Steve, Good news and bad news... and some other options.
The good news is, you can get pass-thru to work on your PIX. The bad news is you'll need a more recent PIX OS. "PIX versions 6.3 and later support PPTP pass through or PPTP over PAT using the PPTP fixup feature." Details for the use of this fixup can be found here:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708

In case moving to 6.3 is not an option for you, here are some other ideas.

There are two methods for handling the PPP authentication part of non-pass-thru PPTP. You can use either AAA or the PIX's local user database. For MPPE compatibility, Cisco says to stick with Funk RADIUS, Cisco Secure ACS for Windows, or Microsoft Windows 2000 Internet Authentication Server. I've never been successful using FreeRADIUS but I've heard others have.

Going the AAA path, you'll need a AAA server and some vpdn group commands to specify the client authentication aaa parameters. If you use the local database approach, specify the client authentication local parameter instead, and then list the PPP usernames and passwords with the username parameter. The trade-off is scalability vs. not having to screw around with a AAA server.

The AAA method is a little less obvious so I'll offer a config example.

SOMEPIX(config)# sysopt connection permit-pptp
//This permits PPTP client connections

SOMEPIX(config)# aaa-server SECURITY protocol tacacs+
SOMEPIX(config)# aaa-server SECURITY (inside) host 172.16.131.236 secretkey
//These two point authentication at the AAA server behind your inside interface.

SOMEPIX(config)# access-list NONAT permit ip 172.16.0.0 255.255.0.0 172.16.254.0 255.255.255.0
SOMEPIX(config)# nat (inside) 0 access-list NONAT
//The ACL and NAT statements prevent NAT between the PPP client and the internal networks

SOMEPIX(config)# ip local pool ADDRESS 172.16.132.1-172.16.132.254
//This assigns an address pool for the PPP clients

SOMEPIX(config)# vpdn group USERS accept dialin pptp
//This just tells the PIX to handle PPTP connections.
SOMEPIX(config)# vpdn group USERS ppp authentication mschap
//Don't forget to force it to do MSCHAP
SOMEPIX(config)# vpdn group USERS ppp encryption mppe auto required
//Setting MPPE AUTO REQUIRED negotiates either a 40-bit or 128-bit session key and requires encryption. Pay attention to this - if the client doesn't support encryption then the connection won't be completed.
SOMEPIX(config)# vpdn group USERS client configuration address local ADDRESS
SOMEPIX(config)# vpdn group USERS client configuration dns 172.16.131.98
SOMEPIX(config)# vpdn group USERS client configuration wins 172.16.131.98
SOMEPIX(config)# vpdn group USERS client authentication aaa SECURITY
SOMEPIX(config)# vpdn enable outside
//And that's it - not so bad, huh. You can do a SH VPDN TUNNEL to see if everything is working as expected.

I hope you find something of value in this response. Good luck.

Ryan

-----Original Message-----
From: Steve Hoffman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 5:00 PM
To: Triangle Linux Users Group discussion list
Subject: [TriLUG] Cisco PIX 515

I have a Cisco PIX 515 firewall running OS 6.0. I'm trying to get it to allow PPTP pass through, but am coming up empty. I'm connecting to a Windows VPN which I can't change, although I was first trying to connect with pptpclient for Linux, so this is On Topic! That kept failing so I tried to connect from a Win box and got the same results.

I'm almost positive the PIX is to blame as there is no error on the VPN server (in fact, no indication a connection was even made), but I am able to connect fine from inside the network using the same pptpclient config on a different machine. That's pretty much useless to me, though, as I want to connect from home. Does anyone know how to configure that? From all I've read on the net, I need a newer version of the OS, but haven't been able to find it anywhere. I'm hoping someone just knows how to enable the passthrough, as trying to purchase OS upgrades from Cisco has always been a nightmare. I've opened up port 1723 on the PIX and can telnet to it fine, not that I know what to type once I get to the prompt.

Any suggestions welcome and greatly appreciated!

Thanks,
Steve

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
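Ryan's reply points at the PIX 6.3 PPTP fixup without saying what it has to do. The reason Steve's open port 1723 is not enough is that PPTP carries PPP inside GRE (IP protocol 47), which has no ports; the GRE Key field carries the peer's Call ID negotiated on the TCP/1723 control channel, so a device doing PAT for several inside clients must read the Call IDs from the Outgoing-Call-Request/Reply exchange to know which GRE packet belongs to which client. The following is an added example, not code from the thread or from Cisco: a minimal parser for those two control messages and a tracker that builds the GRE mapping the fixup needs, flagging the Call ID collision that makes plain PAT fail. The message bytes, client address and class names are constructed for the demonstration.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8  # Outgoing-Call-Request / Outgoing-Call-Reply control types

def parse_control(data):
    """Parse a PPTP control header; add the Call ID fields for OCRQ/OCRP."""
    if len(data) < 12:
        raise ValueError("short PPTP header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != 1:
        raise ValueError("not a PPTP control message")
    msg = {"length": length, "ctrl_type": ctrl_type}
    if ctrl_type == OCRQ:
        msg["call_id"] = struct.unpack("!H", data[12:14])[0]
    elif ctrl_type == OCRP:
        msg["call_id"], msg["peer_call_id"], msg["result"] = struct.unpack("!HHB", data[12:17])
    return msg

class PatTracker:
    """Remember which inside client owns which Call ID, as a PPTP fixup must (hypothetical)."""
    def __init__(self):
        self.pending = {}  # client Call ID -> inside client (request seen)
        self.inbound = {}  # GRE Key of server->client packets -> inside client

    def client_to_server(self, client, data):
        msg = parse_control(data)
        if msg["ctrl_type"] == OCRQ:
            cid = msg["call_id"]
            if cid in self.pending or cid in self.inbound:
                # Two PATed clients chose the same Call ID: inbound GRE would be ambiguous,
                # which is why a fixup has to translate the ID. Here we only flag it.
                raise ValueError(f"Call ID {cid} already in use behind PAT")
            self.pending[cid] = client
        return msg

    def server_to_client(self, data):
        msg = parse_control(data)
        if msg["ctrl_type"] == OCRP and msg["result"] == 1:  # result 1 = connected
            cid = msg["peer_call_id"]  # the server echoes the client's Call ID
            if cid in self.pending:
                self.inbound[cid] = self.pending.pop(cid)
        return msg

    def route_gre(self, gre_key):  # inbound GRE carries the client's Call ID as Key
        return self.inbound.get(gre_key)

def build_ocrq(call_id):  # constructed 168-byte OCRQ, option fields zeroed
    body = struct.pack("!HH", call_id, 1) + bytes(152)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, OCRQ, 0) + body
def build_ocrp(call_id, peer_call_id, result=1):  # constructed 32-byte OCRP
    body = struct.pack("!HHBB", call_id, peer_call_id, result, 0) + bytes(14)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, OCRP, 0) + body
```

The collision check is the practical reason a PIX running 6.0 with only TCP/1723 opened cannot pass PPTP for PATed clients: GRE arrives keyed by a Call ID the firewall has never tracked.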
