PPTP connection to our VPN concentrator. One client is always able to establish the connection, but subsequent clients fail. The VPN concentrator displays the following message:
815 10/21/2002 19:55:49.870 SEV=4 PPTP/33 RPT=20 x.x.x.x
PPTP tunnel for peer x.x.x.x refused - already established
We also tried another site that is behind a firewall, and the same thing happens.
Is such a setup supported by the VPN 3015 concentrator?
Will this work if I use the IPsec client (Cisco or Win2K)?
Thank you
Norman
I suspect that you really have a PAT environment (Port Address Translation, i.e. more than one host behind a single outside address). If this is the case, PPTP will fail because it uses GRE, which is IP protocol 47 I think, as well as TCP port 1723. Since GRE does not have a port associated with it the way TCP or UDP do, most implementations either fail completely or, as in your case, allow only one simultaneous connection.
If you go to IPsec using the Cisco Unity client, you can work around this by implementing IPsec over UDP, which transports over UDP, thus allowing the ports to be associated with different connections.
-
Need help! ASA 5505 not passing PPTP through to the internal server
Hello:
Recently I added a new Cisco ASA 5505 as the firewall for the company network. I found that PPTP authentication does not get through to the internal Microsoft server. Any help and answers are appreciated.
Please see my setup as below. Thank you!
ASA Version 8.4(3)
!
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 177.164.222.140 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 172.29.8.0 255.255.255.0
object service RDP
 service tcp source eq 3389
object network Orange
 host 172.29.8.151
object network WAN_173_164_222_138
 host 177.164.222.138
object service SMTP
 service tcp source eq smtp
object service PPTP
 service tcp source eq pptp
object service JT_WWW
 service tcp source eq www
object service JT_HTTPS
 service tcp source eq https
object network obj_lex
 subnet 172.29.88.0 255.255.255.0
 description Lexington office network
object network obj_HQ
 subnet 172.29.8.0 255.255.255.0
object network guava
 host 172.29.8.3
object service L2TP
 service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server guava protocol nt
aaa-server guava (inside) host 172.29.8.3
 timeout 15
 nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
!
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
 dns-server value 172.29.8.3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Tunnel_User
 default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
 vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
 address-pool ABC_HQVPN_DHCP
 authentication-server-group guava
 default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
!
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end
Hello Wayne,
The first thing I noticed:
In the ACL you are pointing to the public IP while it should be to the private one (you have a permit ip any any at the end, so it's not bad. FYI, if you decide to take out that permit ip any any then you should point to the servers' private IP addresses).
Now, the policy where the PPTP inspection etc. is configured is not applied to any service-policy, so add:
service-policy global_policy global
Don't forget that for a PPTP connection to get established we should see 2 things:
- Negotiation is done on TCP port 1723 and then data packets are exchanged over GRE.
Follow my blog for more information on this topic:
http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/
Try and let me know
Julio
-
WRT160N V2 multiple PPTP connections
Hello
I have a problem trying to connect multiple computers to a PPTP VPN.
I have a WRT160N connected to the internet with the option Automatic Configuration - DHCP.
2 computers behind the router get their IPs from the router via DHCP.
I can connect with one computer without any problems.
When I try to connect with my second computer, the connections just freeze.
I read it has to do with GRE packets or something like that; I'm not an expert in networking, so
this information is enough for me. My questions are:
1 - Is it possible to use this router and have more than one computer connected
to the VPN?
2 - If not, is there any other wireless router I can use to fix this?
Any help will be greatly welcomed
Thanks in advance
Tonio
It depends. It should be possible to connect to two different PPTP servers on the internet.
It is not possible to connect two computers to the same PPTP server via a NAT router. This is simply because the router would have to dig a lot deeper into the GRE to distinguish the GRE traffic of two client connections between the PPTP server and the router's public IP address.
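The GRE problem raised in the answers above (one PPTP client works through PAT, a second one fails, and a PPTP-aware NAT has to look inside the GRE header to tell them apart), as an added example that is not from any poster or from Cisco: it builds and parses the RFC 2637 enhanced GRE header, models a port-only PAT that can key a GRE flow only on the remote server, and models inspection that keys GRE on the Call ID learned from the TCP 1723 control channel. All addresses, Call IDs and payloads are constructed.

```python
"""Why PPTP breaks behind port-only PAT, and what PPTP-aware inspection does.

Added example for this thread, not code from any poster or from Cisco.
The enhanced GRE header layout follows RFC 2637 section 4.1; every address,
Call ID and payload below is constructed for the demonstration.
"""
import struct
from typing import Dict, Optional, Tuple

PPTP_GRE_TYPE = 0x880B  # Protocol Type that marks PPTP's enhanced GRE (IP protocol 47)


def build_enhanced_gre(call_id: int, payload: bytes, seq: int = 0) -> bytes:
    """Header with K and S bits set, version 1, Key = (payload length, Call ID)."""
    hdr = struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_TYPE, len(payload), call_id, seq)
    return hdr + payload


def parse_enhanced_gre(frame: bytes) -> Tuple[int, bytes]:
    """Return (call_id, payload); reject anything that is not PPTP enhanced GRE."""
    if len(frame) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, ptype, plen, call_id = struct.unpack("!BBHHH", frame[:8])
    if (ver & 0x07) != 1 or ptype != PPTP_GRE_TYPE or not flags & 0x20:
        raise ValueError("not PPTP enhanced GRE")
    offset = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # seq / ack fields
    payload = frame[offset:offset + plen]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return call_id, payload


class PortOnlyPat:
    """Classic PAT on one outside address: TCP/UDP flows are told apart by the
    translated source port, but GRE has no port, so the only usable key for a
    GRE flow is the remote server, which admits one inside host per server."""

    def __init__(self) -> None:
        self.gre_owner: Dict[str, str] = {}  # server -> inside host owning the GRE flow

    def outbound_gre(self, inside_ip: str, server_ip: str) -> bool:
        owner = self.gre_owner.setdefault(server_ip, inside_ip)
        # False is what the PIX logs as 305006 "translation creation failed for protocol 47"
        return owner == inside_ip

    def inbound_gre(self, server_ip: str, frame: bytes) -> Optional[str]:
        return self.gre_owner.get(server_ip)  # the GRE header is never looked at


class PptpAwarePat:
    """What PPTP inspection (PIX 'fixup protocol pptp 1723', ASA 'inspect pptp') adds:
    the client's Call ID is learned from the Outgoing-Call-Request on TCP 1723,
    rewritten if another inside client already uses it toward the same server,
    and GRE is then keyed on (server, Call ID) instead of on the server alone."""

    def __init__(self) -> None:
        # (server, Call ID seen on the outside) -> (inside host, Call ID the client chose)
        self.calls: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_free = 0x4000

    def control_call_request(self, inside_ip: str, server_ip: str, client_call_id: int) -> int:
        """Return the Call ID the server will see (may differ from the client's)."""
        outside_id = client_call_id
        while (server_ip, outside_id) in self.calls:  # collision with another inside client
            outside_id, self.next_free = self.next_free, self.next_free + 1
        self.calls[(server_ip, outside_id)] = (inside_ip, client_call_id)
        return outside_id

    def inbound_gre(self, server_ip: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        """Server-to-client GRE carries the client's Call ID: pick the inside host from
        it and restore the Call ID the client expects before forwarding."""
        call_id, payload = parse_enhanced_gre(frame)
        hit = self.calls.get((server_ip, call_id))
        if hit is None:
            return None  # GRE with no matching control channel: drop it
        inside_ip, inside_id = hit
        return inside_ip, build_enhanced_gre(inside_id, payload)


def demo() -> dict:
    """Two inside clients behind one outside address dialling the same PPTP server."""
    server, a, b = "203.0.113.10", "192.168.1.10", "192.168.1.11"
    plain, aware = PortOnlyPat(), PptpAwarePat()
    port_only = (plain.outbound_gre(a, server), plain.outbound_gre(b, server))
    # Both clients happen to choose Call ID 1; inspection must keep them apart.
    id_a = aware.control_call_request(a, server, 1)
    id_b = aware.control_call_request(b, server, 1)
    to_a = aware.inbound_gre(server, build_enhanced_gre(id_a, b"to-A"))
    to_b = aware.inbound_gre(server, build_enhanced_gre(id_b, b"to-B"))
    stray = aware.inbound_gre(server, build_enhanced_gre(0x7777, b"x"))
    return {"port_only": port_only, "outside_ids": (id_a, id_b),
            "to_a": to_a, "to_b": to_b, "stray": stray}


if __name__ == "__main__":
    print(demo())
```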
-
Problem with Port Forwarding (when PPTP is up) on the WRT-160N
Hello world!
I'm looking for some help with port forwarding on my new Linksys router. I bought the router a few days ago and was pretty surprised when I discovered that there was DD-WRT firmware installed on it (the router was 100% NEW when I bought it). I downloaded the latest original Linksys firmware file and flashed it successfully.
But I still have the problem (I had it on the DD-WRT firmware too) with port forwarding for my DC++ and Vuze (torrent app): I set up port forwards for ports 49151 (for Vuze) and 4000 (for DC++) to my desktop computer (IP 192.168.1.201). I saw a post on this forum that there could be a problem if you forward to an IP address that is within the local DHCP range, so I forwarded to IP .201 (my local DHCP zone is 192.168.1.100-.149). But it is not forwarding :((
What's wrong?
My configuration:
Router IP: 192.168.1.1
PPTP (from my ISP)
IP address: 192.168.226.127
Default gateway: 192.168.226.2
DNS 1: 192.168.1.1
DNS 2 & 3: 0.0.0.0
The IP address of the PPTP server: 192.168.226.2
User name: *.
Password: *.
_____________________
Simple Port Forwarding:
Application name  External port  Internal port  Protocol  To IP address  Enabled
Vuze              49151          49151          Both      192.168.1.201  checked
DC                4000           4000           Both      192.168.1.201  checked
As you mentioned in your post, your ISP has provided you with a PPTP connection with an IP address 192.x.x.x. The IP address provided by your ISP is in a private range, and if you try to forward any ports on your router it will not work, as your ISP's modem is blocking those ports. You need to get a public IP address from your ISP.
As you get a private IP from your ISP, this kind of connection is called NAT behind NAT, and your modem behaves like a router.
So now you have 2 options, get the public IP address from your ISP or change the type of connection.
-
W2000 PPTP client through a PIX
Inside a simply configured PIX I have a W2000 client with a PPTP VPN. The client cannot talk to another PIX outside, configured with VPDN.
Everything works as expected if I put in a NETGEAR 801 NAT firewall instead of the simple PIX.
See the PIX config and syslog. What is wrong?
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd FAXRuw8pF2Tl7oBe encrypted
hostname HMS
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outside permit icmp any any
access-list acl_outside permit gre any any
access-list acl_outside permit esp any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging host inside 194.132.183.10
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 217.215.220.221 255.255.255.0
ip address inside 194.132.183.2 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 217.215.220.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
HMS#
Syslog said:
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
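Detection logic for the failure mode in the syslog above, as an added example not posted in the thread: it correlates a 302013 control connection on TCP 1723 with subsequent 305006 protocol-47 translation failures for the same client/server pair, which is the signature of a PPTP client stuck behind PAT. The message IDs and formats are the standard PIX/ASA ones; the sample log is constructed, reusing the addresses from the post plus one unrelated connection.

```python
"""Spot 'PPTP through PAT' in PIX/ASA syslog: a TCP 1723 control connection is
built, then protocol-47 (GRE) translations for the same client/server pair fail.

Added example for this thread, not code posted in it.  Message IDs 302013,
305006 and 302014 and their formats are the standard PIX/ASA ones; SAMPLE_LOG is
constructed, reusing the addresses from the post plus one unrelated connection.
"""
import re
from typing import Dict, List, Tuple

# Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>/<port>) to <if>:<ip>/<port> (...)
RE_CONN = re.compile(
    r"%(?:PIX|ASA)-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\w+:(?P<rip>[\d.]+)/(?P<rport>\d+) \([\d.]+/\d+\) to \w+:(?P<lip>[\d.]+)/(?P<lport>\d+)")
RE_GRE_FAIL = re.compile(
    r"%(?:PIX|ASA)-3-305006: regular translation creation failed for protocol 47 "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+)")
RE_TEARDOWN = re.compile(
    r"%(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<id>\d+) .*?duration (?P<dur>[\d:]+)")

# Constructed sample: the poster's four lines plus an unrelated HTTPS connection.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-6-302013: Built outbound TCP connection 213 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:194.132.183.11/2050 (217.215.220.221/1125)
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
"""


def find_pptp_pat_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per PPTP control channel that saw GRE translation failures."""
    controls: Dict[Tuple[str, str], Dict[str, object]] = {}  # (client, server) -> record
    by_conn_id: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = RE_CONN.search(line)
        if m:
            if m["rport"] == "1723":      # inside client dialling an outside PPTP server
                client, server = m["lip"], m["rip"]
            elif m["lport"] == "1723":    # outside client reaching a published inside server
                client, server = m["rip"], m["lip"]
            else:
                continue                  # not a PPTP control channel
            rec = {"client": client, "server": server, "conn_id": m["id"],
                   "gre_failures": 0, "duration": None}
            controls[(client, server)] = rec
            by_conn_id[m["id"]] = rec
            continue
        m = RE_GRE_FAIL.search(line)
        if m:
            # GRE can fail in either direction; match the pair regardless of who sent it
            rec = controls.get((m["src"], m["dst"])) or controls.get((m["dst"], m["src"]))
            if rec is not None:
                rec["gre_failures"] += 1
            continue
        m = RE_TEARDOWN.search(line)
        if m and m["id"] in by_conn_id:
            by_conn_id[m["id"]]["duration"] = m["dur"]
    return [r for r in controls.values() if r["gre_failures"]]


if __name__ == "__main__":
    for f in find_pptp_pat_failures(SAMPLE_LOG):
        print(f"PPTP control {f['client']} -> {f['server']} (conn {f['conn_id']}) lived "
              f"{f['duration']} but {f['gre_failures']} GRE translations failed: client is "
              "behind PAT; needs a one-to-one static or PPTP-aware inspection")
```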
First off, I would say don't cut and paste your PIX config here, or at least x.x.x.x out your external IP address.
The PIX does not support PPTP through PAT (nat/global). PPTP uses IP protocol 47 (GRE), and the PIX cannot PAT these because there is no TCP/UDP port number to use.
PIX 6.3 code will support it, however, but it won't be available until the beginning of next year. At the moment the only way to get around your situation is to define a one-to-one NAT translation for this internal host. Something like:
> static (inside,outside) 217.215.220.222 194.132.183.10 netmask 255.255.255.255 0 0
will do it for you, provided 217.215.220.222 is routed to you and available. I would also change
> access-list acl_outside permit gre any any
to
> access-list acl_outside permit gre host 194.71.189.109 host 217.215.220.222
It's a little safer.
-
Cisco RV120W PPTP source IP address NAT
I have a VoIP application that I am trying to run over a PPTP VPN tunnel on an RV120W router.
The system is a NEC SV8100 PBX communicating with the NEC softphone (SP310). The system uses SIP to set up the call and for all other signalling. It uses RTP to transmit/receive the audio stream.
The problem I have is that there is no audio stream from the phone. SIP communication and the audio stream to the phone work fine. The symptom is: on a call, the remote side cannot hear you, but you can hear them.
I did a packet trace on the RV120W and found the following:
No.  Time      Source         Dest.          Protocol  Info
948  9.358957  192.168.1.252  192.168.1.52   RTP       PT=ITU-T G.711 PCMU, SSRC=0x7F1621CA, Seq=14361, Time=779040
949  9.359530  192.168.1.1    192.168.1.252  RTP       PT=ITU-T G.711 PCMU, SSRC=0xE943F2E7, Seq=19090, Time=3940936556
192.168.1.252 => NEC PBX
192.168.1.52  => softphone connected via PPTP
192.168.1.1   => RV120W
As you can see, the source IP address differs from its origin: 192.168.1.52 has become 192.168.1.1. The NEC PBX expects the packet to come from the softphone (192.168.1.52), not from the RV120W (192.168.1.1). As a result, it ignores the RTP packet for the call and does not relay it to the remote side.
Is there a reason why the RV120W is running NAT on PPTP packets? Can it be turned off somehow?
Any ideas would be helpful.
Thank you!
--
Joe Ripley
Choosing the RV220 is the option.
-
How to allow PPTP VPN access through an ASA
Hi guys,
I need to allow VPN clients to reach an internal PPTP server located behind an ASA firewall and running on a Windows 2K8 Server machine.
I found that the setup differs depending on the ASA version. I'm on ASA Version 8.2(5).
There are many rules in place and I need to keep them. I found a lot of guides are bad because they push the user to remove the existing rules rather than add new ones.
Can you please let me know how (if possible via ASDM), and whether I should expect problems when I decide to upgrade my ASA?
Thank you
Dario
You must configure a static NAT translation, because I believe the PPTP traffic is inbound from the Internet.
You must allow PPTP traffic on the outside interface: TCP/1723.
You must enable PPTP inspection: inspect pptp
-
Hello
I have a Microsoft PC on the local network and want to connect via a PPTP VPN connection to another network. I know that I must allow TCP port 1723 and protocol ID 47 (GRE) from inside the network. Of course this PC requires NAT.
But how do I enable protocol ID 47 in the PIX configuration?
Thanks.
access-list cciesec permit tcp any any eq 1723 log
access-list cciesec permit gre any any log
access-group cciesec in interface inside
fixup protocol pptp 1723
Easy right?
-
Outside access for PPTP users on a PIX
Hello everyone, I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside. This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected. What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by same-security-traffic permit intra-interface and corresponding nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result. Is it possible somehow? Thanks a lot for any suggestion, Grischa
grischast wrote:
Dear all I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside. This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected. What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by same-security-traffic permit intra-interface and corresponding nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result. Is it possible somehow? Thanks a lot for any suggestion, Grischa
Grischa
Unfortunately no, it is not possible on the PIX 506 running v6.x. The reason is that the feature you need is called "hairpinning", which is activated by using the command "same-security-traffic permit intra-interface". But it is not available on PIX v6.x code.
It is available on PIX v7.x code and later, but unfortunately the PIX 506 cannot be upgraded to v7.x code. The minimum PIX model that can run v7.x code is a PIX 515E.
Jon
-
1841 configured as PPTP server, but port 1723 is filtered
IOS: c1841-advsecurityk9-mz.124-15.T4.bin
Nmap reports port 1723 as filtered.
ACL 101 denies port 1723. I tried removing ACL 101 from FastEthernet0/1, but the results were the same... With or without ACL 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface FastEthernet0/0, 1723 is 'visible' and I can connect with the VPN client. I suspect that the route-maps can cause this, because the same setup worked well without the second cellular interface we use as failover.
Interesting parts of the config:
vpdn enable
!
vpdn-group vpn-dialin
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name PPTP-Tunel
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description WAN MTS
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer string xxxxx
 dialer-group 1
 async mode interactive
 ppp chap hostname xxx
 ppp chap password 7 xxxxxxxxxx
 ppp ipcp dns request
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn-pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip nat inside source route-map EN interface FastEthernet0/1 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload
route-map 3G permit 10
 match ip address 1 103
 match interface Cellular0/0/0
!
route-map EN permit 10
 match ip address 1 103
 match interface FastEthernet0/1
Try the following:
route-map 3G permit 10
 match ip address 103
 match interface Cellular0/0/0
!
route-map EN permit 10
 match ip address 103
 match interface FastEthernet0/1
access-list 103 deny ip host 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
end
clear ip nat translation *
-
Hello
I'm having a problem getting PPTP access to a Windows 2008 server behind a Cisco 877 ISR. I have forwarded port 1723 and opened the firewall to allow access to this server. I also allowed GRE, but even so, when I connect from an external source it times out saying that GRE is not allowed.
Current configuration : 9271 bytes
!
! Last configuration change at 15:14:23 London Sat Aug 8 2009 by sa_mprit
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DSL-RT01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
clock timezone London 0
clock summer-time London date 30 Mar 2003 1:00 26 Oct 2003 2:00
!
crypto pki trustpoint TP-self-signed-1816409427
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1816409427
 revocation-check none
 rsakeypair TP-self-signed-1816409427
!
!
crypto pki certificate chain TP-self-signed-1816409427
 certificate self-signed 01
  quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name parenta.co.uk
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxx privilege 15 password 0 xxxx
username xxx privilege 15 password 0 xxxx
!
!
!
class-map type inspect match-all TSRDP
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
 match class-map TSRDP
 match access-group name TSRDP
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all CRDPM
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map CRDPM
 match access-group name CRDPM
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-all VPN
 match class-map SDM_GRE
 match protocol pptp
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match class-map VPN
class-map type inspect match-any SDM-voice-enabled
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
 match protocol pptp
 match protocol isakmp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 103
 match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-ftp-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
 class class-default
  drop log
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-voice-enabled
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.0.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 PARENTA1
 ppp pap sent-username xxx password 0 xxx
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool WORKSTATION xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat pool PARENTANAT xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool WORKSTATION overload
ip nat inside source static tcp 192.168.0.8 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 192.168.0.4 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 192.168.0.77 21 xxx.xxx.xxx.xxx 21 extendable
ip nat inside source static tcp 192.168.0.77 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.0.4 1723 xxx.xxx.xxx.xxx 1723 extendable
ip nat inside source static tcp 192.168.0.3 3389 xxx.xxx.xxx.xxx 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended CRDPM
 remark SDM_ACL Category=128
 permit ip any host 192.168.0.4
ip access-list extended SDM_GRE
 remark CCP_ACL Category=0
 permit gre any any
ip access-list extended TSRDP
 remark SDM_ACL Category=128
 permit ip any host 192.168.0.8
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.142.74.120 0.0.0.7 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.3
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.77
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.77
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.0.4
access-list 104 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
banner login ^CThis is a managed router if you are not the administrator of this router please close now ^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
Any help would be great
Thank you very much
Hi Alex,
In the configuration, I see you have inspected the GRE traffic. ZBF cannot inspect GRE; that traffic must be given the 'pass' action, while keeping the 'inspect' action for the PPTP traffic. Once you do this, you will also need to 'pass' the GRE return traffic from the in-zone to the out-zone.
If this still doesn't resolve your problem, turn on the audit trail using "ip inspect audit-trail", check the logs to see what traffic ZBF drops, and act accordingly.
Tanveer Dewan
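A way to apply the reply above to the posted config, as an added example that is not Alex's or Tanveer's own configuration. Object names and addresses are those from the config earlier in the thread; PUBLIC_PPTP_IP is a placeholder for a spare address from the router's public /29.

```text
! Added example, not part of the original thread.
!
! Posted (before): GRE is folded into a match-all class together with pptp and
! the whole class is inspected. ZBF cannot inspect GRE (IP protocol 47), and a
! match-all of "is GRE" and "is pptp (TCP 1723)" can never be true at once.
!   class-map type inspect match-all VPN
!    match class-map SDM_GRE
!    match protocol pptp
!   class-map type inspect match-all sdm-nat-pptp-1
!    match access-group 104
!    match class-map VPN
!
! After: keep "inspect" for the TCP 1723 control channel, give GRE its own
! class and "pass" it in both directions (pass is stateless, so each
! zone-pair needs it).
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match protocol pptp
!
! ACL 104 should name only the PPTP server; drop its trailing permit-any line.
no access-list 104
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.0.4
!
! Outside -> inside: new PPTP sessions and the GRE that follows them
! (other classes of the posted policy-map stay as they were).
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
!
! Inside -> outside: the GRE return direction, passed explicitly instead of
! relying on class-default.
policy-map type inspect sdm-inspect
 class type inspect SDM_GRE
  pass
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  pass
!
! zone-pair sdm-zp-NATOutsideToInside-1 and sdm-zp-in-out already bind these
! policy-maps, so nothing changes there.
!
! NAT: a port-level "extendable" static carries TCP 1723 only; GRE has no
! port, so map the whole server to a dedicated public address instead.
no ip nat inside source static tcp 192.168.0.4 1723 xxx.xxx.xxx.xxx 1723 extendable
ip nat inside source static 192.168.0.4 PUBLIC_PPTP_IP
```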
-
PIX501 VPN PPTP: I need to browse the Internet from the remote side via my VPN server
Hello
I'm using PPTP for remote access to my VPN server; it can connect remotely to the LAN, but I do not have Internet access on the remote side, which is what I need...
I'm using the Windows PPTP client and have selected "use default gateway on remote network", but it still does not work.
Could you help me? Thanks in advance
Rolando
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
access-list inside_access_in permit ip any any
access-list outside_access_in remark outside access list
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.200 255.255.255.248
pager lines 24
logging history alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote_users 192.168.1.200-192.168.1.205
!
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local remote_users
vpdn group PPTP-VPDN-GROUP client configuration dns 200.57.2.108 200.57.7.61
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username * password *
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 200.57.2.108 200.57.7.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
The PIX cannot re-route traffic back to the Internet because that is a feature supported on version 7.x and higher, and you cannot run 7.x code on a PIX501.
You can send all traffic through the tunnel (to the PIX) and have the PIX route this traffic to an internal router (on the inside), which then sends it back through the PIX to the Internet.
Federico.
-
How to limit outbound PPTP VPN client connections
We have an ASA with inspect pptp enabled. However, is there a way to allow PPTP connections out of our LAN 192.168.0.0 only to certain specific IPs on the Internet, like 88.88.88.88 and 89.89.89.89, through an ACL? Right now users can connect out to any PPTP VPN they see fit.
I tried with NAT with no luck.
This is the error message I got before enabling inspect pptp.
3|Jul 03 2007 13:36:33|305006: regular translation creation failed for protocol 47 src inside:192.168.1.199 dst outside:66.201.201.207
and this is our config (before inspect pptp):
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ExchangeOWA tcp
 description Exchange Web and Mobile Access
 port-object eq smtp
 port-object eq https
 port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list outside extended permit ip any any
access-list cont_in extended permit ip host 66.66.66.135 any
access-list outside extended permit tcp any host 66.66.66.133 object-group ExchangeOWA
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit icmp any any echo-reply
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BBBB-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 www 192.168.1.16 www netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 https 192.168.1.16 https netmask 255.255.255.255
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.129 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
If you added the ACL exactly as it appears above, it would not need to specifically allow http and https, as the second-to-last line allows all IP.
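One way to express the restriction asked for in this question with an ACL applied inbound on the inside interface, as an added example that is not part of the thread. It assumes the inside interface has no access-group yet (the posted config only applies one on "outside"); the two destination addresses are the ones named in the question.

```text
! Added example, not from the original thread.
! PPTP is two things: the TCP 1723 control channel and GRE (IP protocol 47).
! With "inspect pptp" on, the ASA opens the GRE pinholes for an inspected
! control session itself; GRE is still listed here so the rule stays correct
! if inspection is ever turned off. Order matters: the denies must come
! before the final permit.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 88.88.88.88 eq pptp
access-list inside_access_in extended permit gre 192.168.0.0 255.255.0.0 host 88.88.88.88
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 89.89.89.89 eq pptp
access-list inside_access_in extended permit gre 192.168.0.0 255.255.0.0 host 89.89.89.89
! Any other PPTP attempt from the LAN is dropped and logged; it never reaches
! NAT, so the 305006 "protocol 47" translation failures for those hosts stop.
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.0.0 any eq pptp log
access-list inside_access_in extended deny gre 192.168.0.0 255.255.0.0 any log
! Everything else keeps the behaviour the interface had without an ACL.
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! PPTP inspection stays enabled, as the question says it already is.
policy-map global_policy
 class inspection_default
  inspect pptp
```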
-
PIX 6.2(2); PPPoE and PPTP
I am running a PIX501 with PPPoE and am having problems connecting to the corporate PPTP server. If I replace the PIX with a Linksys NAT box, everything works fine. I'm not having any other connectivity problems with the PIX.
Puzzled
The PIX does not support PPTP connections through PAT until the next version of the code, v6.3, to be released in late March, if all goes well.