Can you explain what the TCP port 1723 is? Is that negotiation part of the standard or RFC? Thanks
At 05:13 PM 3/23/2002 +1030, Ben Nagy wrote:
>Because GRE (IP Protocol 47) is a protocol, and not a TCP/UDP port, the
>PIX doesn't know how to deal with it using only port address
>translation. This is fair, since GRE contains no port information, so it
>would be difficult for the PIX to work out where to send the return
>traffic without a port to use for de-multiplexing.
>
>To make this work, you will need to have a static IP translation for
>that address.
>
>Here's what's happening: First there is some control information
>exchanged over TCP port 1723. That includes the username and password
>checking, from memory - the reason it hangs there is that as soon as
>that is finished the VPN dialer expects GRE traffic to start flowing to
>confirm the connection. All this is working fine, since PAT works for
>TCP. As soon as the first GRE packet leaves outbound, your ACL permits
>it, and passes it to NAT. NAT then completely fails to figure out how it
>can create a "regular" (IP) NAT translation with no IP addresses
>allocated to a non-PAT pool.
>
>In theory, the PIX could just add an IP translation for all GRE traffic,
>and then just fail for the _next_ IP address to try and use GRE. This is
>the way a Cisco router would handle it. I presume that they chose not to
>do it that way on purpose.
>
>Cheers,
>
>--
>Ben Nagy
>Network Security Specialist
>Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Jay
> > Christopherson
> > Sent: Saturday, March 23, 2002 10:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: Windows to Windows VPN through PIX
> >
> >
> > Hey all-
> > New to VPN's, but competent with PIX. I have a PIX running
> > 6.1.1, brand new. I need to allow an internal windows host
> > to establish a VPN connection with an external Windows host.
> > All traffic goes through the PIX.
> >
> > I only have a single address, and it is on the outside
> > interface, so all internal hosts are port address translated.
> > I am not sure if this is the cause of the problem. I know
> > that 6.1.1 allows for port forwarding via static
> > translations, and this may be part of the eventual solution
> > (see error below).
> >
> > I have added this to the inside access-list:
> > access-list acl_inside permit gre host 192.168.1.3 host
> > xxx.xxx.xxx.xxx
> >
> > which took care of part of the problem. However, when I try
> > to establish the connection, the connection times out at the
> > verifying username/password stage and the pix log shows this:
> >
> > 305006: regular translation creation failed for protocol 47
> > src inside:192.168.1.3 dst outside:xxx.xxx.xxx.xxx
> >
> > I cannot seem to find a reference to this particular error on
> > google...
> >
> > Anyone?
> >
> > Thanks-
> > JC
> >
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
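The demultiplexing problem Ben describes, as an added example that is not part of the thread: a small parser over two constructed packets shows that the TCP control packet to port 1723 yields a port-based PAT key, while the PPTP data packet (GRE, IP protocol 47) yields none and carries only the RFC 2637 Call ID in its GRE Key field. The external address 203.0.113.10 and the Call ID 0x1234 are constructed placeholders; the inside host 192.168.1.3 is the one from the original post.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT, PPTP_GRE_PROTO = 1723, 0x880B   # control port and GRE protocol type (RFC 2637)
GRE_KEY_FLAG = 0x2000                              # K bit: Key field present (carries the PPTP Call ID)

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left as 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def tcp_header(sport, dport):
    """Minimal 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def pptp_gre_header(call_id, payload_len):
    """Enhanced GRE header used by PPTP: K bit set, version 1, Key = payload length | Call ID."""
    return struct.pack("!HHHH", GRE_KEY_FLAG | 0x0001, PPTP_GRE_PROTO, payload_len, call_id)

def parse(packet):
    """Extract the fields a NAT engine can see at L3/L4 from a raw IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    l4 = packet[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == IPPROTO_GRE:
        flags_ver, info["gre_proto"] = struct.unpack("!HH", l4[:4])
        if flags_ver & GRE_KEY_FLAG:
            _, info["call_id"] = struct.unpack("!HH", l4[4:8])
    return info

def pat_key(info):
    """The 5-tuple a port address translator keys its table on. Returns None for port-less
    protocols such as GRE: nothing to demultiplex on, the situation behind PIX message 305006."""
    if "sport" in info:
        return (info["proto"], info["src"], info["sport"], info["dst"], info["dport"])
    return None

def classify_pptp(info):
    """Label PPTP control (TCP 1723) and PPTP data (GRE carrying PPP) for logging or detection."""
    if info["proto"] == IPPROTO_TCP and PPTP_CONTROL_PORT in (info["sport"], info["dport"]):
        return "pptp-control"
    if info["proto"] == IPPROTO_GRE and info.get("gre_proto") == PPTP_GRE_PROTO:
        return "pptp-data"
    return "other"

# Constructed samples: inside host from the thread, external host is a placeholder address.
CONTROL = ipv4_header(IPPROTO_TCP, "192.168.1.3", "203.0.113.10", 20) + tcp_header(40001, PPTP_CONTROL_PORT)
DATA = ipv4_header(IPPROTO_GRE, "192.168.1.3", "203.0.113.10", 8) + pptp_gre_header(0x1234, 0)
```

A PIX that keys translations on `pat_key` has an entry for the control channel but nothing to look up when the GRE reply arrives, which is why a static (one-to-one) translation or a NAT that tracks the Call ID is needed.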
