PPTP to NAT

I have a client wanting to allow PPTP into their internal network. They perform NAT on a 1751 with IOS 12.2 and have a single public IP address. They use static NAT entries to allow incoming SMTP and Terminal Server services. Static NAT entries do not support protocol 47 (GRE), so we cannot do it this way. What other options do they have? I think they'll have to get another public IP address and translate all incoming traffic to this IP address to the internal IP address where PPTP terminates. Will this work, and can several external VPN users connect to the internal network's IP address via NAT only? Thanks in advance.

The only way to do it is to get a second IP address, then set up a one-to-one static translation for it and have all your users connect to this static IP address. Yes, multiple users can connect to this IP address, no problem.

The issue here is, as you said, you cannot map GRE through with just the one IP address, so they need another one and can map all protocols through it with just a standard static NAT translation.

Tags: Cisco Security

Similar Questions

  • several clients behind a PPTP firewall/NAT device connecting to a VPN 3015

    Hello

    I'll try the following:

    A Win2K PC behind a 3Com modem-to-LAN device (doing the NAT) tries to make a PPTP connection to our VPN concentrator. One client will always be able to establish the connection, but subsequent clients will fail. The VPN concentrator displays the following message:

    815 10/21/2002 19:55:49.870 SEV=4 PPTP/33 RPT=20 x.x.x.x
    PPTP tunnel for peer x.x.x.x refused - already established

    We also tried another site that is behind a firewall, and the same thing happens.

    Is such an arrangement possible using the 3015 VPN concentrator?

    Will this work if I use the IPsec client (Cisco or Win2K)?

    Thank you

    Norman

    I suspect that you really have a PAT environment (Port Address Translation, i.e. multiple inside hosts behind a single outside address). If this is the case, PPTP will fail because it uses GRE, which is IP protocol 47 (I think), as well as TCP port 1723. Since GRE has no port associated with it, unlike TCP or UDP, most implementations either fail completely or, as in your case, allow only one simultaneous connection.

    If you go to IPsec using the Cisco Unity client, you can work around this by implementing IPsec over UDP, which encapsulates the traffic in UDP, thus allowing ports to be associated with the different connections.

  • Need help! ASA 5505 not passing PPTP through to the internal server

    Hello:

    Recently I added a new Cisco ASA 5505 as the company network firewall. I found that PPTP authentication does not get through to the internal Microsoft server. Any help and answers are appreciated.

    Please see my setup as below. Thank you!

    ASA Version 8.4(3)
    !
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.8.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 177.164.222.140 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 172.29.8.0 255.255.255.0
    object service RDP
     service tcp source eq 3389
    object network Orange
     host 172.29.8.151
    object network WAN_173_164_222_138
     host 177.164.222.138
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
    object network guava
     host 172.29.8.3
    object service L2TP
     service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server guava protocol nt
    aaa-server guava (inside) host 172.29.8.3
     timeout 15
     nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    dhcpd auto_config off vpnclient-wins-override
    !
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
     dns-server value 172.29.8.3
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_Tunnel_User
     default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username <user> password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
     address-pool ABC_HQVPN_DHCP
     authentication-server-group guava
     default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    !
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,

    The first thing I noticed

    In the ACL you are pointing at the public IP while it should be the private one (you have a permit ip any any at the end, so it is not a problem; FYI, if you decide to remove that permit ip any any, then you should point at the servers' private IP addresses).

    Now, the policy where the PPTP inspection, etc. is configured is not applied to any service-policy, so add:

    service-policy global_policy global

    Don't forget that for a PPTP connection to get established we should see two things:

    - Negotiation is done on TCP port 1723, and then the data packets are carried over GRE.

    Follow my blog for more information on this topic:

    http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/

    Try and let me know

    Julio

  • WRT160N V2 multiple PPTP connections

    Hello

    I have a problem trying to connect multiple computers to a PPTP VPN.

    I have a WRT160N connected to the internet with the option Automatic Configuration - DHCP.

    2 computers behind the router get their IP from the router via DHCP.

    I can connect with one computer without any problems.

    When I try to connect with my second computer the connections just freeze.

    I read it has something to do with GRE packets, or something like that; I'm not a network expert, so this information is enough for me. My questions are:

    1 - Is it possible to use this router and have more than one computer connected to the VPN?

    2 - If not, is there any other wireless router I can use to fix this?

    Any help will be greatly welcomed

    Thanks in advance

    Tonio

    It depends. It should be possible to connect to two different PPTP servers on the internet.

    It is not possible to connect two computers to the same PPTP server via a NAT router. This is simply because the router would have to dig a lot deeper into the GRE packets to distinguish the GRE traffic of two client connections between the PPTP server and the router's public IP address.
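    The collision the two answers above describe (the VPN 3015 "only one simultaneous connection" and the WRT160N "second computer freezes") can be made concrete with a small model. This is an added example, not code from the thread or from any Cisco/Linksys product: it models a single-address PAT device first with only port-based translation, then with a PPTP-aware ALG that learns Call IDs from the TCP/1723 control channel and uses the Call ID carried in the enhanced GRE header (RFC 2637) to tell two inside clients apart, which is the job that `inspect pptp` on the ASA and `fixup protocol pptp 1723` on the PIX perform. All addresses and Call IDs are constructed sample values, and the control channel is reduced to the one Outgoing-Call-Request field that matters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GRE = 47                    # IP protocol number of GRE
TCP = 6
PUBLIC_IP = "203.0.113.10"  # constructed: the NAT device's only outside address
SERVER = "198.51.100.5"     # constructed: the PPTP server on the Internet

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0    # TCP only
    dport: int = 0    # TCP only
    call_id: int = 0  # GRE only: Call ID field of the enhanced GRE header (RFC 2637)

class PlainPAT:
    """Single-address PAT that can only multiplex on TCP/UDP port numbers."""

    def __init__(self) -> None:
        self.next_port = 1024
        self.tcp: Dict[Tuple[str, int, str, int], int] = {}
        self.gre_owner: Dict[str, str] = {}  # server -> the one inside host owning GRE to it

    def control_request(self, src: str, server: str, call_id: int) -> int:
        """Outgoing-Call-Request on TCP/1723 passes through untouched."""
        return call_id

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == TCP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.tcp:
                self.tcp[key] = self.next_port
                self.next_port += 1
            return Packet(PUBLIC_IP, p.dst, TCP, self.tcp[key], p.dport)
        if p.proto == GRE:
            # GRE has no port, so the only key is (public IP, server): a second
            # inside host towards the same server cannot get its own translation.
            owner = self.gre_owner.setdefault(p.dst, p.src)
            if owner != p.src:
                return None  # dropped, as in PIX "translation creation failed for protocol 47"
            return Packet(PUBLIC_IP, p.dst, GRE, call_id=p.call_id)
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == GRE:
            owner = self.gre_owner.get(p.src)
            return Packet(p.src, owner, GRE, call_id=p.call_id) if owner else None
        return None

class PptpAlgPAT(PlainPAT):
    """PAT with a PPTP ALG (the job of ASA `inspect pptp` / PIX `fixup protocol pptp`):
    it learns Call IDs from the control channel and keys GRE on (server, Call ID)."""

    def __init__(self) -> None:
        super().__init__()
        self.next_call = 1000
        # (server, public Call ID) -> (inside host, that host's original Call ID)
        self.calls: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def control_request(self, src: str, server: str, call_id: int) -> int:
        pub = self.next_call  # unique Call ID as the server will see it
        self.next_call += 1
        self.calls[(server, pub)] = (src, call_id)
        return pub

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == GRE:
            # Client->server GRE carries the *server's* Call ID, which is already
            # unique from the server's point of view: only the source address changes.
            return Packet(PUBLIC_IP, p.dst, GRE, call_id=p.call_id)
        return super().outbound(p)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == GRE:
            entry = self.calls.get((p.src, p.call_id))
            if entry is None:
                return None
            inside, orig = entry
            return Packet(p.src, inside, GRE, call_id=orig)  # restore the client's own Call ID
        return super().inbound(p)

def run_scenario(nat: PlainPAT) -> List[Tuple[bool, Optional[str], int]]:
    """Two inside clients dial the same PPTP server through one outside address.
    Per client: (client->server GRE forwarded?, inside host that received the
    server's GRE reply, Call ID that host saw in it)."""
    results: List[Tuple[bool, Optional[str], int]] = []
    for client in ("192.168.1.10", "192.168.1.11"):
        nat.outbound(Packet(client, SERVER, TCP, 50000, 1723))  # control connection
        seen_by_server = nat.control_request(client, SERVER, 1)  # both clients pick Call ID 1
        fwd = nat.outbound(Packet(client, SERVER, GRE, call_id=7000 + len(results)))
        reply = nat.inbound(Packet(SERVER, PUBLIC_IP, GRE, call_id=seen_by_server))
        results.append((fwd is not None, reply.dst if reply else None, reply.call_id if reply else -1))
    return results
```

    With `PlainPAT` the second client's outbound GRE is dropped and the server's reply for it is delivered to the first client; with `PptpAlgPAT` both clients get their own GRE flows back with their original Call ID.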

  • Problem with Port Forwarding (when PPTP is up) on the WRT-160N

    Hello world!

    I'm looking for some help with Port Forwarding on my new Linksys router. I bought the router a few days ago and was pretty surprised when I discovered that DD-WRT firmware was installed on it (the router was 100% NEW when I bought it). I downloaded the latest original Linksys firmware and flashed it successfully.

    But I still have the problem (I had it on the DD-WRT firmware too) with port forwarding for my DC++ and Vuze (torrent app): I set up port forwards for ports 49151 (for Vuze) and 4000 (for DC++) to my desktop computer (IP 192.168.1.201). I saw a post on this forum that there could be a problem if you forward to an IP address that is within the DHCP range, so I forwarded to IP .201 (my local DHCP range is 192.168.1.100-.149). But it does not forward :((

    What's wrong?

    My configuration:

    Router IP: 192.168.1.1

    PPTP (from my ISP)

    IP address: 192.168.226.127

    Default gateway: 192.168.226.2

    DNS 1: 192.168.1.1

    DNS 2 & 3: 0.0.0.0

    The IP address of the PPTP server: 192.168.226.2

    User name: *****

    Password: *****

    _____________________

    Simple Port Forwarding:

    Application name  External port  Internal port  Protocol  To IP address  Enabled
    Vuze              49151          49151          Both      192.168.1.201  checked
    DC                4000           4000           Both      192.168.1.201  checked

    As you mentioned in your post, your ISP has provided you with a PPTP connection with an IP address of 192.x.x.x. The IP address provided by your ISP is in a private range, and if you try to forward any ports on your router it will not work, as your ISP's modem is blocking that port. You need to get a public IP address from your ISP.

    As you get a private IP from your ISP, this kind of connection is called NAT behind NAT, and your modem behaves like a router.

    So now you have 2 options: get a public IP address from your ISP, or change the type of connection.

  • W2000 PPTP through the PIX

    Inside a simply configured PIX I have a W2000 VPN client using PPTP. The client cannot talk to another PIX outside, configured with VPDN.

    Everything works as expected if I put in a NETGEAR 801 NAT firewall instead of the simple PIX.

    See PIX config and syslog. What's wrong?

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd FAXRuw8pF2Tl7oBe encrypted
    hostname HMS
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list acl_outside permit icmp any any
    access-list acl_outside permit gre any any
    access-list acl_outside permit esp any any
    pager lines 24
    logging on
    logging console debugging
    logging trap debugging
    logging host inside 194.132.183.10
    interface ethernet0 10baset
    interface ethernet1 10baset
    mtu outside 1500
    mtu inside 1500
    ip address outside 217.215.220.221 255.255.255.0
    ip address inside 194.132.183.2 255.255.255.192
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl_outside in interface outside
    route outside 0.0.0.0 0.0.0.0 217.215.220.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    HMS#

    Syslog said:

    %PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
    %PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
    %PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
    %PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
    %PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
    %PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
    %PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs

    First off, I would say don't cut and paste your PIX config here, or at least x.x.x.x out your external IP address.

    The PIX does not support PPTP through PAT (nat/global). PPTP uses IP protocol 47 (GRE), and the PIX cannot PAT it because there is no TCP/UDP port number to use.

    PIX 6.3 code will support it, but it won't be available until the beginning of next year. At the moment the only way around your situation is to define a one-to-one NAT translation for this internal host. Something like:

    > static (inside,outside) 217.215.220.222 194.132.183.10 netmask 255.255.255.255 0 0

    will do it for you, provided 217.215.220.222 is routed to you and available. I would also change

    > access-list acl_outside permit gre any any

    TO

    > access-list acl_outside permit gre host 194.71.189.109 host 217.215.220.222

    It's a little safer.
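    The syslog in this post is a recognisable signature: a TCP/1723 connection is built, then protocol 47 translation creation fails for the same inside host and server. As an added example that is not part of the thread, the following parser correlates those two PIX/ASA message IDs (302013 and 305006) so a log review can pick out PPTP clients stuck behind PAT without fixup or inspection. The sample log is constructed, modelled on the lines the poster quoted and using the addresses from this post; the extra protocol 50 line is there only to show that unrelated translation failures are not flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Message shapes follow the PIX/ASA syslog IDs quoted in the post (302013, 305006).
TCP_BUILT = re.compile(
    r"%(?:PIX|ASA)-6-302013: Built (?:outbound|inbound) TCP connection \d+ for "
    r"\w+:(?P<peer>[\d.]+)/(?P<pport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<host>[\d.]+)/\d+"
)
XLATE_FAIL = re.compile(
    r"%(?:PIX|ASA)-3-305006: .*?translation creation failed for protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+)(?:/\d+)? dst \w+:(?P<dst>[\d.]+)"
)

# Constructed sample log, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic TCP translation from inside:194.132.183.10/1366 to outside:217.215.220.221/1124
%PIX-6-302013: Built outbound TCP connection 212 for outside:194.71.189.109/1723 (194.71.189.109/1723) to inside:194.132.183.10/1366 (217.215.220.221/1124)
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 47 src inside:194.132.183.10 dst outside:194.71.189.109
%PIX-3-305006: regular translation creation failed for protocol 50 src inside:194.132.183.20 dst outside:198.51.100.7
%PIX-6-302014: Teardown TCP connection 212 for outside:194.71.189.109/1723 to inside:194.132.183.10/1366 duration 0:00:10 bytes 788 TCP FINs
"""


def find_pptp_pat_failures(log: str) -> Dict[Tuple[str, str], int]:
    """Map (inside host, PPTP server) -> number of GRE (protocol 47) translation
    failures seen after that host built a TCP/1723 control connection to the server.
    A hit means a PPTP client sits behind PAT with no PPTP fixup/inspection."""
    control: set = set()
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        m = TCP_BUILT.search(line)
        if m:
            if m["pport"] == "1723":
                control.add((m["host"], m["peer"]))
            continue
        m = XLATE_FAIL.search(line)
        if m and m["proto"] == "47" and (m["src"], m["dst"]) in control:
            failures[(m["src"], m["dst"])] += 1
    return dict(failures)


def report(log: str) -> List[str]:
    """One human-readable line per affected host, for a ticket or dashboard."""
    return [
        f"{host} -> {server}: {n} GRE translation failures after TCP/1723; "
        f"needs a one-to-one static NAT or PPTP inspection on the firewall"
        for (host, server), n in sorted(find_pptp_pat_failures(log).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```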

  • Cisco RV120W PPTP changes source IP address

    I have a VoIP application that I am trying to run over a PPTP VPN tunnel on an RV120W router.

    The system is a NEC SV8100 PBX communicating with the NEC softphone (SP310). The system uses SIP to set up the call and for other signalling. It uses RTP to transmit/receive the audio stream.

    The problem I have is that there is no audio stream from the phone. SIP communication and the audio stream to the phone work fine. The symptom is: on a call, the remote side cannot hear you, but you can hear them.

    I did a trace of the RV120W package and found the following:

    No.  Time      Source         Dest.          Protocol  Info
    948  9.358957  192.168.1.252  192.168.1.52   RTP       PT=ITU-T G.711 PCMU, SSRC=0x7F1621CA, Seq=14361, Time=779040
    949  9.359530  192.168.1.1    192.168.1.252  RTP       PT=ITU-T G.711 PCMU, SSRC=0xE943F2E7, Seq=19090, Time=3940936556

    192.168.1.252 => NEC PBX
    192.168.1.52  => softphone connected via PPTP
    192.168.1.1   => RV120W

    As you can see, the source IP address differs from its origin: 192.168.1.52 becomes 192.168.1.1. The NEC PBX expects the packet to come from the softphone (192.168.1.52), not the RV120W (192.168.1.1). As a result, it ignores the RTP packet and does not relay it to the remote side.

    Is there a reason why the RV120W is running NAT on PPTP packets? Can it be turned off somehow?

    All ideas will be useful.

    Thank you!

    --

    Joe Ripley

    Choosing the RV220 is the option.

  • How to allow PPTP VPN access through the ASA

    Hi guys,

    I need to allow VPN clients to reach an internal PPTP server located behind an ASA firewall and running on a Windows 2K8 Server machine.

    I found that the setup differs by ASA version. I'm on ASA Version 8.2(5).

    There are many rules in place and I want to keep them. I found a lot of guides are bad because they push the reader to remove the existing rules rather than add new ones.

    Can you please let me know how (if possible via ASDM), and whether I should expect issues when I decide to upgrade my ASA?

    Thank you

    Dario

    You must configure a static NAT translation, because I believe the PPTP traffic is incoming from the Internet.

    You must allow PPTP traffic on the outside interface: TCP/1723

    You must enable PPTP inspection: inspect pptp

  • PPTP and PIX

    Hello

    I have a Microsoft PC on the local network and want to connect via a PPTP VPN connection to another network. I know that I must allow TCP port 1723 and IP protocol 47 (GRE) out from inside the network. Of course this PC requires NAT.

    But how do I enable protocol 47 in the PIX configuration?

    Thanks.

    access-list cciesec permit tcp any any eq 1723 log
    access-list cciesec permit gre any any log
    access-group cciesec in interface inside
    fixup protocol pptp 1723

    Easy right?

  • Outside access for PPTP users on PIX

    Hello everyone, I have a PIX 506 running software 6.3(5) and configured to accept PPTP VPN connections from outside. It works very well: the PPTP users get a local IP address from the configured pool and can access inside hosts as expected. What I want now is that PPTP users can access the internet from here just like inside hosts, via dynamic NAT to the outside interface. On the ASA 5505 this is achieved by same-security-traffic permit intra-interface and a corresponding nat (outside) configuration (with IPsec VPN clients, not PPTP). On the PIX with the PPTP clients I cannot get this result. Is it possible somehow? Thanks a lot for any suggestion, Grischa

    grischast wrote:

    Dear all  I have a PIX 506 running Software 6.3(5) and configured it to accept PPTP VPN connections from outside.  This works very well, PPTP users get a local IP address from the configured pool and can access inside hosts as expected.  What I want now is that PPTP users can access the internet from here just like inside hosts via dynamic NAT to the outside interface. On ASA5505 this is achieved by    same-security-traffic permit intra-interface and corresponding    nat (outside) configuration (with IPsec-VPN-Clients, not PPTP, though). On the PIX with PPTP clients I cannot achieve this result.  Is it possible somehow?  Thanks a lot for any suggestion,  Grischa

    Grischa

    Unfortunately no, it is not possible on the PIX 506 running v6.x. The reason is that the feature you need is called "hairpinning", which is activated with the command "same-security-traffic permit intra-interface". But it is not available on PIX v6.x code.

    It is available on PIX v7.x code and later, but unfortunately the PIX 506 cannot be upgraded to v7.x code. The minimum PIX model that can run v7.x code is the PIX 515E.

    Jon

  • 1841 configured as PPTP server, but port 1723 is filtered

    IOS: c1841-advsecurityk9-mz.124-15.T4.bin

    Nmap reports port 1723 as filtered.

    ACL 101 denies port 1723. I tried removing acl 101 from FastEthernet0/1, but the results were the same... With or without acl 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface FastEthernet0/0 1723 is 'visible' and I can connect with the VPN client. I suspect that the route-maps may cause this, because the same setup worked well without the second cellular interface we use as failover.

    Interesting parts of conf:

    vpdn enable
    !
    vpdn-group vpn-dialin
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
     local name PPTP-Tunel
    !
    interface FastEthernet0/0
     description $FW_INSIDE$$ETH-LAN$
     ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly
     rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
     speed auto
     full-duplex
     no mop enabled
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$$ETH-WAN$
     ip address xxx.xxx.xxx.xxx 255.255.255.248
     ip access-group 101 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip ips sdm_ips_rule in
     ip nat outside
     ip virtual-reassembly
     rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
     duplex auto
     speed auto
     no mop enabled
    !
    interface Cellular0/0/0
     description WAN MTS
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer in-band
     dialer string xxxxx
     dialer-group 1
     async mode interactive
     ppp chap hostname xxx
     ppp chap password 7 xxxxxxxxxx
     ppp ipcp dns request
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     peer default ip address pool vpn-pool
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2
    !
    ip nat inside source route-map EN interface FastEthernet0/1 overload
    ip nat inside source route-map 3G interface Cellular0/0/0 overload
    route-map 3G permit 10
     match ip address 1 103
     match interface Cellular0/0/0
    !
    route-map EN permit 10
     match ip address 1 103
     match interface FastEthernet0/1

    Try the following:

    route-map 3G permit 10
     match ip address 103
     match interface Cellular0/0/0
    !
    route-map EN permit 10
     match ip address 103
     match interface FastEthernet0/1
    !
    access-list 103 deny ip host 192.168.10.250 any
    access-list 103 permit ip 192.168.10.0 0.0.0.255 any
    access-list 103 permit ip 192.168.11.0 0.0.0.255 any
    access-list 103 permit ip host 192.168.9.4 any
    access-list 103 permit ip host 192.168.9.5 any
    end
    clear ip nat translation *

  • Cannot get the PPTP server

    Hello

    I'm having a problem getting PPTP access to a Windows 2008 server behind a Cisco 877 ISR. I have forwarded port 1723 and opened the firewall to allow access to this server. I have also allowed GRE access, but even so, when I connect from an external source it times out, saying that GRE is not allowed.

    Current configuration : 9271 bytes
    !
    ! Last configuration change at 15:14:23 London Sat Aug 8 2009 by sa_mprit
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname DSL-RT01
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    !
    no aaa new-model
    !
    !
    !
    clock timezone London 0
    clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-1816409427
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1816409427
     revocation-check none
     rsakeypair TP-self-signed-1816409427
    !
    !
    crypto pki certificate chain TP-self-signed-1816409427
     certificate self-signed 01
      quit
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip bootp server
    ip domain name parenta.co.uk
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip port-map user-protocol--1 port tcp 3389
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username xxx privilege 15 password 0 xxxx
    username xxx privilege 15 password 0 xxxx
    !
    !
    !
    class-map type inspect match-any TSRDP
     match protocol user-protocol--1
    class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
     match class-map TSRDP
     match access-group name TSRDP
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-any CRDPM
     match protocol user-protocol--1
    class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
     match class-map CRDPM
     match access-group name CRDPM
    class-map type inspect match-any sdm-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-insp-traffic
     match class-map sdm-cls-insp-traffic
    class-map type inspect match-any SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any VPN
     match class-map SDM_GRE
     match protocol pptp
    class-map type inspect match-all sdm-nat-pptp-1
     match access-group 104
     match class-map VPN
    class-map type inspect match-any sdm-voice-permit
     match protocol h323
     match protocol skinny
     match protocol sip
    class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
     match protocol pptp
     match protocol isakmp
    class-map type inspect match-any sdm-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-icmp-access
     match class-map sdm-cls-icmp-access
    class-map type inspect match-all sdm-invalid-src
     match access-group 100
    class-map type inspect match-all sdm-protocol-http
     match protocol http
    class-map type inspect match-all sdm-nat-https-1
     match access-group 102
     match protocol https
    class-map type inspect match-all sdm-nat-ftp-1
     match access-group 103
     match protocol ftp
    !
    !
    policy-map type inspect sdm-permit-icmpreply
     class type inspect sdm-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-https-1
      inspect
     class type inspect sdm-nat-ftp-1
      inspect
     class type inspect sdm-nat-pptp-1
      inspect
     class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
      inspect
     class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
      inspect
     class class-default
      drop log
    policy-map type inspect sdm-inspect
     class type inspect sdm-invalid-src
      drop log
     class type inspect sdm-insp-traffic
      inspect
     class type inspect sdm-protocol-http
      inspect
     class type inspect sdm-voice-permit
      inspect
     class class-default
      pass
    policy-map type inspect sdm-permit
     class class-default
      drop
    !
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
     service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-out-self source out-zone destination self
     service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
     service-policy type inspect sdm-inspect
    !
    !
    !
    !
    !
    !
    !
    interface Null0
     no ip unreachables
    !
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    !
    !
    interface ATM0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    !
    interface FastEthernet1
    !
    !
    interface FastEthernet2
    !
    !
    interface FastEthernet3
    !
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.0.100 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
    !
    !
    interface Dialer0
     description $FW_OUTSIDE$
     ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname xxx
     ppp chap password 0 PARENTA1
     ppp pap sent-username xxx password 0 xxx
    !
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip nat pool WORKSTATION xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
    ip nat pool PARENTANAT xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
    ip nat inside source list 1 pool WORKSTATION overload
    ip nat inside source static tcp 192.168.0.8 3389 xxx.xxx.xxx.xxx 3389 extendable
    ip nat inside source static tcp 192.168.0.4 3389 xxx.xxx.xxx.xxx 3389 extendable
    ip nat inside source static tcp 192.168.0.77 21 xxx.xxx.xxx.xxx 21 extendable
    ip nat inside source static tcp 192.168.0.77 443 xxx.xxx.xxx.xxx 443 extendable
    ip nat inside source static tcp 192.168.0.4 1723 xxx.xxx.xxx.xxx 1723 extendable
    ip nat inside source static tcp 192.168.0.3 3389 xxx.xxx.xxx.xxx 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip access-list extended CRDPM
     remark SDM_ACL Category=128
     permit ip any host 192.168.0.4
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=0
     permit gre any any
    ip access-list extended TSRDP
     remark SDM_ACL Category=128
     permit ip any host 192.168.0.8
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 81.142.74.120 0.0.0.7 any
    access-list 100 permit ip any any
    access-list 101 remark SDM_ACL Category=0
    access-list 101 permit ip any host 192.168.0.3
    access-list 102 remark SDM_ACL Category=0
    access-list 102 permit ip any host 192.168.0.77
    access-list 103 remark SDM_ACL Category=0
    access-list 103 permit ip any host 192.168.0.77
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 192.168.0.4
    access-list 104 permit ip any any
    dialer-list 1 protocol ip permit
    no cdp run

    !
    !
    !
    !
    !
    control-plane
    !
    !
    banner login ^CThis is a managed router if you are not the administrator of this router please close now^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    Any help would be great

    Thank you very much

    Hi Alex,

    In the configuration, I see you are inspecting the GRE traffic. ZBF cannot inspect non-IP traffic; it must be set to the 'pass' action, while keeping the 'inspect' action for the PPTP traffic. Once you do this, you will also need to 'pass' the returning GRE traffic from the in-zone to the out-zone.

    If this still does not resolve your problem, turn on the audit trail using "ip inspect audit-trail" and check the logs to see which traffic ZBF drops, then act accordingly.

    Tanveer Dewan

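    The split the reply above describes, written out against the poster's configuration as an added example (this is not the poster's or Cisco's own code): the PPTP control channel (TCP/1723) stays under the stateful `inspect` action, while GRE (IP protocol 47) gets the stateless `pass` action in both zone-pairs. Names taken from the config above are SDM_GRE, sdm-pol-NATOutsideToInside-1, sdm-inspect, sdm-nat-pptp-1 and 192.168.0.4; PPTP_SERVER, GRE_FROM_SERVER, CM_PPTP_CTRL, CM_GRE_IN and CM_GRE_OUT are names assumed here.

```cisco
! Added example, not from the original post. Splits the poster's combined
! sdm-nat-pptp-1 class (ACL 104 + class VPN, which matched GRE and PPTP
! together under "inspect") into an inspected control channel and a passed
! GRE data channel. Assumed names: PPTP_SERVER, GRE_FROM_SERVER, CM_*.
ip access-list extended PPTP_SERVER
 permit ip any host 192.168.0.4
ip access-list extended GRE_FROM_SERVER
 remark return direction: "pass" keeps no state, so it needs its own match
 permit gre host 192.168.0.4 any
!
! Control channel: stateful inspection creates the return entry itself
class-map type inspect match-all CM_PPTP_CTRL
 match access-group name PPTP_SERVER
 match protocol pptp
! GRE towards the server (reuses the poster's SDM_GRE ACL: permit gre any any)
class-map type inspect match-all CM_GRE_IN
 match access-group name SDM_GRE
! GRE from the server back out
class-map type inspect match-all CM_GRE_OUT
 match access-group name GRE_FROM_SERVER
!
! out-zone -> in-zone: drop the combined class, add the two new ones.
! New classes are placed ahead of class-default (drop log) automatically.
policy-map type inspect sdm-pol-NATOutsideToInside-1
 no class type inspect sdm-nat-pptp-1
 class type inspect CM_PPTP_CTRL
  inspect
 class type inspect CM_GRE_IN
  pass
!
! in-zone -> out-zone: inspect does not track GRE, so the replies must be
! passed explicitly. In the poster's config class-default is already "pass";
! the explicit class keeps GRE working if class-default is later set to drop.
policy-map type inspect sdm-inspect
 class type inspect CM_GRE_OUT
  pass
```

    After applying this, "show policy-map type inspect zone-pair" on the router shows per-class hit counts, which is the quickest way to confirm the GRE packets land in the pass classes rather than in class-default.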

  • PIX501 PPTP VPN: I need to browse the Internet from the remote side via my VPN server

    Hello

    I'm using PPTP for remote access to my VPN server. The remote client can connect to the LAN, but I have no Internet access on the remote side, which is what I need...

    I'm using the Windows PPTP client and I have selected "Use default gateway on remote network", but it still does not work.

    Could you help me? Thanks in advance.

    Rolando

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    !
    access-list inside_access_in permit ip any any
    access-list outside_access_in remark outside access
    access-list outside_access_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip any 192.168.1.200 255.255.255.248
    pager lines 24
    logging history alerts
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.*.* 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remote_users 192.168.1.200-192.168.1.205
    !
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 *.*.*.*
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    floodguard enable
    sysopt connection permit-pptp
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local remote_users
    vpdn group PPTP-VPDN-GROUP client configuration dns 200.57.2.108 200.57.7.61
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username * password *
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.1.100-192.168.1.199 inside
    dhcpd dns 200.57.2.108 200.57.7.61
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

    The PIX cannot re-route the traffic back out to the Internet, because that is a feature supported on version 7.x and higher, and you cannot run 7.x code on a PIX501.

    You can send all traffic through the tunnel (to the PIX) and have the PIX route that traffic to an internal router (at the head end), which then sends it back to the PIX and on to the Internet.

    Federico.

  • How to limit outbound PPTP VPN client connections

    We have an ASA with inspect pptp enabled. However, is there a way to allow PPTP connections out of our LAN 192.168.0.0 to certain specific IPs on the Internet, like 88.88.88.88 and 89.89.89.89, through an ACL? Right now, users can connect out to any PPTP VPN as they see fit.

    I tried with NAT, with no luck.

    This is the error message I got before enabling inspect pptp:

    3 | Jul 03 2007 13:36:33 | 305006: regular translation creation failed for protocol 47 src inside:192.168.1.199 dst outside:66.201.201.207

    and this is our config (before inspect pptp):

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service ExchangeOWA tcp
     description Exchange Web and Mobile Access
     port-object eq smtp
     port-object eq https
     port-object eq www
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
    access-list dzm extended permit ip any any
    access-list dzm extended permit icmp any any
    access-list outside extended permit ip any any
    access-list cont_in extended permit ip host 66.66.66.135 any
    access-list outside extended permit tcp any host 66.66.66.133 object-group ExchangeOWA
    access-list outside extended permit tcp any host 66.66.66.137 eq pptp
    access-list outside extended permit gre any host 66.66.66.137
    access-list outside extended permit icmp any any echo-reply
    access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
    access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
    access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
    access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool BBBB-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm512-k8.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
    static (inside,outside) tcp 66.66.66.133 www 192.168.1.16 www netmask 255.255.255.255
    static (inside,outside) tcp 66.66.66.133 https 192.168.1.16 https netmask 255.255.255.255
    static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
    static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 66.66.66.129 1
    route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
    route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
    route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
    route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
    timeout xlate 3:00:00

    If you added the ACL exactly as it appears above, it would not need to specifically allow http and https, as the second-to-last line allows all IP.
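    One way to restrict where PPTP sessions may be started, as an added example (not from the poster or the reply) in the pre-8.3 syntax the config above uses: an inbound ACL on the inside interface that permits the control channel (TCP/1723) and GRE only to the two peers named in the question, denies PPTP and GRE to anything else, and leaves all other traffic as it was. The group name PPTP_ALLOWED_PEERS and the ACL name inside_in are assumed; 192.168.0.0/16, 88.88.88.88 and 89.89.89.89 come from the question.

```cisco
! Added example, not from the original thread. Assumed names: PPTP_ALLOWED_PEERS,
! inside_in. The inside interface currently has no access-group, so the final
! "permit ip any any" preserves today's behaviour for everything that is not PPTP.
object-group network PPTP_ALLOWED_PEERS
 network-object host 88.88.88.88
 network-object host 89.89.89.89
!
! Control channel to the approved peers only
access-list inside_in extended permit tcp 192.168.0.0 255.255.0.0 object-group PPTP_ALLOWED_PEERS eq pptp
! GRE data channel to the same peers (protocol 47 has no port, so match it by protocol)
access-list inside_in extended permit gre 192.168.0.0 255.255.0.0 object-group PPTP_ALLOWED_PEERS
! Everything else that looks like PPTP is refused (logged so the attempts show up in syslog)
access-list inside_in extended deny tcp any any eq pptp log
access-list inside_in extended deny gre any any log
! Unchanged for all other traffic
access-list inside_in extended permit ip any any
!
access-group inside_in in interface inside
```

    Keep "inspect pptp" in the global policy: the ACL only decides which sessions may start, while the inspection is what lets the ASA open and translate the GRE flow for an approved session, which is the 305006 failure the question quotes.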

  • PIX 6.2(2); PPPoE and PPTP

    I am running a PIX501 with PPPoE and am having problems connecting to the corporate PPTP server. If I replace the PIX with a Linksys NAT box, everything works fine. I'm not having any other connectivity problems with the PIX.

    puzzled

    The PIX does not support PPTP connections through PAT until the next version of the code, v6.3, to be released in late March, if all goes well.
