Because GRE (IP Protocol 47) is a protocol, and not a TCP/UDP port, the PIX doesn't know how to deal with it using only port address translation. This is fair, since GRE contains no port information, so it would be difficult for the PIX to work out where to send the return traffic without a port to use for de-multiplexing.
To make this work, you will need to have a static IP translation for that address.

Here's what's happening: First there is some control information exchanged over TCP port 1723. That includes the username and password checking, from memory - the reason it hangs there is that as soon as that is finished the VPN dialer expects GRE traffic to start flowing to confirm the connection. All this is working fine, since PAT works for TCP. As soon as the first GRE packet leaves outbound, your ACL permits it, and passes it to NAT. NAT then completely fails to figure out how it can create a "regular" (IP) NAT translation with no IP addresses allocated to a non-PAT pool.

In theory, the PIX could just add an IP translation for all GRE traffic, and then just fail for the _next_ IP address to try and use GRE. This is the way a Cisco router would handle it. I presume that they chose not to do it that way on purpose.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Christopherson
> Sent: Saturday, March 23, 2002 10:41 AM
> To: [EMAIL PROTECTED]
> Subject: Windows to Windows VPN through PIX
>
>
> Hey all-
> New to VPNs, but competent with PIX. I have a PIX running 6.1.1, brand new.
> I need to allow an internal Windows host to establish a VPN connection with
> an external Windows host. All traffic goes through the PIX.
>
> I only have a single address, and it is on the outside interface, so all
> internal hosts are port address translated. I am not sure if this is the
> cause of the problem. I know that 6.1.1 allows for port forwarding via
> static translations, and this may be part of the eventual solution (see
> error below).
>
> I have added this to the inside access-list:
>
> access-list acl_inside permit gre host 192.168.1.3 host xxx.xxx.xxx.xxx
>
> which took care of part of the problem. However, when I try to establish
> the connection, the connection times out at the verifying username/password
> stage and the pix log shows this:
>
> 305006: regular translation creation failed for protocol 47
> src inside:192.168.1.3 dst outside:xxx.xxx.xxx.xxx
>
> I cannot seem to find a reference to this particular error on google...
>
> Anyone?
>
> Thanks-
> JC

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
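The demultiplexing argument in Ben's reply can be made concrete with a small model of a translation (xlate) table. The following is an added illustration, not code from the thread or from Cisco: it keys PAT entries on (protocol, port), so the TCP 1723 control exchange translates and its replies find their way back, while the first GRE packet (IP protocol 47) has no port to allocate and the PAT-only table fails in the same way the 305006 log line describes. A static one-to-one entry succeeds for both channels, and the optional `router_style` flag models the "first GRE host claims the outside address, the next one fails" behaviour Ben attributes to a Cisco router. All addresses (RFC 5737 documentation ranges), ports and the `Translator`/`pptp_session` names are constructed for the example; the model gives the static translation its own global address as a simplifying assumption.

```python
"""
Toy model of a firewall translation (xlate) table: PAT rewrites and
demultiplexes on ports, so the PPTP control channel (TCP 1723) translates,
while the GRE data channel (IP protocol 47) has no port and needs a static
one-to-one translation. Constructed illustration, not PIX code; addresses
and ports are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, GRE = 6, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as GRE
    dport: Optional[int] = None


class XlateError(Exception):
    """Where the PIX would log 305006 'regular translation creation failed'."""


class Translator:
    def __init__(self, outside_ip: str, statics: Optional[Dict[str, str]] = None,
                 router_style: bool = False):
        self.outside_ip = outside_ip
        self.statics = dict(statics or {})  # inside ip -> dedicated global ip (assumption)
        self.pat: Dict[Tuple[int, int], Tuple[str, int]] = {}   # (proto, global port) -> (inside ip, port)
        self.pat_by_flow: Dict[Tuple[int, str, int], int] = {}  # (proto, inside ip, port) -> global port
        self.next_port = 1024
        # router_style: the first inside host sending GRE claims the outside
        # address for protocol 47; any other host then fails.
        self.router_style = router_style
        self.gre_owner: Optional[str] = None
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src in self.statics:
            # Static one-to-one translation: any protocol, no ports needed.
            return Packet(pkt.proto, self.statics[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.sport is not None:
            # PAT: allocate (or reuse) a global port for this inside ip:port.
            key = (pkt.proto, pkt.src, pkt.sport)
            gport = self.pat_by_flow.get(key)
            if gport is None:
                gport, self.next_port = self.next_port, self.next_port + 1
                self.pat_by_flow[key] = gport
                self.pat[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.outside_ip, pkt.dst, gport, pkt.dport)
        if self.router_style and pkt.proto == GRE and self.gre_owner in (None, pkt.src):
            self.gre_owner = pkt.src
            return Packet(GRE, self.outside_ip, pkt.dst)
        # No port to key on and no static entry: a PAT-only table has nothing to use.
        self.log.append(f"305006: regular translation creation failed for protocol "
                        f"{pkt.proto} src inside:{pkt.src} dst outside:{pkt.dst}")
        raise XlateError(self.log[-1])

    def inbound(self, pkt: Packet) -> Packet:
        for inside, glob in self.statics.items():
            if pkt.dst == glob:  # static: the global address alone identifies the host
                return Packet(pkt.proto, pkt.src, inside, pkt.sport, pkt.dport)
        if pkt.proto == GRE and self.gre_owner is not None:
            return Packet(GRE, pkt.src, self.gre_owner)
        entry = self.pat.get((pkt.proto, pkt.dport))  # the port is the only PAT key
        if entry is None:
            raise XlateError("no translation for return traffic")
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def pptp_session(t: Translator, inside_host: str, vpn_server: str) -> Dict[str, bool]:
    """PPTP order of events: TCP 1723 control exchange, then the first GRE packet."""
    ctl = t.outbound(Packet(TCP, inside_host, vpn_server, 40000, 1723))
    reply = t.inbound(Packet(TCP, vpn_server, ctl.src, 1723, ctl.sport))
    control_ok = reply.dst == inside_host and reply.dport == 40000
    try:
        gre = t.outbound(Packet(GRE, inside_host, vpn_server))
        gre_ok = t.inbound(Packet(GRE, vpn_server, gre.src)).dst == inside_host
    except XlateError:
        gre_ok = False
    return {"control": control_ok, "gre": gre_ok}


if __name__ == "__main__":
    pat_only = Translator("203.0.113.1")
    print(pptp_session(pat_only, "192.168.1.3", "198.51.100.7"), pat_only.log)
    with_static = Translator("203.0.113.1", statics={"192.168.1.3": "203.0.113.2"})
    print(pptp_session(with_static, "192.168.1.3", "198.51.100.7"))
```

Run as a script, the PAT-only translator reports the control channel up and GRE down, with a 305006-style line in its log, which is exactly the point at which the dialer in the original post hangs; the translator with a static entry for 192.168.1.3 carries both channels.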
