PPTP VPN and PPPOE CLIENT ON PIX 501

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

PPTP VPN and PPPOE CLIENT ON PIX 501

Post by Guest » Sun Jul 18, 2010 12:23 pm

Hi, Can I create a PPTP VPN and a client connection on a PIX 501 with a PPPOE client connection to my ISP. The PPPOE ip is dynamic and the VPN will have a static IP. They gave me a username and password for the VPN and PPPOE. The also gave me a ip for the VPN server. What needs to happen is that the PPPOE must connect for the VPN to work. I can only get the PPPOE up, but dont know how to do this with a PPTP VPN together. Here is my config:PIX Version 6.33interface ethernet0 autointerface ethernet1 100fullnameif ethernet0 outside security0nameif ethernet1 inside security100enable password xxxxxxxx encryptedpasswd xxxxxxx encryptedhostname neveroffdomain-name neveroff.comfixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol tftp 69namesaccess-list incoming permit icmp any any echo-replyaccess-list incoming permit icmp any any source-quenchaccess-list incoming permit icmp any any unreachableaccess-list incoming permit icmp any any time-exceededpager lines 24icmp permit any echo outsideicmp permit any unreachable outsideicmp permit any time-exceeded outsideicmp permit any source-quench outsideicmp permit any echo-reply outsideicmp permit any information-reply outsideicmp permit any mask-reply outsideicmp permit any timestamp-reply outsidemtu outside 1500mtu inside 1500ip address outside pppoe setrouteip address inside 192.168.1.1 255.255.255.0ip audit info action alarmip audit attack action alarmpdm logging informational 100pdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 1 192.168.1.0 255.255.255.0 0 0static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0access-group incoming in interface outsidetimeout xlate 0:05:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localhttp server enableno snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enabletelnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh 0.0.0.0 0.0.0.0 insidessh timeout 5console timeout 0vpdn group pppoex request dialout pppoevpdn group pppoex localname xxxxxxxxxvpdn group pppoex ppp authentication chapvpdn username xxxxxxxx password xxxxxxxxdhcpd address 192.168.1.10-192.168.1.41 insidedhcpd dns 192.168.1.1 168.210.2.2dhcpd lease 3600dhcpd ping_timeout 750dhcpd auto_config outsidedhcpd enable insideusername neveroff password TEnlGTQMwqamBzMn encrypted privilege 2terminal width 80Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf: endThank youEtienne

Guest

Re:PPTP VPN and PPPOE CLIENT ON PIX 501

Post by Guest » Sun Jul 18, 2010 12:40 pm

PIX firewall can not act as a PPTP client, only PC/laptop can act as a PPTP client.I don quite understand what you mean by VPN will have static IP? Are you trying to connect to your ISP via PPTP? or you would like to connect to your PIX remotely via PPTP? PIX firewall can be configured as PPTP server, but not as PPTP client.

Guest

Re:PPTP VPN and PPPOE CLIENT ON PIX 501

Post by Guest » Sun Jul 18, 2010 1:11 pm

Hi, Cool, this answerd my question. Now I know that a PIX can only be a PPTP server. See for me to use the static IP, that I will get from the PPTP connection to the ISP I have to create it on my Server. I will allow port 1723 to passthrought the PIX then to the server. Thank you for the info. Etienne

Guest

Re:PPTP VPN and PPPOE CLIENT ON PIX 501

Post by Guest » Sun Jul 18, 2010 1:22 pm

OK, that makes sense. But I don know how the ISP will assign static ip address for your PPTP server, how would the routing work? How would they route the static IP address, and how would you connect that to the ISP? In any case, if you are going to passthrough PPTP traffic via the PIX, you would need to configure the following:1) Static port address redirection for TCP/17232) "fixup protocol pptp 1723" to allow the PIX to automatically create GRE tunnel after the PPTP control connection.3) ACL on the outside interface to allow TCP/1723 through. Please check out the command reference for "fixup protocol pptp 1723":http://www.cisco.com/en/US/docs/securit ... #wp1067379 Hope that helps.

Guest

Re:PPTP VPN and PPPOE CLIENT ON PIX 501

Post by Guest » Sun Jul 18, 2010 2:22 pm

Thank you. I am going to cancel with the ISP and move to someone els. They have sold the wrong solution, will not catch me out again. Thank you for the help. Etienne

Post Reply