有關firewall內的user要連到客戶的vpn

**a4098** · 2004-04-22, 09:13 AM

各位先進
有一個問題要請較各位，公司的防火牆是使用cisco pix
現在有家客戶需我們內部user使用win2k的pptp連到客戶的server
我在防火牆上要做什麼設定，因為現在如果在防火牆內
是沒有辨法連上客戶的vpn，但在外面可以，所以問題在防火牆上
那我要如何處理，謝謝各位!!!

**ellery** · 2004-04-22, 02:53 PM

看一下該 vpn
走哪個 port
把防火牆相對應的 port 打開.

**bv2eq** · 2004-06-08, 11:10 PM

最初由 a4098 發表
各位先進
有一個問題要請較各位，公司的防火牆是使用cisco pix
現在有家客戶需我們內部user使用win2k的pptp連到客戶的server
我在防火牆上要做什麼設定，因為現在如果在防火牆內
是沒有辨法連上客戶的vpn，但在外面可以，所以問題在防火牆上
那我要如何處理，謝謝各位!!!

Sorry I can only type in English.

What version is your PIX OS?

You need to at least have PIX OS 6.2(x) in order to use PAT to support PPTP pass through. But 6.3(3) seems has better support for PPTP pass through.

If your PIX OS is 6.1(x), you need to give an extra WAN IP to PPTP session.

I use PIX OS 6.1(5) cause it's most stable, but I'm testing 6.3(3) and play PDM 3.01 now.(I'm command-line person, PDM and WEB/GUI configure is kind new to me.)

Best regards

Calvin

**linhoo** · 2004-06-09, 10:06 PM

最初由 bv2eq 發表
Sorry I can only type in English.

What version is your PIX OS?

You need to at least have PIX OS 6.2(x) in order to use PAT to support PPTP pass through. But 6.3(3) seems has better support for PPTP pass through.

If your PIX OS is 6.1(x), you need to give an extra WAN IP to PPTP session.

I use PIX OS 6.1(5) cause it's most stable, but I'm testing 6.3(3) and play PDM 3.01 now.(I'm command-line person, PDM and WEB/GUI configure is kind new to me.)

Best regards

Calvin

Dear Calvin:

我們公司也是用PIX 501,他的OS版本為 PIX Version 6.1(2),

底下為PIX的設定

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mYQxRX2uf9rL.CHQ encrypted
passwd mYQxRX2uf9rL.CHQ encrypted
hostname picfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.64.58 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 202.145.64.59
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.64.57 192.168.1.254 netmask 255.255.255.255 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.64.57 eq smtp any
conduit permit tcp host xxx.xxx.64.57 eq ftp any
conduit permit tcp host xxx.xxx.64.57 eq pop3 any
conduit permit tcp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit udp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit tcp host xxx.xxx.64.57 eq 3389 yyy.yyy.68.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.64.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

後來請教當初購買的廠商,他教我們下了底下的COMMAND

access-list acl_out permit gre host yyy.yyy.68.25 host xxx.xxx.64.60

我們試一下連接到VPN SERVER(yyy.yyy.68.25),每次都到連線驗證(檢查名稱密碼)部分(xxx.xxx.64.60 這一台機器)就沒辦法過

請教一下是哪裡還需要設定的嗎?
另外廠商說這個版本有點舊所以他們也不太會設定,是這樣的嗎?

THANKS~

**raytracy** · 2004-06-09, 11:03 PM

最初由 linhoo 發表
access-list acl_out permit gre host yyy.yyy.68.25 host xxx.xxx.64.60

我們試一下連接到VPN SERVER(yyy.yyy.68.25),每次都到連線驗證(檢查名稱密碼)部分(xxx.xxx.64.60 這一台機器)就沒辦法過

小弟記得, 應該不只 GRE 要讓它過, 還有 pptp 會用到的 tcp port 1723 也要通過才行...

**linhoo** · 2004-06-09, 11:19 PM

最初由 raytracy 發表
小弟記得, 應該不只 GRE 要讓它過, 還有 pptp 會用到的 tcp port 1723 也要通過才行...

SORRY!

再請教一下,COMMAND我要如何下呢?

THANKS~

**raytracy** · 2004-06-18, 03:30 PM

最初由 linhoo 發表
再請教一下,COMMAND我要如何下呢?

抱歉!! 小弟對 PIX 指令不熟悉, 您可以將小弟的建議告知廠商, 請廠商協助.

**bv2eq** · 2004-07-14, 05:17 AM

最初由 linhoo 發表
Dear Calvin:

我們公司也是用PIX 501,他的OS版本為 PIX Version 6.1(2),

底下為PIX的設定

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mYQxRX2uf9rL.CHQ encrypted
passwd mYQxRX2uf9rL.CHQ encrypted
hostname picfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.64.58 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 202.145.64.59
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.64.57 192.168.1.254 netmask 255.255.255.255 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.64.57 eq smtp any
conduit permit tcp host xxx.xxx.64.57 eq ftp any
conduit permit tcp host xxx.xxx.64.57 eq pop3 any
conduit permit tcp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit udp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit tcp host xxx.xxx.64.57 eq 3389 yyy.yyy.68.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.64.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

後來請教當初購買的廠商,他教我們下了底下的COMMAND

access-list acl_out permit gre host yyy.yyy.68.25 host xxx.xxx.64.60

我們試一下連接到VPN SERVER(yyy.yyy.68.25),每次都到連線驗證(檢查名稱密碼)部分(xxx.xxx.64.60 這一台機器)就沒辦法過

請教一下是哪裡還需要設定的嗎?
另外廠商說這個版本有點舊所以他們也不太會設定,是這樣的嗎?

THANKS~

Hi:

I'm sorry for late reply. But one thing wanna let you know before I explain anything to you.

It's really not a good idea to just post your config file include you telnet and enable password. There's a way to crack your password. Tools are available on internet for free download. Try to use "*" replace following lines:

enable password mYQxRX2uf9rL.CHQ encrypted
passwd mYQxRX2uf9rL.CHQ encrypted

enable password **************** encrypted
passwd **************** encrypted

OK, back to our topic.

Let me make it more clear.

THERE IS NO WAY YOU CAN USE PPTP VPN IN PIX OS VERSION 6.1.* PAT MODE. It's offically NOT supported in 6.1(*). You will see exactly PPTP dialer stuck in "verify use/password" then fail the connection.

The reason is not GRE protocol but PIX OS 6.1(*) don't how to handle VPN packets when they come back from your VPN server. Part of imformation is missing during PIX doing PAT process.

Solution? Upgrade to PIX OS 6.3(*) or 6.2(*) (I suggest you get 6.3(3)

I'm sorry this is a bad new to you but it's the truth.

Upgrade PIX OS Version require you "buy" a new license from CISCO. CISCO don't have "free" firmware upgrade policy.

Calvin