How to set NT VPN behind Pix firewall???


Post by KOEI » Sun, 10 Jun 2001 11:25:41



Hi there

I have trouble in setting up VPN server(NT 4) behind Pix 506 firewall. I
believe I have to open the port 47 and 1723 in order to allow pptp
packet to pass through. But it still fails and I'm totally lost. Hope
someone can give direction in solving this problem.

I used the following access-list to open port 1723 and 47

access-list 100 permit tcp any host 100.100.100.100 eq 1723
access-list 100 permit tcp any host 100.100.100.100 eq 47
access-list 100 permit udp any host 100.100.100.100 eq 1723
access-list 100 permit udp any host 100.100.100.100 eq 47

Thank you in advance

 
 
 


Post by Road Runner New » Sun, 10 Jun 2001 13:06:43


Make sure that logging is on and check your logs for blocked protocols.


> Hi there

> I have trouble in setting up VPN server(NT 4) behind Pix 506 firewall. I
> believe I have to open the port 47 and 1723 in order to allow pptp
> packet to pass through. But it still fails and I'm totally lost. Hope
> someone can give direction in solving this problem.

> I used the following access-list to open port 1723 and 47

> access-list 100 permit tcp any host 100.100.100.100 eq 1723
> access-list 100 permit tcp any host 100.100.100.100 eq 47
> access-list 100 permit udp any host 100.100.100.100 eq 1723
> access-list 100 permit udp any host 100.100.100.100 eq 47

> Thank you in advance


 
 
 


Post by Ole Madse » Sun, 10 Jun 2001 21:24:06



>Hi there

>I have trouble in setting up VPN server(NT 4) behind Pix 506 firewall. I
>believe I have to open the port 47 and 1723 in order to allow pptp

ip protocol 47 (gre) required for PPTP is not the same as tcp port 47.

>packet to pass through. But it still fails and I'm totally lost. Hope
>someone can give direction in solving this problem.

>I used the following access-list to open port 1723 and 47

>access-list 100 permit tcp any host 100.100.100.100 eq 1723
>access-list 100 permit tcp any host 100.100.100.100 eq 47

should be:

access-list 100 permit gre any host 100.100.100.100

>access-list 100 permit udp any host 100.100.100.100 eq 1723

this should be tcp port 1723
 
 
 


Post by Trickste » Mon, 11 Jun 2001 05:06:02


KOEI

You need to allow protocol 47 not port 47 - GRE is another IP protocol
and not a port of UDP/TCP.

See example :

access-list 100 permit 47 any host 100.100.100.100

Regards

Rich


>Hi there

>I have trouble in setting up VPN server(NT 4) behind Pix 506 firewall. I
>believe I have to open the port 47 and 1723 in order to allow pptp
>packet to pass through. But it still fails and I'm totally lost. Hope
>someone can give direction in solving this problem.

>I used the following access-list to open port 1723 and 47

>access-list 100 permit tcp any host 100.100.100.100 eq 1723
>access-list 100 permit tcp any host 100.100.100.100 eq 47
>access-list 100 permit udp any host 100.100.100.100 eq 1723
>access-list 100 permit udp any host 100.100.100.100 eq 47

>Thank you in advance
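
Added example, not part of the original thread: a small Python check that applies the corrections from the replies above (GRE is IP protocol 47, not a TCP/UDP port; the PPTP control channel is TCP 1723) to a list of ACL lines. It assumes only the `access-list ... permit <proto> <src> host <dst> [eq <port>]` form quoted in the thread; the name `check_pptp_acl` and the sample lists are constructed for this example.

```python
import re

# Parses only the ACL form quoted in this thread (an assumption of this example):
#   access-list <id> permit|deny <proto> <src> host <dst> [eq <port>]
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?:any|host\s+\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
GRE = {"gre", "47"}  # IP protocol 47, written by name or by number

def check_pptp_acl(lines, server):
    """Return (findings, ok). Line number 0 in a finding means the whole ACL."""
    findings, has_ctrl, has_gre = [], False, False
    for n, raw in enumerate(lines, 1):
        m = ACL_RE.match(raw.strip())
        if not m or m["action"] != "permit" or m["dst"] != server:
            continue
        proto, port = m["proto"].lower(), m["port"]
        if proto in GRE and port is None:
            has_gre = True          # GRE data channel is permitted
        elif proto == "tcp" and port == "1723":
            has_ctrl = True         # PPTP control channel is permitted
        elif proto in ("tcp", "udp") and port == "47":
            findings.append((n, f"{proto} port 47 is not IP protocol 47 (GRE)"))
        elif proto == "udp" and port == "1723":
            findings.append((n, "PPTP control channel is tcp 1723, not udp"))
    if not has_ctrl:
        findings.append((0, "no permit for tcp port 1723"))
    if not has_gre:
        findings.append((0, "no permit for gre (IP protocol 47)"))
    return findings, has_ctrl and has_gre

# Constructed sample input: the ACL from the question and the corrected one.
SERVER = "100.100.100.100"
ORIGINAL = [
    f"access-list 100 permit tcp any host {SERVER} eq 1723",
    f"access-list 100 permit tcp any host {SERVER} eq 47",
    f"access-list 100 permit udp any host {SERVER} eq 1723",
    f"access-list 100 permit udp any host {SERVER} eq 47",
]
CORRECTED = [
    f"access-list 100 permit tcp any host {SERVER} eq 1723",
    f"access-list 100 permit gre any host {SERVER}",
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check_pptp_acl(acl, SERVER))
```

The flagged lines permit traffic that PPTP never uses, so they can be removed rather than left alongside the corrected entries.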