
VPN though Cisco PIX

VPN though Cisco PIX - 17.Sep.2004 11:45:00 AM   
Guest
Hi,

I have a back to back (PIX - ISA 2004) firewall architecture.
I want to pass the PPTP VPN traffic through to ISA 2004 and use the advanced VPN solution ISA has to offer.

I tried to set 1723 and GRE access lists on the PIX, but no go.
I'm using the private C class range between the PIX internal interface and ISA external interface.

Does anyone have some experience with this?

Thanx

John
  Post #: 1
RE: VPN though Cisco PIX - 17.Sep.2004 12:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

PIX is a relatively unsophisticated packet filter. Does it even have a PPTP NAT editor?

Thanks!
Tom

(in reply to Guest)
Post #: 2
RE: VPN though Cisco PIX - 17.Sep.2004 2:05:00 PM   
Guest
Hi,

Not that I know of!
In this article: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000989, Rick stated that he had solved the problem.
I tried that approach but I've failed.
I have the other info stating that you can do it, but you have to have public addresses on both sides of Cisco PIX.

It would be great if Rick would see this post, and tell his experience, or if someone can help.

This is really important to me.
Thanx

John

(in reply to Guest)
  Post #: 3
RE: VPN though Cisco PIX - 17.Sep.2004 2:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

If you need public addresses, that indicates that the pix doesn't have a NAT editor, which is what I heard from a buddy of mine who used to use PIX until he discovered the new ISA firewall.

If you use an ISA firewall instead of the PIX, it's quite simple to publish a PPTP VPN server. In fact, I have an article that I'll be publishing this weekend on the exact procedures on how to do it.

HTH,
Tom

(in reply to Guest)
Post #: 4
RE: VPN though Cisco PIX - 17.Sep.2004 3:25:00 PM   
Guest
Hi,

I need this particular issue solved. Please, don't ask why ;-)

I've configured back2back ISA 2000 and ISA 2004 VPN Passthrough many times, but this PIX-ISA thing is making me nervous right now.

If some Cisco PIX master can post some useful thoughts, it would be great.

Thanx

John

(in reply to Guest)
  Post #: 5
RE: VPN though Cisco PIX - 19.Sep.2004 9:52:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

I'll ask my PIX buddy and see if he has a definitive answer for us.

Thanks!
Tom

(in reply to Guest)
Post #: 6
RE: VPN though Cisco PIX - 20.Nov.2004 5:42:00 AM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
I am also wanting to allow inbound access to an ISA 2k4 VPN server behind a PIX. If someone gets this working or already has, please post the steps.

Thanks

Eric Kufrin

(in reply to Guest)
Post #: 7
RE: VPN though Cisco PIX - 29.Nov.2004 9:58:00 PM   
ski737

 

Posts: 5
Joined: 29.Nov.2004
From: TN
Status: offline
I am also struggling with this configuration. If anyone has any success please post.

Thanks

Ski

(in reply to Guest)
Post #: 8
RE: VPN though Cisco PIX - 20.Dec.2004 3:00:00 AM   
fnpf

 

Posts: 1
Joined: 20.Dec.2004
Status: offline
I'm also trying to set this up, i.e. PIX 506e to an ISA 2000 Firewall, and am interested in this solution.
I have managed to set up authentication using Radius of the ISA using this article; however, after logging in with the VPN client I am unable to access the internal LAN:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
Also, we need to open UDP port 1645 for authentication.

I'd post if I make further progress

(in reply to Guest)
Post #: 9
RE: VPN though Cisco PIX - 21.Dec.2004 12:45:00 PM   
JasonM

 

Posts: 36
Joined: 11.Mar.2003
From: JHB
Status: offline
Hi guys

I have this working. You need to open GRE & TCP/1723 from the Internet to the internal PPTP server, AND allow GRE traffic from the Internal server out to the internet (on the PIX).

You will also need to do a static (1-1) NAT on the PIX, and not just a PAT for port 1723 as you can do on many versions of IOS.

As a side note, PIX 6.3+ has a PPTP NAT editor, and will allow outgoing PPTP connections by using the "fixup protocol pptp" command. This is not required for the above config though.

HTH

Jason

(in reply to Guest)
Post #: 10
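
An offline check for the configuration described in post #10 (1-1 static NAT, TCP/1723 and GRE permitted inbound, GRE permitted outbound), added here as an example and not part of any poster's message. The sample PIX 6.x fragments, the addresses, and the function names are constructed for illustration. It recognizes only explicit permits with `host` destinations and does not evaluate rule order.

```python
import re

# Constructed PIX 6.x fragments (documentation/private addresses, not from the thread).
GOOD = """\
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
access-group outside_in in interface outside
"""
PAT_ONLY = """\
static (inside,outside) tcp 203.0.113.10 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-group outside_in in interface outside
"""

STATIC = re.compile(r"static \(\w+,\w+\) (?:(tcp|udp) )?(\S+) (?:\d+ )?(\S+)")
SRC = r"(?:any|host \S+|\S+ \S+)"  # the three source forms handled here


def bound_acls(lines, iface):
    """Names of ACLs applied inbound on iface via access-group."""
    pat = re.compile(rf"access-group (\S+) in interface {iface}$")
    return {m.group(1) for l in lines if (m := pat.match(l))}


def has_permit(lines, acls, rule):
    """True if any of the named ACLs contains a permit line matching rule."""
    return any(re.match(rf"access-list {re.escape(a)} permit {rule}", l)
               for a in acls for l in lines)


def audit_pptp_publish(config, server_ip):
    """Findings for publishing the PPTP server whose real (inside) address is server_ip."""
    lines = [l.strip() for l in config.splitlines()]
    statics = [m for l in lines if (m := STATIC.match(l)) and m.group(3) == server_ip]
    one_to_one = [m.group(2) for m in statics if m.group(1) is None]
    if not one_to_one:
        return ["no 1-1 static NAT for the server (a TCP/1723 port redirect cannot carry GRE)"]
    pub, srv = re.escape(one_to_one[0]), re.escape(server_ip)
    out, ins, findings = bound_acls(lines, "outside"), bound_acls(lines, "inside"), []
    if not has_permit(lines, out, rf"tcp {SRC} host {pub} eq (?:1723|pptp)$"):
        findings.append("TCP/1723 to the mapped address is not permitted inbound")
    if not has_permit(lines, out, rf"(?:gre|47) {SRC} host {pub}$"):
        findings.append("GRE to the mapped address is not permitted inbound")
    # With no ACL bound to the inside interface, the PIX permits outbound traffic by default.
    if ins and not has_permit(lines, ins, rf"(?:gre|47) host {srv} any$"):
        findings.append("GRE from the server is not permitted outbound")
    return findings
```
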
