Thanks for the excellent explanation. And thanks to Ken and everyone else who responded.
- Jay

Thus spake Ben Nagy ([EMAIL PROTECTED]):
> Because GRE (IP Protocol 47) is a protocol, and not a TCP/UDP port, the
> PIX doesn't know how to deal with it using only port address
> translation. This is fair, since GRE contains no port information, so it
> would be difficult for the PIX to work out where to send the return
> traffic without a port to use for de-multiplexing.
>
> To make this work, you will need to have a static IP translation for
> that address.
>
> Here's what's happening: First there is some control information
> exchanged over TCP port 1723. That includes the username and password
> checking, from memory - the reason it hangs there is that as soon as
> that is finished the VPN dialer expects GRE traffic to start flowing to
> confirm the connection. All this is working fine, since PAT works for
> TCP. As soon as the first GRE packet leaves outbound, your ACL permits
> it, and passes it to NAT. NAT then completely fails to figure out how it
> can create a "regular" (IP) NAT translation with no IP addresses
> allocated to a non-PAT pool.
>
> In theory, the PIX could just add an IP translation for all GRE traffic,
> and then just fail for the _next_ IP address to try and use GRE. This is
> the way a Cisco router would handle it. I presume that they chose not to
> do it that way on purpose.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Jay
> > Christopherson
> > Sent: Saturday, March 23, 2002 10:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: Windows to Windows VPN through PIX
> >
> > Hey all-
> > New to VPN's, but competent with PIX. I have a PIX running
> > 6.1.1, brand new. I need to allow an internal Windows host
> > to establish a VPN connection with an external Windows host.
> > All traffic goes through the PIX.
> >
> > I only have a single address, and it is on the outside
> > interface, so all internal hosts are port address translated.
> > I am not sure if this is the cause of the problem. I know
> > that 6.1.1 allows for port forwarding via static
> > translations, and this may be part of the eventual solution
> > (see error below).
> >
> > I have added this to the inside access-list:
> > access-list acl_inside permit gre host 192.168.1.3 host
> > xxx.xxx.xxx.xxx
> >
> > which took care of part of the problem. However, when I try
> > to establish the connection, the connection times out at the
> > verifying username/password stage and the pix log shows this:
> >
> > 305006: regular translation creation failed for protocol 47
> > src inside:192.168.1.3 dst outside:xxx.xxx.xxx.xxx
> >
> > I cannot seem to find a reference to this particular error on
> > google...
> >
> > Anyone?
> >
> > Thanks-
> > JC

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
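The mechanism Ben describes, as an added example that is not part of the thread or of any PIX code: a toy translator that does PAT on the single outside address and, optionally, a static one-to-one translation. The TCP/1723 control channel translates either way, but the first GRE packet only translates when a static global IP (198.51.100.2, a constructed address, like the others here) is mapped to 192.168.1.3; without it the translator fails the same way syslog 305006 reports.

```python
# Added example (not code from the thread): a minimal model of why PIX-style
# PAT cannot translate GRE (IP protocol 47) but a static IP translation can.
# All addresses are constructed; 203.0.113.7 stands in for xxx.xxx.xxx.xxx.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_TCP, PROTO_GRE = 6, 47
OUTSIDE_IP = "198.51.100.1"  # the single address on the outside interface

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # GRE carries no port fields
    dport: Optional[int] = None

class Translator:
    def __init__(self, statics: Optional[Dict[str, str]] = None) -> None:
        self.statics = dict(statics or {})  # inside IP -> dedicated global IP
        self.pat: Dict[Tuple[int, str, int], int] = {}  # (proto, src, sport) -> port
        self.next_port = 1024

    def outbound(self, p: Packet) -> Packet:
        if p.src in self.statics:
            # Static: the global IP alone identifies the inside host, so return
            # traffic is demultiplexed by destination address, no port needed.
            return Packet(p.proto, self.statics[p.src], p.dst, p.sport, p.dport)
        if p.sport is None:
            # Many hosts share OUTSIDE_IP; with no port there is nothing to key
            # the return traffic on. Mirrors PIX syslog 305006 from the thread.
            raise LookupError("regular translation creation failed for protocol "
                              f"{p.proto} src inside:{p.src} dst outside:{p.dst}")
        key = (p.proto, p.src, p.sport)
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.next_port += 1
        return Packet(p.proto, OUTSIDE_IP, p.dst, self.pat[key], p.dport)

def pptp_attempt(use_static: bool) -> Tuple[str, str, str]:
    """Replay the thread's sequence: TCP/1723 control channel, then first GRE packet."""
    inside, peer = "192.168.1.3", "203.0.113.7"
    t = Translator({inside: "198.51.100.2"} if use_static else None)
    ctrl = t.outbound(Packet(PROTO_TCP, inside, peer, sport=40000, dport=1723))
    try:
        gre = t.outbound(Packet(PROTO_GRE, inside, peer))
        return ("ok", ctrl.src, gre.src)
    except LookupError as err:
        return ("failed", ctrl.src, str(err))
```

`pptp_attempt(False)` returns the failure with the 305006-style message after the control channel has already translated fine, which is exactly the "hangs at username/password verification" symptom; `pptp_attempt(True)` returns both packets translated to the static address.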
