[TriLUG] Cisco PIX 515

Ryan Leathers Ryan.Leathers at globalknowledge.com
Wed Mar 2 08:56:31 EST 2005


Steve,

Good news and bad news... and some other options.

The good news is, you can get pass-thru to work on your PIX.  The bad news
is you'll need a more recent PIX OS.  "PIX versions 6.3 and later support
PPTP pass through or PPTP over PAT using the PPTP fixup feature."  Details
for the use of this fixup can be found here:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708

In case moving to 6.3 is not an option for you, here are some other ideas.
There are two methods for handling the PPP authentication part of
non-pass-thru PPTP. You can use either AAA or the PIX's local user database.


For MPPE compatibility, Cisco says to stick with Funk RADIUS, Cisco Secure
ACS for Windows, or Microsoft Windows 2000 Internet Authentication Server.
I've never been successful using Free Radius but I've heard others have. 

Going the AAA path, you'll need a AAA server and some vpdn group commands to
specify the client authentication aaa parameters. If you use the local
database approach, specify the client authentication local parameter
instead, and then list the PPP username and passwords with the username
parameter.  The trade off is scalability vs not having to screw around with
a AAA server.  The AAA method is a little less obvious so I'll offer a
config example.

SOMEPIX(config)#  sysopt connection permit-pptp
//This permits PPTP client connections
SOMEPIX(config)#  aaa-server SECURITY protocol tacacs+
SOMEPIX(config)#  aaa-server SECURITY (inside) host 172.16.131.236 secretkey
//These two point authentication at the AAA server behind your inside
interface.
SOMEPIX(config)#
SOMEPIX(config)#  access-list NONAT permit ip 172.16.0.0 255.255.0.0 172.16.254.0 255.255.255.0
SOMEPIX(config)#  nat (inside) 0 access-list NONAT
//The ACL and NAT statements prevent NAT between the PPP client and the
internal networks
SOMEPIX(config)#
SOMEPIX(config)#  ip local pool ADDRESS 172.16.132.1-172.16.132.254
//This assigns an address pool for the PPP clients
SOMEPIX(config)# 
SOMEPIX(config)#  vpdn group USERS accept dial-in pptp
//This just tells the PIX to handle PPTP connections.
SOMEPIX(config)#  vpdn group USERS ppp authentication mschap
//Don't forget to force it to do MSCHAP
SOMEPIX(config)#  vpdn group USERS ppp encryption mppe auto required
//Setting MPPE AUTO REQUIRED negotiates either a 40-bit or 128-bit session
key and requires encryption.  Pay attention to this - if the client doesn't
support encryption then the connection won't be completed.
SOMEPIX(config)#  vpdn group USERS client configuration address local ADDRESS
SOMEPIX(config)#  vpdn group USERS client configuration dns 172.16.131.98
SOMEPIX(config)#  vpdn group USERS client configuration wins 172.16.131.98
SOMEPIX(config)#  vpdn group USERS client authentication aaa SECURITY 
SOMEPIX(config)#  vpdn enable outside
//And that's it - not so bad huh.  You can do a SH VPDN TUNNEL to see if
everything is working as expected.

I hope you find something of value in this response.  Good luck.

Ryan
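As an added example that is not part of the post, the following Python audit reads a PIX 6.x vpdn configuration of the kind shown above and checks the points Ryan calls out: pass-through permitted, MS-CHAP forced, MPPE set to "required" rather than merely negotiated, and the client address pool actually covered by the NAT-exempt (nat 0) ACL. The two sample configs are constructed for the demo; the checker assumes the ACL is written in the full `access-list NAME permit ip SRC MASK DST MASK` form.

```python
import ipaddress
import re
def check_pptp_config(config):
    """Audit a PIX 6.x PPTP (vpdn) config; returns a list of findings, empty when all pass."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing 'sysopt connection permit-pptp'")
    pools = {}  # pool name -> (first address, last address)
    for l in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", l)
        if m:
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    # Destination networks of the ACLs referenced by 'nat (...) 0 access-list NAME'
    nonat = {m[1] for l in lines for m in [re.match(r"nat \(\S+\) 0 access-list (\S+)$", l)] if m}
    exempt = []
    for l in lines:
        m = re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", l)
        if m and m[1] in nonat:
            exempt.append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    groups = {m[1] for l in lines for m in [re.match(r"vpdn group (\S+) accept dial-in pptp$", l)] if m}
    for g in sorted(groups):
        pre = f"vpdn group {g} "
        if not any(l.startswith(pre + "ppp encryption mppe") and l.endswith(" required") for l in lines):
            findings.append(f"{g}: MPPE not 'required', an unencrypted PPP session would be accepted")
        if not any(re.match(re.escape(pre) + r"ppp authentication mschap(-v2)?$", l) for l in lines):
            findings.append(f"{g}: PPP authentication is not MS-CHAP")
        for l in lines:
            m = re.match(re.escape(pre) + r"client configuration address local (\S+)$", l)
            if m and m[1] not in pools:
                findings.append(f"{g}: pool {m[1]} is not defined")
            elif m and not any(pools[m[1]][0] in n and pools[m[1]][1] in n for n in exempt):
                findings.append(f"{g}: pool {m[1]} is not covered by a NAT-exempt ACL destination")
    return findings
# Constructed samples, not the post's own config: GOOD is consistent; WEAK negotiates
# MPPE without requiring it and hands out a pool that the NAT-exempt ACL does not cover.
GOOD = """
sysopt connection permit-pptp
access-list NONAT permit ip 172.16.0.0 255.255.0.0 172.16.132.0 255.255.255.0
nat (inside) 0 access-list NONAT
ip local pool ADDRESS 172.16.132.1-172.16.132.254
vpdn group USERS accept dial-in pptp
vpdn group USERS ppp authentication mschap
vpdn group USERS ppp encryption mppe auto required
vpdn group USERS client configuration address local ADDRESS
vpdn group USERS client authentication aaa SECURITY
vpdn enable outside
"""
WEAK = GOOD.replace("mppe auto required", "mppe auto").replace("172.16.132.0 255", "172.16.254.0 255")
```

Running `check_pptp_config(GOOD)` returns an empty list, while `check_pptp_config(WEAK)` reports both the non-required MPPE and the uncovered pool.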
   

-----Original Message-----
From: Steve Hoffman [mailto:srhoffman at gmail.com]
Sent: Tuesday, March 01, 2005 5:00 PM
To: Triangle Linux Users Group discussion list
Subject: [TriLUG] Cisco PIX 515


I have a cisco PIX 515 firewall running OS 6.0.  I'm trying to get it
to allow PPTP pass through, but am coming up empty.  I'm connecting to
a Windows VPN which I can't change, although I was first trying to
connect with pptpclient for linux so this is On Topic!  That kept
failing so I tried to connect from a win box and got the same results.
I'm almost positive the PIX is to blame as there is no error on the
VPN server (in fact, no indication a connection was even made) but I
am able to connect fine from inside the network using the same
pptpclient config on a different machine, but that's pretty much
useless to me as I want to connect from home.

Does anyone know how to configure that?  From all I've read on the
net, I need a newer version of the OS, but haven't been able to find
it anywhere.  I'm hoping someone just knows how to enable the
passthrough as trying to purchase OS upgrades from Cisco has always
been a nightmare.  I've opened up port 1723 on the pix and can telnet
to it fine, not that I know what to type once I get to the prompt.

Any suggestions welcome and greatly appreciated!


Thanks,
Steve
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
