Re: PIX PPTP, no NAT

From: Kenny Sallee (mischa@xxxxxxxxxxxxxx)
Date: Tue Oct 31 2000 - 03:43:53 GMT-3


In order to move a packet from any interface to any interface, you need some
sort of translation ( static, NAT, PAT or NAT 0 ). If you want to move a
packet from a low security interface to a high, you need a translation and a
conduit/acl. With your topology,

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

conduit permit tcp host 172.16.1.1 eq 80 any

Will allow any host from the outside to connect to 172.16.1.1 on tcp port 80
( www ). All traffic from the inside to outside will be allowed to flow cuz
it's on a higher security level. In order for PPTP to work, use nat 0 on
the inside interface referencing an ACL. The ACL should permit any traffic
going from the internal network to the virtual network you set up for the
pptp users. You don't need a conduit to allow the pptp traffic. That's
what the "sysopt connection permit-pptp" does. It looks for pptp packets
and allows them to bypass nat/conduit requirements. See CCO if anyone
doesn't believe me!! If you just need to pass pptp to a MS server, then just
create a couple of conduits ( you can find that on CCO somewhere ).

Also, I vote for the PIX as a router - with strong ass rules. The reason is
that you can set up a network like this:

Internet---->pix---->router---->router----><user> and the pix will forward
( key word ) the packet to the user once it passes certain rules. Hence a
router. I know Cisco does not consider it a router, but I have my own
opinion!

Good luck. Kenny

----- Original Message -----
From: "Jim Bond" <trycisco@yahoo.com>
To: <cisco@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, October 28, 2000 6:00 PM
Subject: PIX PPTP, no NAT

> Hello,
>
> I'm trying to set up PIX PPTP without NAT but no
> success. Cisco gives a sample config using NAT
> http://www.cisco.com/warp/public/110/pptppix.html but
> I don't understand why they use 192.168.1.0.
>
> Here is my topology:
> 172.16.1.0/24(outside)---PIX---(inside)172.16.2.0/24
> I create a pool 172.16.1.100-172.16.1.200, but users
> from outside can't reach internal network.
>
> Any suggestion?
>
> Thanks in advance.
>
>
> Jim
>
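The following PIX configuration fragment is an added illustration of the approach described in the reply above, applied to the topology in the quoted question; it is not part of either message and was not posted by Kenny or Jim. It assumes PIX 5.x/6.x command syntax, that the PIX itself terminates the PPTP tunnels (as in the Cisco sample the question links to), and that the inside web server address 172.16.2.10 and the PPTP client pool 192.168.100.0/24 are constructed values. The pool is deliberately kept on its own subnet, distinct from both PIX interfaces, as the Cisco sample does with 192.168.1.0, and it is that pool network the nat 0 access list refers to. Lines beginning with a colon are PIX comment lines.

```cisco
: --- Outside-to-inside web access: a translation plus a conduit ---
: Identity static so 172.16.2.0/24 keeps its real addresses on the outside
static (inside,outside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
: Conduit allows any outside host to reach the web server on tcp/80 only
: (172.16.2.10 is a constructed example address)
conduit permit tcp host 172.16.2.10 eq www any

: --- PPTP without address translation ---
: Address pool handed to PPTP clients; constructed example range on its own subnet
ip local pool pptp-pool 192.168.100.1-192.168.100.50

: nat 0 with an access list: traffic from the inside network to the PPTP
: virtual network is exempted from translation in both directions
access-list nonat permit ip 172.16.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let PPTP control (tcp/1723) and GRE through to the PIX without a conduit
sysopt connection permit-pptp

: PPTP server settings on the PIX (PIX 5.1+ vpdn syntax assumed)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username jim password <replace-with-real-password>
vpdn enable outside
```

Two things worth checking after applying a configuration like this: `show xlate` should show no translation entries for inside hosts talking to pool addresses (the nat 0 exemption is working), and `show conduit` should list only the tcp/80 conduit, confirming that PPTP reaches the PIX via `sysopt connection permit-pptp` rather than via a broad conduit. Because the nat 0 exemption is scoped by the access list to the pool subnet only, the rest of the inside network's traffic still goes through whatever nat/global or static rules are in place.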



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:32 GMT-3