Re: Cisco PIX 501 private addressing



In article <1134613164.314223.108780@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
ping <wterng@xxxxxxxxx> wrote:
>Is it possible to configure PPTP VPN to work in the below
>configuration?

>Currently PIX 501 sits behind an ADSL router. External interface is not
>getting public IP, but DHCP assignment by ADSL router(192.168.1.0/24).
>The internal interface has DHCP Server configured to lease IP of
>172.16.1.0/16 to the internal network. Do I need to configure any port
>forwarding in ADSL router? If so, which port should I forward?

PPTP needs UDP 1723 and GRE (IP protocol 47 -- not a TCP or UDP port!)

>I thought of using PPPoE in PIX 501, disable the NAT & change to bridge
>mode for ADSL router. Do you think this will work?

Yes, that is a common setup.

>By default is the
>VPN traffic filtered through access list?

Yes, but turning off that filtering is done so often in so
many examples that most people mistake the step as just being
yet another magical part of creating a VPN.

In particular, if you have sysopt connection permit-pptp
then your PPTP traffic will NOT be filtered by the ACLs.
The default from the factory is for that not enabled: when it
is not enabled, then VPN traffic is filtered by the inside ACL
for outgoing traffic and by the outside ACL for incoming traffic.
Therefore, with a single step you can turn off all the PPTP access
controls -- or you can take advantage of access controls to be
very picky about where the pptp users can access.

>How to configure port forwarding in PIX 501?

You don't need it for the configuration you've outlined.

When you are using pptp you very likely associate the vpdn group
with an ip address pool of private (RFC1918) IPs, and you
very likely configure an access list and use
nat (inside) 0 access-list ACLNAME
As well as turning off address translation for the tunneled traffic,
it has the side effect of turning off the need to use 'static'
or "policy nat" in order to configure port forwarding for VPN users.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
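An added configuration fragment, not part of the original post, that puts the reply's pieces together in PIX 6.x syntax: an RFC1918 pool for the vpdn group, the `nat (inside) 0 access-list` exemption, and the choice between `sysopt connection permit-pptp` and leaving it off so the outside ACL restricts what VPN users can reach. The inside network 172.16.0.0/16, the pool range, the server address 172.16.1.10, and the names PPTPPOOL, NONAT, PPTP and OUTSIDE_IN are all made up for this example.

```cisco
! Added example (not from the original post). Assumed addressing: inside net
! 172.16.0.0/16, PPTP client pool 172.16.1.200-172.16.1.220, one internal
! server at 172.16.1.10. All names below are hypothetical.

! Private addresses handed out to PPTP clients.
ip local pool PPTPPOOL 172.16.1.200-172.16.1.220

! Exempt inside <-> VPN-client traffic from translation. This is the nat 0
! the reply refers to: tunneled traffic is never NATed, so no 'static' or
! policy NAT is needed to make inside hosts reachable for VPN users.
access-list NONAT permit ip 172.16.0.0 255.255.0.0 172.16.1.192 255.255.255.192
nat (inside) 0 access-list NONAT

! PPTP server terminating on the outside interface.
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe 40 required
vpdn group PPTP client configuration address local PPTPPOOL
vpdn group PPTP client authentication local
vpdn username alice password CHANGE-ME-PLACEHOLDER
vpdn enable outside

! Option A, what most published examples do: decrypted PPTP traffic bypasses
! the interface ACLs entirely.
!   sysopt connection permit-pptp

! Option B, the "picky" alternative from the reply: leave permit-pptp off, so
! decrypted client traffic is checked by the outside ACL. Here VPN clients
! may only reach one server on TCP 445; everything else from the pool is
! dropped by the implicit deny.
access-list OUTSIDE_IN permit tcp 172.16.1.192 255.255.255.192 host 172.16.1.10 eq 445
access-group OUTSIDE_IN in interface outside
```

Use one of the two options, not both; with `sysopt connection permit-pptp` present, the OUTSIDE_IN entries have no effect on VPN traffic. Whether the PPTP control connection (TCP 1723) and GRE (IP protocol 47) addressed to the PIX's own outside interface also need entries in OUTSIDE_IN depends on the PIX software version, so check the release documentation before relying on option B. If the PIX keeps its private outside address behind the ADSL router, that router must still pass TCP 1723 and GRE to the PIX's outside address; if the ADSL router is put in bridge mode and the PIX runs PPPoE, as the poster proposed, that forwarding step disappears.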


