RE: VPN ACROSS PIX

From: Darryl Munro (Darryl.Munro@computerland.co.nz)
Date: Mon Jan 06 2003 - 23:07:33 GMT-3


If you are doing Win 98 to Windows 2000 VPN, it seems to me that you are
using PPTP, so you would have more luck looking at port 1723. Here is a URL
that may shed some more light on what you are trying to do.

VPNs and Network Address Translators:
<http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/inbe/inbe_vpn_ymsi.asp>

HTH

Cheers

Darryl Munro

-----Original Message-----
From: ???Roger [mailto:roger@sysage.com.cn]
Sent: Tuesday, 7 January 2003 2:15 p.m.
To: Sam Munzani; ccielab@groupstudy.com
Subject: rpy: VPN ACROSS PIX

Hi Sam,

Because I am so poor in VPN, can you tell me more about why to open up inbound
ESP, and why VPN uses UDP/500, not TCP?

What does "inbound ESP" mean?

-----Original Message-----
From: ???Roger [mailto:sam@munzani.com]

VPN client does not work when you do PAT. If you are already doing NAT, open
up inbound ESP, UDP/500 and you would be fine.

Sam Munzani
CCIE # 6479 (R&S, Security)

>
> I want to configure a VPN client (win2000/win98) to connect to a VPN gateway (win2000 server) across a PIX 515E (UR).
> I tried to, but I failed. What should I do in the PIX? How do I configure the PIX 515E?
>
> Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn gateway (win2000 server)
>
> PIX configuration
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password fmAN7Xt.r3eoK4vC encrypted
> passwd aXha9uJboq3B.Dje encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> names
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 211.157.16.69 255.255.255.248
> ip address inside 192.168.0.253 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 211.157.16.65
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 211.157.16.66 192.168.0.101 n
> access-group 2 in interface outside
> route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> p 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.0.135 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 192.168.0.131 255.255.255.255 inside
> telnet 192.168.0.135 255.255.255.255 inside
> telnet 192.168.0.233 255.255.255.255 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> : end
> pixfirewall#
> ------------------------------------------
> BEST WISH WITH YOU !!!
> Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> Tel : (86-21) 3308-0238 #135
> Fax : (86-21) 6384-3377
> E-mail: ROGER@SYSAGE.COM.CN <mailto:ROGER@SYSAGE.COM.CN>

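The two points made in this thread, that a VPN client stops working once the PIX does PAT (the quoted config's `global (outside) 1` plus `nat (inside) 1 0.0.0.0 0.0.0.0` pair is exactly that), and that a 1:1 NAT only needs the right inbound permits (ESP and UDP/500 for IPsec, TCP/1723 for PPTP), can be shown with a small model. The following is an added example, not code from any of the posters or from Cisco. It assumes standard IANA numbers (ESP is IP protocol 50, GRE is 47; GRE is PPTP's data channel and is not mentioned in the thread) and models a port address translator in a simplified way rather than PIX internals. The addresses and the `pat_outcome`/`missing_permits` helpers are constructed for the example.

```python
"""Added example (not from the thread's posters or from Cisco): why a VPN
client fails behind PAT, and which inbound permits a 1:1 NAT in front of a
VPN gateway needs.  Protocol numbers and ports are the standard IANA values;
the translator is a simplified model, not PIX internals.  Addresses are
constructed from the RFC 5737 documentation ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_GRE = 47   # PPTP data channel (standard PPTP; not named in the thread)
IP_PROTO_ESP = 50   # IPsec data channel, the "inbound ESP" of Sam's reply

Permit = Tuple[int, Optional[int]]   # (IP protocol, destination port or None)

# What the firewall in front of the VPN *gateway* must permit inbound.
VPN_REQUIREMENTS: Dict[str, Set[Permit]] = {
    "ipsec": {(IP_PROTO_UDP, 500), (IP_PROTO_ESP, None)},   # IKE, then ESP
    "pptp":  {(IP_PROTO_TCP, 1723), (IP_PROTO_GRE, None)},  # control, then GRE
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for port-less protocols (ESP, GRE)


@dataclass
class PortAddressTranslator:
    """Many inside hosts share one global address, told apart by source port."""
    global_ip: str
    next_port: int = 1024
    port_table: Dict[Tuple[str, int], int] = field(default_factory=dict)
    portless_owner: Dict[int, str] = field(default_factory=dict)

    def translate(self, f: Flow) -> Optional[Flow]:
        """Return the outside view of f, or None if PAT cannot carry it."""
        if f.proto in (IP_PROTO_TCP, IP_PROTO_UDP):
            key = (f.src_ip, f.src_port)
            if key not in self.port_table:
                self.port_table[key] = self.next_port
                self.next_port += 1
            return Flow(self.global_ip, f.dst_ip, f.proto, self.port_table[key])
        # ESP and GRE have no port field, so the only thing left to key on is
        # the protocol number.  The first inside host claims it; replies for a
        # second host would be indistinguishable, so its flow cannot be built.
        owner = self.portless_owner.setdefault(f.proto, f.src_ip)
        if owner != f.src_ip:
            return None
        return Flow(self.global_ip, f.dst_ip, f.proto)


def missing_permits(vpn_type: str, permits: Set[Permit]) -> Set[Permit]:
    """Entries the inbound access list still lacks for vpn_type."""
    return VPN_REQUIREMENTS[vpn_type] - permits


def pat_outcome(vpn_type: str, inside_hosts: List[str]) -> Dict[str, bool]:
    """Start the same VPN type from several inside clients through one PAT address."""
    pat = PortAddressTranslator(global_ip="203.0.113.1")   # constructed
    gateway = "198.51.100.10"                              # constructed
    result: Dict[str, bool] = {}
    for host in inside_hosts:
        ok = True
        for proto, dst_port in sorted(VPN_REQUIREMENTS[vpn_type], key=lambda p: p[0]):
            src_port = 40000 if dst_port is not None else None
            ok = ok and pat.translate(Flow(host, gateway, proto, src_port)) is not None
        result[host] = ok
    return result


if __name__ == "__main__":
    print("IPsec permits still missing when only UDP/500 is open:",
          missing_permits("ipsec", {(IP_PROTO_UDP, 500)}))
    print("IPsec through PAT:", pat_outcome("ipsec", ["192.168.0.10", "192.168.0.11"]))
    print("PPTP through PAT:", pat_outcome("pptp", ["192.168.0.10", "192.168.0.11"]))
```

The first inside client gets through in both cases; the second is dropped because ESP (or GRE) carries no port for the translator to rewrite. That is the failure the thread describes, and it is why the fix is a one-to-one `static` for the gateway address with ESP and UDP/500 (or TCP/1723 and GRE for PPTP) permitted on the outside access list, not a different port number.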



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:43 GMT-3