PPTP through PIX timeout?
We have a customer that has internal clients connecting to an outside PPTP server through a PIX firewall.
PPTP setup works fine, but after 3 minutes the PPTP connection goes down. We are sure the PIX is the problem.
The PIX is configured for PAT, because the customer has only one public IP address. Fixup PPTP 1723 is configured.
Does anyone know why this happens and how we can fix this?
Hi all.
We have same problem.
Through the PIX, PPTP sessions end after a few minutes, while through other connections (another firewall, a direct connection to the internet and so on) they remain up properly.
We have the PIX 7.0(2) release (we can't upgrade to 7.0(4) because with that release PPTP sessions don't work at all).
Thanks
Similar Messages
-
I wanted to know if I can take a video source from a public IP address through my PIX, using the static command, to a multicast address like 224.2.0.1. Is this possible or not? If not, what would be another way to do it?
Yes, using a static command you can take a video source from a public IP address through the PIX.
-
VPN PPTP SBS2003 LCP: timeout sending Config-Requests
When using a 3rd party app (DigiTunnel), I can connect to my office network (Windows Small Business Server Premium 2003R2).
Using Internet Connect in 10.4.11, it worked a few times then stopped.
Here's the connection log:
PPTP connection established.
Using interface ppp0
Connect: ppp0 <--> socket[34:17]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x368b037d> <pcomp> <accomp>]
*LCP: timeout sending Config-Requests*
Connection terminated.
PPTP disconnecting...
PPTP disconnected
Any suggestions? TIA
-
VPN has been a continuing issue in our organisation. There could be more than one problem causing the issues we have; however, we have found that our Netgear router appears to have issues. After a bit of research on other forums I found other people who had flagged other Netgear routers as having similar issues, and that VPN connections could be re-established by turning settings on and off within the control panel for the router. Doing so jogs it into working again for no apparent reason, even when the resulting settings are exactly the same as before.
It is because of this reason and other issues I have had with other Netgear routers that I have decided that I can't fully fix our issues with VPN until we have replaced our router with something more suitable. -
We have IP VTC going from a Tandberg video conferencing bridge to a distant Tandberg, and it was dropping because of the timeout settings, so I increased the timeouts and it was fine. But now it intermittently fails. Has anyone seen this before?
Are you using a gateway or border controller in the network? Send the details of the current problem along with a "show run" and "show version" from your PIX.
-
Streaming WMT (netshow) through PIX with Cache Engine
Hello:
I am trying to stream WMT from a pre-loaded Cache Engine through a PIX firewall. I would like to use UDP for the streaming, but when I start the streaming TCP is selected by default. Forcing UDP within Windows causes an error. The PIX doesn't allow the UDP traffic through since it didn't originate from the inside. Outside the firewall UDP only works if I force it; TCP is the default. First, is UDP the best way to do this, or is TCP OK since it is coming from the Cache Engine? Second, how can I change the Cache Engine setup to default to UDP, or is this not possible?
Thank you,
Hampton Saussy
Midlands Technical College
We had a similar issue. If the firewall is not configured to accept the TCP ports, then the streaming video server will perform HTTP cloaking, i.e. instead of using the TCP ports it will use HTTP port 80 to get through the firewall, and then the server sends the streaming video data via UDP. If UDP cannot pass through the firewall, the client requests delivery via TCP. The fixup rtsp command lets the PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. This command does not fix RTSP UDP connections. So I guess using TCP is the better option.
-
XPunlimited connection through Pix 506e
I have a PIX 506E that I need to open port 3389 on for remote connection to a Win2003 server that is running XPunlimited for 2003 Servers. I have searched the internet and have tried numerous different access-list commands to try and make this work. What I'm looking for is a CCNE that can help me get this going and maybe look at my existing configuration file to tell me what isn't set up properly.
You bet... here it is
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wVolyRqUC55O9Zpf encrypted
passwd wVolyRqUC55O9Zpf encrypted
hostname TOS
domain-name
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl-out permit udp any interface outside eq pcanywhere-status
access-list acl-out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq 5631
access-list acl_out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq pcanywhere-status
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit udp any host eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.20.11.1-172.20.11.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-status netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set vpn1
crypto map seabrook 1 ipsec-isakmp dynamic dynmap
crypto map seabrook interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup sclient address-pool vpnpool
vpngroup sclient split-tunnel nat0
vpngroup sclient idle-time 1000
vpngroup sclient password ********
telnet 172.20.10.0 255.255.255.0 inside
telnet timeout 5
ssh 24.61.165.168 255.255.255.248 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
-
Moving a dial-in PPTP from PIX to Router (IOS)
I've moved a dial-in PPTP config from a PIX to an IOS router, but I cannot find the equivalent IOS commands for this PIX config:
vpdn group 1 client configuration dns x.x.x.x
and
vpdn group 1 client configuration wins x.x.x.x
Anybody know what the equivalent IOS config is?
The following URL will help you with the details of the PPTP configuration:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml
-
Hi,
I have a Cisco PIX firewall running version 7.2(4).
I want to know how many SIP connections can be handled by the PIX firewall. What is the default limit?
Actually we have two SIP setups, one with a Juniper firewall and one with a PIX at a different location. Earlier I was facing an issue with the Juniper where the dialer was not able to send calls to the user;
during troubleshooting I found that in the Juniper there is an ALG which has SIP enabled with a maximum limit of 64, so I disabled it and all calls are working fine.
Now the question is that the voice vendor is telling me the same issue is being faced by users behind the PIX firewall. -
Error while creating user on Unix through OIM timeout waiting for user password
Hello all ,
We made an integration with Unix using the connector; while creating a user we receive the following error:
<Jun 27, 2013 1:30:14 PM AST> <Error> <ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER> <BEA-000000> <oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user
org.identityconnectors.framework.common.exceptions.ConnectorException: Exception occured while setting the password.org.identityconnectors.framework.common.exceptions.OperationTimeoutException: Command timed-out while waiting for: new[\s](unix[\s])?password:
at org.identityconnectors.genericunix.GenericUnixConnection.setUserPassword(GenericUnixConnection.java:866)
at org.identityconnectors.genericunix.operation.GenericUnixCreate.setUserPassword(GenericUnixCreate.java:193)
at org.identityconnectors.genericunix.operation.GenericUnixCreate.analyzeResult(GenericUnixCreate.java:233)
at org.identityconnectors.genericunix.operation.GenericUnixCreate.createOp(GenericUnixCreate.java:180)
at org.identityconnectors.genericunix.operation.GenericUnixCreate.create(GenericUnixCreate.java:111)
at org.identityconnectors.genericunix.GenericUnixConnector.create(GenericUnixConnector.java:200)
at org.identityconnectors.framework.impl.api.local.operations.CreateImpl.create(CreateImpl.java:80)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
at $Proxy363.create(Unknown Source)
Can anyone support me on how to fix this?
Try increasing the commandTimeout from 100 seconds to 200 seconds and see if this works.
Also, look at Section 5.2.5 in the connector doc. -
Some command to make PIX 515 E to do "IPsec passthrough"?
Some routers sold out there, e.g. my Linksys WRT54GC, have "IPsec passthrough" integrated. This is very useful in the case when the remote firewall doesn't have NAT traversal enabled (and it's difficult to ask that admin to enable it).
I'm wondering if there's any command to make a PIX (515E) have this function. Anyone know?
I know those are nice features that are already enabled on Linksys devices, but these are meant to be more of a PnP device where no other configuration is required by the end user when it comes to IPsec or PPTP.
On the other hand, on PIX/ASA firewalls or an IPsec-capable IOS router this is not the case.
In these cases the IPsec VPN ports, as well as the MS PPTP ports if using Microsoft VPN clients, need to be explicitly opened for clients inside to be able to VPN outbound.
When using the Cisco VPN client from inside a PIX/ASA to connect to an outside RA you simply need IPsec pass-through inspection configured in your global policy for code 7.x and above.
For PIX/ASA running code 7.x or above, inspection of ipsec-pass-thru must be enabled in the global policy.
i.e. Cisco VPN client
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
for PPTP
policy-map global_policy
class inspection_default
inspect PPTP
For PIX 6.x you need to open up the IPsec ports UDP 500 (ISAKMP), UDP 4500 (NAT-T) and protocol 50 (ESP) and apply the ACL to the PIX outside interface.
i.e.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
Also, it is recommended to enable NAT traversal:
isakmp nat-traversal 20
The same principle applies on routers; just for reference, for example for MS PPTP it would require TCP 1732 and the GRE protocol.
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
Interface
ip access-group 101 in
or for both IPsec and PPTP
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
Interface
ip access-group 101 in
Here are a couple of links for reference if you would like to read them.
PPTP through firewalls
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
IPsec pass through Cisco firewalls
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169
If you have any problems implementing it, let us know; it's pretty much straightforward once you open up the required ports.
HTH
Bst Rgds
-Jorge
PLS Rate any helpful posts if it helps -
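The pass-through prerequisites listed in Jorge's post (and the PPTP fixup the original poster mentions) can be checked mechanically. The following audit script is an added example, not code from the thread or from Cisco: it scans a PIX/ASA running-config as text, reports which PPTP and IPsec pass-through entries are missing (7.x inspection or the 6.x ACL lines), and flags weak settings that also appear in the configs posted above (default SNMP community, single DES). The sample config is constructed for the example.

```python
import re

# Constructed sample (not from the thread): an excerpt in the style of the PIX 6.3
# configs posted above, with Jorge's IPsec pass-through ACL lines added. The PPTP
# entries (fixup protocol pptp 1723, TCP 1723, GRE) are deliberately left out.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol http 80
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
access-group 101 in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
isakmp policy 1 encryption des
isakmp policy 1 hash md5
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
snmp-server community public
"""

# Regexes are matched against single, whitespace-stripped config lines.
# 7.x inspection alone satisfies pass-through; on 6.x the explicit ACL entries do.
PPTP_INSPECT = r"(fixup protocol pptp 1723|inspect pptp)$"
PPTP_ACL = [
    (r"access-list \S+ permit tcp any any eq 1723\b", "TCP 1723 (PPTP control channel)"),
    (r"access-list \S+ permit gre any any\b", "GRE (PPTP data channel)"),
]
IPSEC_INSPECT = r"inspect ipsec-pass-thru$"
IPSEC_ACL = [
    (r"access-list \S+ permit udp any any eq 500\b", "UDP 500 (ISAKMP)"),
    (r"access-list \S+ permit udp any any eq 4500\b", "UDP 4500 (NAT-T)"),
    (r"access-list \S+ permit esp any any\b", "ESP (IP protocol 50)"),
]
WEAK_SETTINGS = [
    (r"snmp-server community public$", "SNMP community is the well-known default 'public'"),
    (r"isakmp policy \d+ encryption des$", "ISAKMP policy negotiates single DES"),
    (r"crypto ipsec transform-set \S+ .*\besp-des\b", "IPsec transform set uses single DES"),
]


def _present(lines, pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.match(ln) for ln in lines)


def _missing(lines, inspect_pattern, acl_entries):
    """Empty list when pass-through is satisfied, else the ACL entries still needed."""
    if _present(lines, inspect_pattern):
        return []
    return [desc for pat, desc in acl_entries if not _present(lines, pat)]


def audit_pix_config(config: str) -> dict:
    """Report missing VPN pass-through prerequisites and weak settings in a
    PIX/ASA running-config given as text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing_pptp = _missing(lines, PPTP_INSPECT, PPTP_ACL)
    missing_ipsec = _missing(lines, IPSEC_INSPECT, IPSEC_ACL)
    return {
        "pptp_passthrough_ready": not missing_pptp,
        "missing_pptp": missing_pptp,
        "ipsec_passthrough_ready": not missing_ipsec,
        "missing_ipsec": missing_ipsec,
        "nat_traversal_enabled": _present(lines, r"isakmp nat-traversal \d+$"),
        "weak_settings": [d for p, d in WEAK_SETTINGS if _present(lines, p)],
    }


if __name__ == "__main__":
    for key, value in audit_pix_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
-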
How can I avoid Thunderbird timeouts when switching network connections?
I'm using Thunderbird 24.4.0 but this problem goes back many releases.
This problem happens when I switch from an external WiFi network to my company's internal LAN (ethernet).
I'm connected to the company's email server via WiFi from home and can get and receive email no problem. I then turn off the WiFi, put the laptop to sleep, take it to work, wake it up, and plug in the Ethernet cable. I click on Get Mail and in the status bar at the bottom it says "Connecting to [servername] ..." and stays that way until I get a notification that Thunderbird timed out. I click on Get Mail again and this time it says "Connected to [servername] ..." and it gets my email. (It may have briefly said "Connecting to" prior to "Connected to" but I think I've only seen that once.)
Why does it never work the first time but has to timeout before it will successfully connect, and what can I do to get it to connect without having to go through a timeout cycle?
Thanks,
--Steve
Networking is an area of some frustration. Recently, some bug reports are seeing progress. The place to be to test these fixes is in development builds.
Not yet fixed:
https://bugzilla.mozilla.org/show_bug.cgi?id=939318
NetworkLinkService should be enabled so Necko can respond to network changes (not offline auto-detection)
https://bugzilla.mozilla.org/show_bug.cgi?id=972262
DNS cache is not flushed/re-initialized when toggling offline/online
fixed in tb30:
https://bugzilla.mozilla.org/show_bug.cgi?id=981513
dns cache grace period error busting too aggressive
https://bugzilla.mozilla.org/show_bug.cgi?id=981447
dns cache too sticky!
fixed in tb30 -
Multiple MX records with PIX and ASA5510
I need some help with a setup for email.
Setup
I have a PIX525 and an ASA5510VPN and an internal 2950 router. The PIX does firewalling and the ASA does VPN. Currently all outbound Internet traffic goes through the PIX via the router with this command:
ip route 0.0.0.0 0.0.0.0 10.1.1.2 1
The ASA5510 with its dedicated external IP is used to allow VPN traffic in.
The problem:
I have two separate domain names and two MX records. One (mail.PIX.com) is pointed at the external IP of the PIX, the other (mail.ASAVPN.com) is pointed at the ASA5510. I can receive inbound mail through both of the devices. I'd like mail to go out using both domains, one through the PIX and the other through the ASA. The problem is the router says all unknown traffic goes to the PIX.
How do I route mail from a host (10.1.1.5) to the ASA5510 (10.1.1.4), while sending the mail from host (10.1.1.3) to the PIX (10.1.1.2)?
I am not following something here. If your gateway for 10.1.1.5 is truly set to the ASA and the ASA has the NAT rule on the outside for the 10.1.1.5 address, there should be no issue. It sounds like you are sending your traffic back out the PIX interface. If your gateway is the 10.1.1.254 address, the router will send the traffic to the PIX or redirect you to do so with an ICMP redirect.
Just the simple fact that it's coming out with the wrong external address leads me to believe that that is the issue.
Any configs/route tables on the servers and firewalls would help. -
SNMP from CW through firewall w/out nat
I have to configure an FWSM context with a new VLAN to manage external customer routers. I don't want to NAT the NMS IP, but I can't seem to get a reply after adding the nat statement. Any info on SNMP through PIXes would be very helpful.
configure route to NMS... done
configure nat statement in context using no nat... done
Is it the return? Do I need to add an xlate or global statement?
You have the route to your NMS in the customer routers too? What do your logs say? Can you post the relevant info from the PIX and router?
-
Hi, guys
I have a PC running Windows 7 and this PC can't connect to a PPTP VPN server, which is a public server.
Any help?
Nice day
Hi,
Thank you for your post here.
Firstly you should allow TCP 1723 and the GRE protocol on TMG. You also need to confirm your client type; it cannot be web proxy.
Additionally, we need you to provide TMG live logging for us.
There is also a similar article for your reference:
http://social.technet.microsoft.com/Forums/forefront/en-US/149d061b-d5a7-470e-a0eb-e8dbdd103f44/pptp-through-tmg
Best Regards
Quan Gu -
PIX515E and simple LAN setup question
Hello all,
I am trying to set up a Cisco PIX 515E.
Outside interface is connected to internet.
Inside interface is connected to inside private LAN.
I am able to use HTTP traffic from the inside LAN. However, I have problems with DNS and ping.
I cannot ping the inside FW interface from LAN clients (this is also the GW for LAN clients), because the LAN address is NATed to the outside interface address (I see this with debug icmp trace).
I cannot ping outside addresses from LAN clients. When debugging ICMP at the FW, I can see the ping reply is received back at the FW, but it is not sent from the FW to the client.
DNS is not working. The DNS server is a public IP address. It seems DNS queries are not passed through the FW.
Basically, I want to access the internet through the PIX FW. Can anyone give me some tips on what to do here?
It's not the outside interface I want to ping; it's outside hosts on the internet I want to ping through the outside interface.
Here is my current config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname fw
domain-name something.no
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Internet tcp
description Standard Internet trafikk
port-object eq www
port-object eq https
access-list inside_access_in remark Traffic out
access-list inside_access_in remark
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list inside_access_in remark icmp
access-list inside_access_in permit tcp any any
access-list inside_access_in remark Trafic out
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 194.xx.xx.34 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 194.xx.xx.41 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 200 interface
nat (inside) 200 172.16.1.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 194.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.200-172.16.1.210 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80