Hi,

I've run into a bit of a problem, I hope someone with more PIX experience
than myself can help out.

Situation: A small LAN (about 20 PCs, file server, 2 or 3 printers and an
"information server" users on the LAN telnet into) connected to the internet
via cable and a PIX 506e. The PIX is also set up as a PPTP VPN endpoint so
users can access the information server from home. That's the idea anyway.

When I connect via PPTP, I can access the file server with no problems (both
ping and by mapping a drive). I can access each PC on the LAN, each print
server. Everything except... the information server. Which was the whole
point to begin with. I don't want to simply forward port 23 TCP because
that's... well, you know.

The LAN subnet is 10.1.1.0/24. PPTP users are assigned addresses from
10.1.2.1-10.1.2.10. The PIX is 10.1.1.1. All the PCs are assigned
addresses via DHCP from the PIX. The information server was set up by a 3rd
party.

My best guess is that the info server does not have a default gateway set.
I don't have admin access to this server.

I'm not all too familiar with the PIX CLI... can I set up a static NAT for the
server so the PPTP users can gain access? Something along the lines of
10.1.2.2 translating to 10.1.1.2. Would this even have a chance of working?
I tried changing the PPTP address pool to 10.1.1.150-10.1.1.160 but I have a
feeling that will either just not work or I f'd up the syntax. Maybe I was
on the right track?

Any help is greatly appreciated.

rrfield

Richard, 11/20/2004 3:06:51 AM

In article <fxynd.360928$wV.140549@attbi_s54>,
Richard R. Field <rrfield@NOSPAM.alumni.indiana.edu> wrote:

:via cable and a PIX 506e. The PIX is also set up as a PPTP VPN endpoint so

:When I connect via PPTP, I can access the file server with no problems (both
:ping and by mapping a drive). I can access each PC on the LAN, each print
:server. Everything except... the information server.

:The LAN subnet is 10.1.1.0/24. PPTP users are assigned addresses from
:10.1.2.1-10.1.2.10. The PIX is 10.1.1.1.

:My best guess is that the info server does not have a default gateway set.

Sounds plausible.

:can I set up a static NAT for the
:server so the PPTP users can gain access? Something along the lines of
:10.1.2.2 translating to 10.1.1.2. Would this even have a chance of working?

I haven't worked with PPTP, so I'm not sure. I seem to recall that each
PPTP address is assigned with a 255.255.255.255 netmask, so that
(for example) broadcasts that happen to be needed for one PPTP user don't
get sent to another PPTP user. If this is true, then the PPTP users are
effectively each on separate networks, and 10.1.2.2 would be
foreign to each of them.

If the traffic that needs to be carried between the PPTP users and the
information server is pure UDP and TCP (icmp -might- work as well
but I wouldn't count on it) then it seems to me that in theory you could
set up reverse NAT. That is, you would set up:

nat (outside) 20 10.1.2.1 255.255.255.255
nat (outside) 20 10.1.2.2 255.255.255.255
nat (outside) 20 10.1.2.3 255.255.255.255
...
nat (outside) 20 10.1.2.10 255.255.255.255

global (inside) 20 10.1.1.2

This would do Port Address Translation on all of the TCP and UDP traffic
from each of the outside IP addresses defined in a 'nat 20' rule,
translating the source IP into 10.1.1.2 as it went towards your LAN.
Your information server should then see that IP as local and should
thus be able to reply to it; the replies would get un-PAT'd and sent to
the appropriate PPTP user.

If the traffic to some of the other systems doesn't fit the TCP + UDP
only model, then you could get creative with "policy nat".

--
I've been working on a kernel
All the livelong night.
I've been working on a kernel
And it still won't work quite right. -- J. Benson & J. Doll

roberson, 11/20/2004 3:19:35 AM

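The two mechanisms discussed in this thread, the original poster's suspicion that the information server has no default gateway and Walter's proposed reverse PAT that rewrites each PPTP address to 10.1.1.2, can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the thread, from Cisco, or from the PIX. It uses the addresses the posts give (10.1.1.0/24, the PIX at 10.1.1.1, the pool 10.1.2.1-10.1.2.10, the PAT address 10.1.1.2) and a constructed address, 10.1.1.50, for the information server, whose real address the thread never states. The PAT port range and the user's source port are also constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses taken from the thread.
LAN = ipaddress.ip_network("10.1.1.0/24")
PIX_INSIDE = ipaddress.ip_address("10.1.1.1")
PAT_ADDRESS = ipaddress.ip_address("10.1.1.2")          # 'global (inside) 20 10.1.1.2'
PPTP_POOL = {ipaddress.ip_address(f"10.1.2.{i}") for i in range(1, 11)}  # 10.1.2.1-10.1.2.10
# Constructed: the thread never gives the information server's own address.
INFO_SERVER = ipaddress.ip_address("10.1.1.50")


def host_can_reply(on_link, default_gateway, dst):
    """Forwarding decision of an ordinary single-homed host: an on-link
    destination is delivered directly, anything else needs a default gateway.
    With no gateway, a reply to a 10.1.2.x PPTP address simply cannot leave."""
    if dst in on_link:
        return True
    return default_gateway is not None


@dataclass
class ReversePat:
    """Model of the reverse PAT from the reply: one
    'nat (outside) 20 <pptp-ip> 255.255.255.255' per pool address plus
    'global (inside) 20 10.1.1.2'.  Flows from a matched outside source get
    source PAT_ADDRESS and a fresh port; the reverse mapping is kept so the
    server's replies can be un-PAT'd back to the right PPTP user."""
    pat_address: ipaddress.IPv4Address
    nat_sources: set
    next_port: int = 1024                       # constructed starting port
    # (proto, translated port) -> (original source, original port)
    xlate: dict = field(default_factory=dict)

    def inbound_to_lan(self, proto, src, sport, dst, dport):
        """Packet arriving from the PPTP side, headed for the LAN."""
        if proto not in ("tcp", "udp"):
            # The reply only vouches for TCP and UDP; anything else is refused here.
            raise ValueError("reverse PAT modelled for tcp/udp only")
        if src not in self.nat_sources:
            return (src, sport, dst, dport)     # no matching nat rule: untranslated
        port = self.next_port
        self.next_port += 1
        self.xlate[(proto, port)] = (src, sport)
        return (self.pat_address, port, dst, dport)

    def reply_to_outside(self, proto, src, sport, dst, dport):
        """Server's reply; returns the un-PAT'd packet, or None if nothing matches."""
        if dst != self.pat_address:
            return None
        original = self.xlate.get((proto, dport))
        if original is None:
            return None
        return (src, sport, original[0], original[1])


def walk_through(user=ipaddress.ip_address("10.1.2.2"), user_port=40000):
    """Runs the three situations from the thread and returns their outcomes."""
    # 1. As found: no default gateway, the PPTP source is off-link, no reply possible.
    without_gw = host_can_reply(LAN, None, user)
    # 2. The actual fix reported later: default gateway set to the PIX inside address.
    with_gw = host_can_reply(LAN, PIX_INSIDE, user)
    # 3. The workaround: PAT the user to 10.1.1.2 so the server sees an on-link peer.
    pat = ReversePat(PAT_ADDRESS, PPTP_POOL)
    src, sport, dst, dport = pat.inbound_to_lan("tcp", user, user_port, INFO_SERVER, 23)
    server_replies = host_can_reply(LAN, None, src)
    reply = pat.reply_to_outside("tcp", INFO_SERVER, 23, src, sport)
    return {
        "no_gateway_replies": without_gw,
        "gateway_fixed_replies": with_gw,
        "pat_source_seen_by_server": str(src),
        "pat_server_replies": server_replies,
        "reply_delivered_to": (str(reply[2]), reply[3]) if reply else None,
    }


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name}: {outcome}")
```

The model makes the trade-off visible: the PAT workaround gets packets flowing, but the information server then sees every remote user as 10.1.1.2, so its own logs can no longer tell VPN users apart, which is one more reason the gateway fix the thread ends with is the better outcome.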
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cnmd47$kgv$1@canopus.cc.umanitoba.ca...
> In article <fxynd.360928$wV.140549@attbi_s54>,
> Richard R. Field <rrfield@NOSPAM.alumni.indiana.edu> wrote:
> :via cable and a PIX 506e. The PIX is also set up as a PPTP VPN endpoint so
>
> :When I connect via PPTP, I can access the file server with no problems (both
> :ping and by mapping a drive). I can access each PC on the LAN, each print
> :server. Everything except... the information server.
>
> :The LAN subnet is 10.1.1.0/24. PPTP users are assigned addresses from
> :10.1.2.1-10.1.2.10. The PIX is 10.1.1.1.
>
> :My best guess is that the info server does not have a default gateway set.
>
> Sounds plausible.
>
> :can I set up a static NAT for the
> :server so the PPTP users can gain access? Something along the lines of
> :10.1.2.2 translating to 10.1.1.2. Would this even have a chance of working?
>
> I haven't worked with PPTP, so I'm not sure. I seem to recall that each
> PPTP address is assigned with a 255.255.255.255 netmask, so that
> (for example) broadcasts that happen to be needed for one PPTP user don't
> get sent to another PPTP user. If this is true, then the PPTP users are
> effectively each on separate networks, and 10.1.2.2 would be
> foreign to each of them.
>
> If the traffic that needs to be carried between the PPTP users and the
> information server is pure UDP and TCP (icmp -might- work as well
> but I wouldn't count on it) then it seems to me that in theory you could
> set up reverse NAT. That is, you would set up:
>
> nat (outside) 20 10.1.2.1 255.255.255.255
> nat (outside) 20 10.1.2.2 255.255.255.255
> nat (outside) 20 10.1.2.3 255.255.255.255
> ...
> nat (outside) 20 10.1.2.10 255.255.255.255
>
> global (inside) 20 10.1.1.2
>
> This would do Port Address Translation on all of the TCP and UDP traffic
> from each of the outside IP addresses defined in a 'nat 20' rule,
> translating the source IP into 10.1.1.2 as it went towards your LAN.
> Your information server should then see that IP as local and should
> thus be able to reply to it; the replies would get un-PAT'd and sent to
> the appropriate PPTP user.
>
> If the traffic to some of the other systems doesn't fit the TCP + UDP
> only model, then you could get creative with "policy nat".
> --
> I've been working on a kernel
> All the livelong night.
> I've been working on a kernel
> And it still won't work quite right. -- J. Benson & J. Doll

Thanks for the suggestion, Walter. The problem was what I suspected, the
server had the default gateway wrong. I called tech support, they walked me
through the process and all is well. I did not get a chance to try your
suggestions, but thanks for the reply.

rf

Richard, 11/24/2004 3:49:58 AM